https://community.cisco.com/t5/network-access-control/acs-5-2-command-set-issue/m-p/1707285#M265242 <HTML><HEAD></HEAD><BODY><P>it works after adding:</P><P>"aaa authorization config-commands"</P><P></P><P>I cannot exec any "config mode" commands anymore.</P><P></P><P>thanks a lot</P></BODY></HTML> Wed, 26 Oct 2011 08:09:01 GMT d1pol01978 2011-10-26T08:09:01Z https://community.cisco.com/t5/network-access-control/acs-5-2-command-set-issue/m-p/1707281#M265091 <P>HI ,</P><P></P><P>I had insatalled the ACS 5.2 on Vmware . </P><P>As per my requirement i need to configure a user to restricted privilege so that he should be able to execute only the below commands on the switch .</P><P></P><P>Show ver</P><P>Show interfaces</P><P>Show ip Interface Brief</P><P>Configure terminal</P><P>Interface &lt;interface name &gt; </P><P>Shutdown</P><P>No shutdown</P><P></P><P>The users should not be authorized to execute any other commands than above listed one .</P><P></P><P>After the configuration i was not able to restrict the config mode commands . Once the user is&nbsp; authoized for&nbsp; Configure terminal access&nbsp; he will have full access on the device&nbsp; . </P><P></P><P>Please let me know how to configure the command set only to allow&nbsp; interface access and he should be able to apply Shutdown and No shutdown command . </P><P></P><P></P><P>Please find the attached command set&nbsp; screen shot . ( I tried disabling IP Routing command but the same was getting authorized )</P><P></P><P></P><P></P><P>Regards,</P><P>Angus</P> Mon, 11 Mar 2019 01:12:42 GMT https://community.cisco.com/t5/network-access-control/acs-5-2-command-set-issue/m-p/1707281#M265091 Angus Bishop 2019-03-11T01:12:42Z https://community.cisco.com/t5/network-access-control/acs-5-2-command-set-issue/m-p/1707282#M265135 <HTML><HEAD></HEAD><BODY><P>Did you also configure the appropriate aaa commands on the switch? Please paste the "show run | in aaa" output from the switch. </P></BODY></HTML> Fri, 08 Jul 2011 12:44:55 GMT https://community.cisco.com/t5/network-access-control/acs-5-2-command-set-issue/m-p/1707282#M265135 zhenningx 2011-07-08T12:44:55Z https://community.cisco.com/t5/network-access-control/acs-5-2-command-set-issue/m-p/1707283#M265166 <HTML><HEAD></HEAD><BODY><P>I'm having exactly the same problem:</P><P></P><P>my aaa conf:</P><P>aaa new-model</P><P>aaa authentication attempts login 10</P><P>aaa authentication login default group tacacs+ local</P><P>aaa authentication login LOC line local</P><P>aaa authentication enable default group tacacs+ enable</P><P>aaa authorization exec default group tacacs+ local if-authenticated </P><P>aaa authorization commands 1 default group tacacs+ local if-authenticated </P><P>aaa authorization commands 15 default group tacacs+ local if-authenticated </P><P>aaa accounting exec default start-stop group tacacs+</P><P>aaa accounting commands 15 default start-stop group tacacs+</P><P>aaa accounting network default start-stop group tacacs+</P><P>aaa accounting connection default start-stop group tacacs+</P><P>aaa accounting system default start-stop group tacacs+</P><P>aaa session-id common</P><P></P><P><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/3/8/3/65383-Screen%20Shot%202011-10-25%20at%205.49.05%20PM.png" class="jive-image" /></P><P></P><P>Once I add permit configure terminal, user can do "conf t" and then execute ANY commands.</P></BODY></HTML> Tue, 25 Oct 2011 15:50:16 GMT https://community.cisco.com/t5/network-access-control/acs-5-2-command-set-issue/m-p/1707283#M265166 d1pol01978 2011-10-25T15:50:16Z https://community.cisco.com/t5/network-access-control/acs-5-2-command-set-issue/m-p/1707284#M265221 <HTML><HEAD></HEAD><BODY><P>try to add command:</P><P></P><P>aaa authorization config-commands</P></BODY></HTML> Tue, 25 Oct 2011 16:03:39 GMT https://community.cisco.com/t5/network-access-control/acs-5-2-command-set-issue/m-p/1707284#M265221 zhenningx 2011-10-25T16:03:39Z https://community.cisco.com/t5/network-access-control/acs-5-2-command-set-issue/m-p/1707285#M265242 <HTML><HEAD></HEAD><BODY><P>it works after adding:</P><P>"aaa authorization config-commands"</P><P></P><P>I cannot exec any "config mode" commands anymore.</P><P></P><P>thanks a lot</P></BODY></HTML> Wed, 26 Oct 2011 08:09:01 GMT https://community.cisco.com/t5/network-access-control/acs-5-2-command-set-issue/m-p/1707285#M265242 d1pol01978 2011-10-26T08:09:01Z https://community.cisco.com/t5/network-access-control/acs-5-2-command-set-issue/m-p/1707286#M265274 <HTML><HEAD></HEAD><BODY><P>I would like to check this command set work only for telnet but not for console ?</P></BODY></HTML> Thu, 29 Nov 2012 05:36:35 GMT https://community.cisco.com/t5/network-access-control/acs-5-2-command-set-issue/m-p/1707286#M265274 kapildev.bhatnagar 2012-11-29T05:36:35Z https://community.cisco.com/t5/network-access-control/acs-5-2-command-set-issue/m-p/1707287#M265295 <HTML><HEAD></HEAD><BODY><P>The IOS devices are designed to not get affected by authorization in the console port, to enable authorization in the console you need:</P><P></P><P>aaa authorization console</P><P></P><P>Make sure that you have full access from a remote connection before trying this command or you may get locked out if it's not properly configured.</P><P></P><P></P><P>Let me know if it helps.</P></BODY></HTML> Thu, 29 Nov 2012 13:07:32 GMT https://community.cisco.com/t5/network-access-control/acs-5-2-command-set-issue/m-p/1707287#M265295 mauzamor 2012-11-29T13:07:32Z