https://community.cisco.com/t5/network-access-control/how-to-hide-line-console-parameters-through-cisco-acs/m-p/1028711#M385043 <HTML><HEAD></HEAD><BODY><P>This thing is possible with local authorization on IOS device. With ACS this is not possible. </P><P></P><P>In acs you can set what all commands a specific user can issue. That feature is called command authorization.</P><P></P><P>For show run you need to give priv 15. ACS works in a different way if you compare it with setting up local priv lvls on router/switch.</P><P></P><P>Best way to set it up is to give all user priv lvl 15 and then define what all commands user can execute.</P><P></P><P>Note : Having priv 15 does not mean that user will able to issue all commands.</P><P></P><P>We will set up command authorization on acs to have control on users.</P><P></P><P>This is how your config should look,</P><P></P><P>aaa authentication login default group tacacs+ local</P><P>aaa authorization exec default group tacacs+ if-authenticated</P><P>aaa authorization commands 1 default group tacacs+ if-authenticated</P><P>aaa authorization commands 15 default group tacacs+ if-authenticated</P><P>aaa authorization config-commands</P><P></P><P>aaa accounting commands 1 default start-stop group tacacs+</P><P>aaa accounting commands 15 default start-stop group tacacs+</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml" target="_blank">http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml</A></P><P></P><P></P><P>Regards,</P><P>~JG</P><P></P><P>Do rate helpful posts</P></BODY></HTML> Wed, 09 Jul 2008 12:03:03 GMT Jagdeep Gambhir 2008-07-09T12:03:03Z https://community.cisco.com/t5/network-access-control/how-to-hide-line-console-parameters-through-cisco-acs/m-p/1028710#M384999 <P>Hi,</P><P></P><P>Can any one of you please help me in the following scenario ?</P><P></P><P>I want to hide the line console, line aux and line vty configuration parameters of the cisco devices based on user level privillages through Cisco ACS. For example, if a user logs into the devices with privilege level 7, then he should not be able to see the line paramenters on the cisco devices for which he had privilege level 7 access. </P><P>Can you please help me out how to achieve this?? Your help in this regard is highly appriciated.</P><P></P><P>Thanks</P> Sun, 10 Mar 2019 22:57:44 GMT https://community.cisco.com/t5/network-access-control/how-to-hide-line-console-parameters-through-cisco-acs/m-p/1028710#M384999 sk_claassic 2019-03-10T22:57:44Z https://community.cisco.com/t5/network-access-control/how-to-hide-line-console-parameters-through-cisco-acs/m-p/1028711#M385043 <HTML><HEAD></HEAD><BODY><P>This thing is possible with local authorization on IOS device. With ACS this is not possible. </P><P></P><P>In acs you can set what all commands a specific user can issue. That feature is called command authorization.</P><P></P><P>For show run you need to give priv 15. ACS works in a different way if you compare it with setting up local priv lvls on router/switch.</P><P></P><P>Best way to set it up is to give all user priv lvl 15 and then define what all commands user can execute.</P><P></P><P>Note : Having priv 15 does not mean that user will able to issue all commands.</P><P></P><P>We will set up command authorization on acs to have control on users.</P><P></P><P>This is how your config should look,</P><P></P><P>aaa authentication login default group tacacs+ local</P><P>aaa authorization exec default group tacacs+ if-authenticated</P><P>aaa authorization commands 1 default group tacacs+ if-authenticated</P><P>aaa authorization commands 15 default group tacacs+ if-authenticated</P><P>aaa authorization config-commands</P><P></P><P>aaa accounting commands 1 default start-stop group tacacs+</P><P>aaa accounting commands 15 default start-stop group tacacs+</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml" target="_blank">http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml</A></P><P></P><P></P><P>Regards,</P><P>~JG</P><P></P><P>Do rate helpful posts</P></BODY></HTML> Wed, 09 Jul 2008 12:03:03 GMT https://community.cisco.com/t5/network-access-control/how-to-hide-line-console-parameters-through-cisco-acs/m-p/1028711#M385043 Jagdeep Gambhir 2008-07-09T12:03:03Z