https://community.cisco.com/t5/network-access-control/user-restrictions-via-tac/m-p/906224#M408474 <HTML><HEAD></HEAD><BODY><P>I think the reason that you are able to use ping command is, because "ping" command level is not being authorized.</P><P></P><P>i.e. by default on IOS device we have three level, namely 0, 1 and 15.</P><P></P><P>At level zero you have command: disable, enable, exit, help, and logout</P><P></P><P>I think ping command is either at level 1 or 15, given you have not changed the level of command.</P><P></P><P>So I would suggest following,</P><P></P><P>aaa authorization commands 0 AUTHO-VTY group tacacs+</P><P>aaa authorization commands 1 AUTHO-VTY group tacacs+</P><P>aaa authorization commands 15 AUTHO-VTY group tacacs+</P><P></P><P>line vty 0 903</P><P> no authorization commands 0 en0</P><P> no authorization commands 5 RESTRICT</P><P> authorization commands 0 AUTHO-VTY</P><P> authorization commands 1 AUTHO-VTY</P><P> authorization commands 15 AUTHO-VTY</P><P></P><P>And then configure permitted or denied commands accordingly on Tacacs server user profile.</P><P></P><P>Regards,</P><P>Prem</P></BODY></HTML> Thu, 25 Oct 2007 22:33:22 GMT Premdeep Banga 2007-10-25T22:33:22Z https://community.cisco.com/t5/network-access-control/user-restrictions-via-tac/m-p/906223#M408473 <P>hi @all,</P><P></P><P>i'm trying to restrict a user with tacacs+. the relevant router &amp; tac.-config are as following:</P><P></P><P>ios:</P><P></P><P>aaa new-model</P><P>!</P><P>!</P><P>aaa authentication login console group tacacs+ local enable</P><P>aaa authentication login vty group tacacs+ local enable</P><P>aaa authentication enable default group tacacs+ enable</P><P>aaa authorization commands 0 en0 group tacacs+</P><P>aaa authorization commands 5 RESTRICT group tacacs+</P><P>!</P><P>aaa session-id common</P><P>!</P><P>line con 0</P><P> exec-timeout 0 0</P><P> logging synchronous</P><P> login authentication console</P><P>line aux 0</P><P>line vty 0 903</P><P> authorization commands 0 en0</P><P> authorization commands 5 RESTRICT</P><P> logging synchronous</P><P> login authentication vty</P><P> transport input ssh</P><P></P><P>tacacs:</P><P></P><P> user = guck {</P><P></P><P> login = cleartext guck</P><P></P><P> service = shell { priv_level = 5 }</P><P> cmd = enable { deny .* }</P><P> cmd = show { permit ver deny .* }</P><P> cmd = traceroute { permit .* }</P><P> cmd = exit { permit .* }</P><P> }</P><P></P><P>it's partially working, so i can't execute the enable command, but i can do a lot more than "show ver" as intended, and more than traceroute and exit. i can execute ping as well and various other commands. now i'd like to know if it's possible at all to restrict a user to the above mentioned commands in conjunction with tacacs, or doesn't this work that way?</P><P></P><P>tia</P><P>br</P><P></P><P>erik</P> Sun, 10 Mar 2019 22:28:27 GMT https://community.cisco.com/t5/network-access-control/user-restrictions-via-tac/m-p/906223#M408473 erik.neuwirth 2019-03-10T22:28:27Z https://community.cisco.com/t5/network-access-control/user-restrictions-via-tac/m-p/906224#M408474 <HTML><HEAD></HEAD><BODY><P>I think the reason that you are able to use ping command is, because "ping" command level is not being authorized.</P><P></P><P>i.e. by default on IOS device we have three level, namely 0, 1 and 15.</P><P></P><P>At level zero you have command: disable, enable, exit, help, and logout</P><P></P><P>I think ping command is either at level 1 or 15, given you have not changed the level of command.</P><P></P><P>So I would suggest following,</P><P></P><P>aaa authorization commands 0 AUTHO-VTY group tacacs+</P><P>aaa authorization commands 1 AUTHO-VTY group tacacs+</P><P>aaa authorization commands 15 AUTHO-VTY group tacacs+</P><P></P><P>line vty 0 903</P><P> no authorization commands 0 en0</P><P> no authorization commands 5 RESTRICT</P><P> authorization commands 0 AUTHO-VTY</P><P> authorization commands 1 AUTHO-VTY</P><P> authorization commands 15 AUTHO-VTY</P><P></P><P>And then configure permitted or denied commands accordingly on Tacacs server user profile.</P><P></P><P>Regards,</P><P>Prem</P></BODY></HTML> Thu, 25 Oct 2007 22:33:22 GMT https://community.cisco.com/t5/network-access-control/user-restrictions-via-tac/m-p/906224#M408474 Premdeep Banga 2007-10-25T22:33:22Z https://community.cisco.com/t5/network-access-control/user-restrictions-via-tac/m-p/906225#M408477 <HTML><HEAD></HEAD><BODY><P>hi Prem,</P><P></P><P>thank you very much for your help! you hit the bull's-eye!!!!</P><P></P><P>br</P><P></P><P>erik</P></BODY></HTML> Fri, 26 Oct 2007 07:15:04 GMT https://community.cisco.com/t5/network-access-control/user-restrictions-via-tac/m-p/906225#M408477 erik.neuwirth 2007-10-26T07:15:04Z