https://community.cisco.com/t5/network-access-control/cisco-acs-4-2-providing-show-commands-only/m-p/1699876#M248140 <HTML><HEAD></HEAD><BODY><H3>Configuring a Shell Command&nbsp; Authorization Set for a User </H3><P> is it <STRONG>Group?</STRONG></P><P> Yes it is</P><P></P><P>The same link i followed for my config setup</P></BODY></HTML> Fri, 10 Jun 2011 13:01:49 GMT sridhar.gogineni 2011-06-10T13:01:49Z https://community.cisco.com/t5/network-access-control/cisco-acs-4-2-providing-show-commands-only/m-p/1699870#M248039 <P>I am trying to create a user so that i can provide him only to run show commands nothing else.</P><P>1) Created a user in ACS</P><P></P><P>2) Create Shell command Autorization Set - ReadOnly</P><P></P><P> Unmatched Commands - Deny</P><P></P><P> Commands Added</P><P></P><P>show</P><P></P><P>exit</P><P></P><P>3) Created a group - HelpDesk with the following TACACS+ Settings</P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Shell (exec) is checked</P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Priviledge level is check with 15 as the assigned level</P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Assign a Shell Command Authorization Set for any network device - selected</P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ReadOnly - shell command autorization set seleted</P><P></P><P>I have configured following on my router</P><P></P><P>aaa authorization config-commands</P><P>aaa authorization commands 0 default&nbsp; group tacacs+ local</P><P>aaa authorization commands 1 default&nbsp; group tacacs+ local</P><P>aaa authorization commands 15 default group tacacs+ local</P><P></P><P></P><P>But still user can run config t and other commands.Some one help me how to fix this</P> Mon, 11 Mar 2019 01:09:33 GMT https://community.cisco.com/t5/network-access-control/cisco-acs-4-2-providing-show-commands-only/m-p/1699870#M248039 sridhar.gogineni 2019-03-11T01:09:33Z https://community.cisco.com/t5/network-access-control/cisco-acs-4-2-providing-show-commands-only/m-p/1699871#M248051 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Can you check the user authorization profile? is it inherited from the group?</P><P></P><P>Hope this helps.</P><P></P><P>Regards,</P><P>Anisha</P><P></P><P>P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts. </P></BODY></HTML> Fri, 10 Jun 2011 11:38:08 GMT https://community.cisco.com/t5/network-access-control/cisco-acs-4-2-providing-show-commands-only/m-p/1699871#M248051 andamani 2011-06-10T11:38:08Z https://community.cisco.com/t5/network-access-control/cisco-acs-4-2-providing-show-commands-only/m-p/1699872#M248067 <HTML><HEAD></HEAD><BODY><P>Sorry i am bit new where can i check </P><P>Can you check the user authorization profile?</P><P></P><P>You mean </P><P>Group to which the user is assigned:</P><P></P><P>If that is the case we have assigned to correct group</P></BODY></HTML> Fri, 10 Jun 2011 11:42:16 GMT https://community.cisco.com/t5/network-access-control/cisco-acs-4-2-providing-show-commands-only/m-p/1699872#M248067 sridhar.gogineni 2011-06-10T11:42:16Z https://community.cisco.com/t5/network-access-control/cisco-acs-4-2-providing-show-commands-only/m-p/1699873#M248082 <HTML><HEAD></HEAD><BODY><P>hi,</P><P></P><P>yes. So does the user inherit the authorization profile from the group or it does not?</P><P></P><P>Regards,</P><P>Anisha</P><P></P><P>P.S.: please mark this thread as answered if you feel your query is&nbsp; resolved. Do rate helpful posts. </P></BODY></HTML> Fri, 10 Jun 2011 12:45:07 GMT https://community.cisco.com/t5/network-access-control/cisco-acs-4-2-providing-show-commands-only/m-p/1699873#M248082 andamani 2011-06-10T12:45:07Z https://community.cisco.com/t5/network-access-control/cisco-acs-4-2-providing-show-commands-only/m-p/1699874#M248101 <HTML><HEAD></HEAD><BODY><P>Thanks for your help</P><P></P><P>So does the user inherit the authorization profile from the group or it does not?