https://community.cisco.com/t5/network-access-control/aaa-authorization-design/m-p/1036057#M406509 <HTML><HEAD></HEAD><BODY><P>Here are the config required for setting up aaa authentication and authorization.</P><P></P><P></P><P>Router(config)# username [username] password [password]</P><P> tacacs-server host [ip]</P><P> tacacs-server key [key]</P><P> aaa new-model</P><P> aaa authentication login default group tacacs+ local</P><P> aaa authorization exec default group tacacs+ if-authenticated</P><P> aaa authorization commands 1 default group tacacs+ if-authenticated</P><P> aaa authorization commands 15 default group tacacs+ if-authenticated</P><P> aaa authorization config-commands</P><P></P><P>All the best !</P><P></P><P>Regards,</P><P>~JG</P></BODY></HTML> Thu, 24 Jul 2008 16:15:33 GMT Jagdeep Gambhir 2008-07-24T16:15:33Z https://community.cisco.com/t5/network-access-control/aaa-authorization-design/m-p/1036053#M406505 <P>I'm configuring several switches and routers for TACACS with ACS SE. I have a need to do three levels of access, the groups are as follows:</P><P>1. Normal read-only access.</P><P>2. Full access with the exception of config t.</P><P>3. Full access.</P><P></P><P>What would be the best way to achieve this goal, I can see that if I create Shell Command Authorization sets on the ACS, I can configure one for group 1 and one for group 3. But will I be able to for Group 2? Is there a way to allow all, but explicitly block one command? Following this page: <A class="jive-link-custom" href="http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml" target="_blank">http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml</A> leads me to believe that the capability may exist, but I have no way to confirm at the moment.</P> Sun, 10 Mar 2019 22:59:34 GMT https://community.cisco.com/t5/network-access-control/aaa-authorization-design/m-p/1036053#M406505 mbonner 2019-03-10T22:59:34Z https://community.cisco.com/t5/network-access-control/aaa-authorization-design/m-p/1036054#M406506 <HTML><HEAD></HEAD><BODY><P>With command authorization you can control every single command that you want user should be allowed. It covers all mode, enable , user and config mode.</P><P></P><P></P><P>I will post the screen shot shortly.</P><P></P><P></P><P></P><P>Regards,</P><P>~JG</P><P></P><P></P></BODY></HTML> Thu, 24 Jul 2008 11:46:37 GMT https://community.cisco.com/t5/network-access-control/aaa-authorization-design/m-p/1036054#M406506 Jagdeep Gambhir 2008-07-24T11:46:37Z https://community.cisco.com/t5/network-access-control/aaa-authorization-design/m-p/1036055#M406507 <HTML><HEAD></HEAD><BODY><P>Please see the attachment. </P><P></P><P>After the implementation user will be able to do every thing except config t.</P><P></P><P></P><P>Regards,</P><P>~JG</P><P></P><P>Do rate helpful post</P><P></P><P></P><P></P><P> </P><P></P></BODY></HTML> Thu, 24 Jul 2008 12:45:33 GMT https://community.cisco.com/t5/network-access-control/aaa-authorization-design/m-p/1036055#M406507 Jagdeep Gambhir 2008-07-24T12:45:33Z https://community.cisco.com/t5/network-access-control/aaa-authorization-design/m-p/1036056#M406508 <HTML><HEAD></HEAD><BODY><P>Quick follow-up question, what configuration is required on the switch/router for that functionality?</P></BODY></HTML> Thu, 24 Jul 2008 15:49:54 GMT https://community.cisco.com/t5/network-access-control/aaa-authorization-design/m-p/1036056#M406508 mbonner 2008-07-24T15:49:54Z https://community.cisco.com/t5/network-access-control/aaa-authorization-design/m-p/1036057#M406509 <HTML><HEAD></HEAD><BODY><P>Here are the config required for setting up aaa authentication and authorization.</P><P></P><P></P><P>Router(config)# username [username] password [password]</P><P> tacacs-server host [ip]</P><P> tacacs-server key [key]</P><P> aaa new-model</P><P> aaa authentication login default group tacacs+ local</P><P> aaa authorization exec default group tacacs+ if-authenticated</P><P> aaa authorization commands 1 default group tacacs+ if-authenticated</P><P> aaa authorization commands 15 default group tacacs+ if-authenticated</P><P> aaa authorization config-commands</P><P></P><P>All the best !</P><P></P><P>Regards,</P><P>~JG</P></BODY></HTML> Thu, 24 Jul 2008 16:15:33 GMT https://community.cisco.com/t5/network-access-control/aaa-authorization-design/m-p/1036057#M406509 Jagdeep Gambhir 2008-07-24T16:15:33Z