https://community.cisco.com/t5/network-access-control/help-needed-on-command-authorization-set/m-p/464229#M428844 <HTML><HEAD></HEAD><BODY><P>You could refer to : <A class="jive-link-custom" href="http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7a7.html" target="_blank">http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7a7.html</A> for the authorization commands.</P></BODY></HTML> Wed, 20 Jul 2005 15:05:31 GMT pradeepde 2005-07-20T15:05:31Z https://community.cisco.com/t5/network-access-control/help-needed-on-command-authorization-set/m-p/464228#M428842 <P>Dear Sir, </P><P></P><P>on my ACS v 3.2 windows server, I have configured group A and created one user in it as B, I want this user B to have helpdesk profile i.e. he should only access show commands but it is strange to discover when B type enable he moves in to enable mode (it ask for enable password), I want to restrict B from using enable command, pls.find below mentioned my router client aaa config:- </P><P></P><P>aaa new-model </P><P>aaa authentication login default group tacacs+ local </P><P>aaa authentication login enable group tacacs+ enable </P><P>aaa authentication ppp default local group radius </P><P>aaa authorization exec default group tacacs+ local </P><P>aaa accounting exec default start-stop group tacacs+ </P><P>aaa accounting commands 1 default start-stop group tacacs+ </P><P>aaa accounting commands 7 default start-stop group tacacs+ </P><P>aaa accounting commands 15 default start-stop group tacacs+ </P><P>aaa accounting connection default start-stop group tacacs+ </P><P>aaa session-id common </P><P></P><P>Kindly suggest client and server config to accomplish the needful task.</P><P></P> Sun, 10 Mar 2019 21:13:37 GMT https://community.cisco.com/t5/network-access-control/help-needed-on-command-authorization-set/m-p/464228#M428842 manishn 2019-03-10T21:13:37Z https://community.cisco.com/t5/network-access-control/help-needed-on-command-authorization-set/m-p/464229#M428844 <HTML><HEAD></HEAD><BODY><P>You could refer to : <A class="jive-link-custom" href="http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7a7.html" target="_blank">http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7a7.html</A> for the authorization commands.</P></BODY></HTML> Wed, 20 Jul 2005 15:05:31 GMT https://community.cisco.com/t5/network-access-control/help-needed-on-command-authorization-set/m-p/464229#M428844 pradeepde 2005-07-20T15:05:31Z https://community.cisco.com/t5/network-access-control/help-needed-on-command-authorization-set/m-p/464230#M428845 <HTML><HEAD></HEAD><BODY><P>Thats because this is not done at from router level. Such as above your configuration above says to use a tacacs server and if it fails then authenticate and authorize local. So as long as the router can access the tacacs server it will pass it off to the tacacs server for it make that decision and from there pass it back to the router. In other words make your access authorization settings on the ACS server not the router. The router is set up fine as long as you have the tacacs-server command in there specifing what server to use with a key.</P></BODY></HTML> Wed, 20 Jul 2005 20:46:25 GMT https://community.cisco.com/t5/network-access-control/help-needed-on-command-authorization-set/m-p/464230#M428845 vasthorvak 2005-07-20T20:46:25Z