</P><P></P><P>Yes,But as i told before Shell command Autorization Set is not working and user can access conf t command.I only want to use them show commands which i have configured (explained in first post)</P></BODY></HTML> Fri, 10 Jun 2011 12:50:19 GMT https://community.cisco.com/t5/network-access-control/cisco-acs-4-2-providing-show-commands-only/m-p/1699874#M248101 sridhar.gogineni 2011-06-10T12:50:19Z https://community.cisco.com/t5/network-access-control/cisco-acs-4-2-providing-show-commands-only/m-p/1699875#M248121 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I am trying to figure what might be the case. Hence asking you the question.</P><P></P><P>Which option is checked in the </P><H3>Configuring a Shell Command&nbsp; Authorization Set for a User </H3><P> is it <STRONG>Group?</STRONG></P><P></P><P>The configruation seems fine to me. Just for one more configuration can you please check if the configuration is as per the link:</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml">http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml</A></P><P></P><P>Regards,</P><P>Anisha</P><P></P><P>P.S.: please mark this thread as answered if you&nbsp; feel your query is&nbsp; resolved. Do rate helpful posts. </P></BODY></HTML> Fri, 10 Jun 2011 12:59:18 GMT https://community.cisco.com/t5/network-access-control/cisco-acs-4-2-providing-show-commands-only/m-p/1699875#M248121 andamani 2011-06-10T12:59:18Z https://community.cisco.com/t5/network-access-control/cisco-acs-4-2-providing-show-commands-only/m-p/1699876#M248140 <HTML><HEAD></HEAD><BODY><H3>Configuring a Shell Command&nbsp; Authorization Set for a User </H3><P> is it <STRONG>Group?</STRONG></P><P> Yes it is</P><P></P><P>The same link i followed for my config setup</P></BODY></HTML> Fri, 10 Jun 2011 13:01:49 GMT https://community.cisco.com/t5/network-access-control/cisco-acs-4-2-providing-show-commands-only/m-p/1699876#M248140 sridhar.gogineni 2011-06-10T13:01:49Z https://community.cisco.com/t5/network-access-control/cisco-acs-4-2-providing-show-commands-only/m-p/1699877#M248158 <HTML><HEAD></HEAD><BODY><P>hmmm.. Ok. So what do the TACACS Administration logs say when you log in and try the "config t" command ? i.e. reports and activity &gt; Tacacs administration &gt; active.</P><P></P><P>Regards,</P><P>Anisha</P><P></P><P>P.S.: please mark this thread as answered if you&nbsp; feel your query is&nbsp; resolved. Do rate helpful posts. </P></BODY></HTML> Fri, 10 Jun 2011 14:04:55 GMT https://community.cisco.com/t5/network-access-control/cisco-acs-4-2-providing-show-commands-only/m-p/1699877#M248158 andamani 2011-06-10T14:04:55Z https://community.cisco.com/t5/network-access-control/cisco-acs-4-2-providing-show-commands-only/m-p/1699878#M248172 <HTML><HEAD></HEAD><BODY><P><SPAN style="color: #800000;">Looks like user is not getting mapped with the respective group or user is also configured for shell command authorization set and taking precedence over group.</SPAN></P><P></P><P><SPAN style="color: #800000;">Run the following debugs on the IOS device</SPAN></P><P></P><P><SPAN style="color: #800000;">debug tacacs</SPAN></P><P><SPAN style="color: #800000;">debug aaa authen</SPAN></P><P><SPAN style="color: #800000;">debug aaa autho</SPAN></P><P><SPAN style="color: #800000;">term mon</SPAN></P><P></P><P><SPAN style="color: #800000;">Run "config t" command, on the ACS logs look for the group you are getting mapped and match with the group name you want it to map with.</SPAN></P><P></P><P><SPAN style="color: #800000;">Rgds, Jatin</SPAN></P><P></P><P></P><P><SPAN style="color: #800000;">Do rate helpful posts-</SPAN></P></BODY></HTML> Sun, 12 Jun 2011 15:38:52 GMT https://community.cisco.com/t5/network-access-control/cisco-acs-4-2-providing-show-commands-only/m-p/1699878#M248172 Jatin Katyal 2011-06-12T15:38:52Z