https://community.cisco.com/t5/network-access-control/shell-command-authorization/m-p/454408#M428295 <HTML><HEAD></HEAD><BODY><P>Thank you for your very helpful respeonse.</P><P></P><P>Nick</P></BODY></HTML> Wed, 02 Nov 2005 11:41:18 GMT stretchlad 2005-11-02T11:41:18Z https://community.cisco.com/t5/network-access-control/shell-command-authorization/m-p/454406#M428292 <P>Hi all</P><P></P><P>I am having a problem with Shell Command Authorization. I have a user setup who I only want to be able to display the config, this is for automated config archival on an hourly basis.</P><P></P><P>I have configuered the device with the following aaa commands:</P><P></P><P>aaa new-model</P><P>aaa group server tacacs+ ACS</P><P>aaa authentication login default group ACS</P><P>aaa authentication login NOAUTH none</P><P>aaa authorization config-commands</P><P>aaa authorization exec default group tacacs+ group ACS</P><P>aaa authorization exec NOAUTH none</P><P>aaa authorization commands 15 default group ACS</P><P>aaa authorization commands 15 NOAUTH none</P><P>aaa accounting commands 15 default start-stop group ACS</P><P></P><P>The static account I have configured logs in ok and can show config etc. Access to conf t is disabled which is good but for some reason he can do any show command instead of just show run which is all I have allowed in the Shell command authorization.</P><P></P><P>Unmatched commands is set to deny and permit unmatched arguements is unchecked.</P><P></P><P>ACS is 3.3(2) and the switch I am testing is running 12.1(9)EA1</P><P></P><P>Any ideas?</P> Sun, 10 Mar 2019 21:21:20 GMT https://community.cisco.com/t5/network-access-control/shell-command-authorization/m-p/454406#M428292 stretchlad 2019-03-10T21:21:20Z https://community.cisco.com/t5/network-access-control/shell-command-authorization/m-p/454407#M428293 <HTML><HEAD></HEAD><BODY><P>Most "show" command are level 1 commands. You can verify this by logging in as a normal user, issue a "sho priv" to ensure you're at level 1, and then type "sho ip route", "sho ver", etc, you'll see that all of them work fine.</P><P></P><P>Your AAA commands only tell the switch to authorize level 15 commands, so when you do a "sho ver" or the like this command will not be sent off to the ACS server for authorization.</P><P></P><P>If you add the following:</P><P><B></B></P><P>aaa authorization commands 1 default group ACS</P><P></P><P>then that shoud fix it, but be careful because it's easy to lock yourself out of being able to get into enable mode (add "enable" into your command set too).</P><P></P><P>You should also have noticed that all those "show" commands weren't being accounted either, because you have also only enabled accounting for level 15 commands.</P></BODY></HTML> Thu, 27 Oct 2005 05:10:59 GMT https://community.cisco.com/t5/network-access-control/shell-command-authorization/m-p/454407#M428293 gfullage 2005-10-27T05:10:59Z https://community.cisco.com/t5/network-access-control/shell-command-authorization/m-p/454408#M428295 <HTML><HEAD></HEAD><BODY><P>Thank you for your very helpful respeonse.</P><P></P><P>Nick</P></BODY></HTML> Wed, 02 Nov 2005 11:41:18 GMT https://community.cisco.com/t5/network-access-control/shell-command-authorization/m-p/454408#M428295 stretchlad 2005-11-02T11:41:18Z