<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Need to restrict certain commands for TACACS+ users in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/need-to-restrict-certain-commands-for-tacacs-users/m-p/485117#M427837</link>
<description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thanks for the links,&lt;/P&gt;&lt;P&gt;but I can't see any example which will allow me to create my own group with permit and deny commands for privilege level 15.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;All I want is one group that can change the interface settings and should have the ability to save the config. But they should not be able to issue a sh run or any other command other than those allowed in the list.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I will appreciate it if someone can give me some examples. The current one which I have allows a user to issue a sh conf command on a CatOS system even though my configuration on the TACACS server denies that, and also it's not allowing the user to issue a conf t command; it denies it saying command authorisation failed.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I'm sure it should be the configuration. Don't know what I'm doing wrong &lt;span class="lia-unicode-emoji" title=":disappointed_face:"&gt;😞&lt;/span&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Wed, 25 Jan 2006 08:46:02 GMT</pubDate>
    <dc:creator>trackme</dc:creator>
    <dc:date>2006-01-25T08:46:02Z</dc:date>
    <item>
      <title>Need to restrict certain commands for TACACS+ users</title>
      <link>https://community.cisco.com/t5/network-access-control/need-to-restrict-certain-commands-for-tacacs-users/m-p/485115#M427833</link>
<description>&lt;P&gt;I have a TACACS+ server and I need to create a group where a user can only work on the interface parameters and deny other commands. For example I don't want the user to use "sh run" or "sh start" but can use the "sh interface" command.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;And also allow him to issue the "conf t" command, but need to restrict it only to the interface and deny anything else.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Can you send me some examples with this.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;One more thing: should I create two groups, one for CatOS and one for IOS, or can I club both commands in a single group?&lt;/P&gt;</description>
      <pubDate>Sun, 10 Mar 2019 21:27:06 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/need-to-restrict-certain-commands-for-tacacs-users/m-p/485115#M427833</guid>
      <dc:creator>trackme</dc:creator>
      <dc:date>2019-03-10T21:27:06Z</dc:date>
    </item>
    <item>
      <title>Re: Need to restrict certain commands for TACACS+ users</title>
      <link>https://community.cisco.com/t5/network-access-control/need-to-restrict-certain-commands-for-tacacs-users/m-p/485116#M427834</link>
<description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I feel you are looking for something in line with different privilege levels for different sets of users.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;In which you have the advantage of assigning different command execution access to different privilege levels.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;AFAIK issuing config level commands and issuing show run can only work in EXEC privilege level, which is 15; in other modes I don't think you can give access to work with the configurations. But you can very well give the permissions to view the configs and clear the counters to the privilege levels.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Do find this link for more info on the same.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;A class="jive-link-custom" href="http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a00803f3bb7.html#wp1049664" target="_blank"&gt;http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a00803f3bb7.html#wp1049664&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;regds&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 25 Jan 2006 08:05:53 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/need-to-restrict-certain-commands-for-tacacs-users/m-p/485116#M427834</guid>
      <dc:creator>spremkumar</dc:creator>
      <dc:date>2006-01-25T08:05:53Z</dc:date>
    </item>
    <item>
      <title>Re: Need to restrict certain commands for TACACS+ users</title>
      <link>https://community.cisco.com/t5/network-access-control/need-to-restrict-certain-commands-for-tacacs-users/m-p/485117#M427837</link>
<description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thanks for the links,&lt;/P&gt;&lt;P&gt;but I can't see any example which will allow me to create my own group with permit and deny commands for privilege level 15.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;All I want is one group that can change the interface settings and should have the ability to save the config. But they should not be able to issue a sh run or any other command other than those allowed in the list.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I will appreciate it if someone can give me some examples. The current one which I have allows a user to issue a sh conf command on a CatOS system even though my configuration on the TACACS server denies that, and also it's not allowing the user to issue a conf t command; it denies it saying command authorisation failed.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I'm sure it should be the configuration. Don't know what I'm doing wrong &lt;span class="lia-unicode-emoji" title=":disappointed_face:"&gt;😞&lt;/span&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 25 Jan 2006 08:46:02 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/need-to-restrict-certain-commands-for-tacacs-users/m-p/485117#M427837</guid>
      <dc:creator>trackme</dc:creator>
      <dc:date>2006-01-25T08:46:02Z</dc:date>
    </item>
    <item>
      <title>Re: Need to restrict certain commands for TACACS+ users</title>
      <link>https://community.cisco.com/t5/network-access-control/need-to-restrict-certain-commands-for-tacacs-users/m-p/485118#M427838</link>
<description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;You can use a single group for the users - the reason being that a user can only inherit from a single group. I personally would stay away from applying commands under the user profile - rather the group.&lt;/P&gt;&lt;P&gt;In the group, under the section "Shell Command Authorization Set", choose "Per Group Command Authorization" and choose deny for unmatched commands.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;What you then have to do is check the box next to command and enter configure. Under arguments enter permit terminal.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The only problem is that you have to enter one command at a time, then submit, and go back into the group to add the second one.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 25 Jan 2006 09:09:35 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/need-to-restrict-certain-commands-for-tacacs-users/m-p/485118#M427838</guid>
      <dc:creator>a-larkins</dc:creator>
      <dc:date>2006-01-25T09:09:35Z</dc:date>
    </item>
    <item>
      <title>Re: Need to restrict certain commands for TACACS+ users</title>
      <link>https://community.cisco.com/t5/network-access-control/need-to-restrict-certain-commands-for-tacacs-users/m-p/485119#M427840</link>
<description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;I use the free TACACS+ server from Cisco; all I use is a user file which contains the various groups. I don't have a menu based system where I can add those commands; I have seen that in Cisco ACS but not here &lt;span class="lia-unicode-emoji" title=":disappointed_face:"&gt;😞&lt;/span&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The router or the switch reads information from that file only.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I don't know how to add these commands via the CLI in this file, meaning I don't know the exact syntax for adding these commands you mentioned.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I have one group which has a default permit any, working fine.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The issue is with this group only, where some commands work which I don't want to work and some don't work which I want to work &lt;span class="lia-unicode-emoji" title=":disappointed_face:"&gt;😞&lt;/span&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I will appreciate an example with the syntax.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;For example my file shows like this&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;cmd = show { deny "config" }&lt;/P&gt;&lt;P&gt;        cmd = show { deny "run" }&lt;/P&gt;&lt;P&gt;        cmd = show { deny "start" }&lt;/P&gt;&lt;P&gt;        cmd = show { permit ".*" }&lt;/P&gt;&lt;P&gt;        cmd = enable { permit ".*" }&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I don't know whether it is correct or not, but users logged into CatOS are able to issue the sh conf command &lt;span class="lia-unicode-emoji" title=":disappointed_face:"&gt;😞&lt;/span&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;but at the same time users logged into IOS are not able to issue sh run or sh conf, and it denies them with command authorisation failed.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;This is what I want, but one is allowed in CatOS and denied in IOS, and hence I'm confused for the same user.&lt;/P&gt;&lt;P&gt;Can you help me to fix this so that no user can issue sh conf in CatOS as well.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Also I want to limit the user in IOS to changing the interface parameters only, which is currently denied.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Also send me some links so that I can do some research on that.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 25 Jan 2006 09:40:27 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/need-to-restrict-certain-commands-for-tacacs-users/m-p/485119#M427840</guid>
      <dc:creator>trackme</dc:creator>
      <dc:date>2006-01-25T09:40:27Z</dc:date>
    </item>
  </channel>
</rss>

