https://community.cisco.com/t5/network-access-control/help-needed-on-command-authorization-on-acs/m-p/432126#M428909 <HTML><HEAD></HEAD><BODY><P>Dear Sir,</P><P></P><P>on my ACS v 3.2 windows server, I have configured group A and created one user B, I want this user B to have helpdesk profile i.e. he should only access show commands but it is strange to discover when B type enable he moves in to enable mode (it ask for enable password), I want to restrict B from using enable command, pls.find below mentioned my router aaa config:-</P><P></P><P>aaa new-model</P><P>aaa authentication login default group tacacs+ local</P><P>aaa authentication login enable group tacacs+ enable</P><P>aaa authentication ppp default local group radius</P><P>aaa authorization exec default group tacacs+ local</P><P>aaa accounting exec default start-stop group tacacs+</P><P>aaa accounting commands 1 default start-stop group tacacs+</P><P>aaa accounting commands 7 default start-stop group tacacs+</P><P>aaa accounting commands 15 default start-stop group tacacs+</P><P>aaa accounting connection default start-stop group tacacs+</P><P>aaa session-id common</P><P></P><P>Kindly guide me as what parameter needs to be set at ACS server command authorisation set feature.</P><P></P></BODY></HTML> Wed, 13 Jul 2005 11:57:52 GMT manishn 2005-07-13T11:57:52Z https://community.cisco.com/t5/network-access-control/help-needed-on-command-authorization-on-acs/m-p/432124#M428906 <P>could anyone help telling the exact procedure of configuring user authorization on cisco ios router via acs server.my users are getting authenticated via the acs server but unable to authorize the commands they execute on the ios router.</P><P></P><P>my commands on the aa client :</P><P></P><P>aaa new-model</P><P>aaa authentication login default group tacacs+</P><P>aaa authorization exec default group tacacs+</P><P>user john privilege 5 password john</P><P></P><P>pls help me on this . </P> Sun, 10 Mar 2019 21:12:38 GMT https://community.cisco.com/t5/network-access-control/help-needed-on-command-authorization-on-acs/m-p/432124#M428906 sebastan_bach 2019-03-10T21:12:38Z https://community.cisco.com/t5/network-access-control/help-needed-on-command-authorization-on-acs/m-p/432125#M428907 <HTML><HEAD></HEAD><BODY><P>Try this:</P><P>aaa authentication login default group tacacs+ local</P><P></P><P>aaa authorization exec default group tacacs+ local</P><P>aaa authorization exec xxxxx group tacacs+ local</P><P>aaa authorization commands 1 default group tacacs+ local</P><P>aaa authorization commands 15 xxxxx group tacacs+ local</P><P></P><P>Then you need to go to your ACS sever and create a shell command set under Shared Profile components</P><P></P><P>The shell command set should look something like this:</P><P>(main cmd) configure</P><P>(sub cmds)</P><P>permit terminal</P><P>permit interface</P><P>permit fastethernet</P><P>permit switcthport</P><P>permit access</P><P>permit vlan</P><P>permit mode</P><P>permit spanning-tree</P><P>permit portfast</P><P>permit port-security </P><P></P><P>Check the permit box. If you want to deny them the cmd the replace permit with deny.</P><P></P><P>You can also check permit unmatched cmds arguments.</P><P>An example would be:</P><P></P><P>Clear (main cmd)</P><P>with the box checked they would have access to all of the sub commands. IE: clear counters etc...</P><P></P><P>To check and see if it is working place these lines in your aaa config:</P><P>aaa accounting commands 1 default start-stop group tacacs+</P><P>aaa accounting commands 15 default start-stop group tacacs+</P><P></P><P>This will show you what cmds are being run in the T+ admin section of ACS. CMDs that are access that they don't have access to will show up in the Failed attempts.</P><P></P><P>On a side note:</P><P>This line in your config only effects the local user name and not the ACS user name</P><P></P><P>user john privilege 5 password john</P><P></P><P>To get this to work you need to change the privilege level of the commands that you want them to have to privilege level 5 if you have a lot of AAA devices it is best to do it though the ACS server. </P><P></P></BODY></HTML> Tue, 05 Jul 2005 11:28:15 GMT https://community.cisco.com/t5/network-access-control/help-needed-on-command-authorization-on-acs/m-p/432125#M428907 dan.reynolds 2005-07-05T11:28:15Z https://community.cisco.com/t5/network-access-control/help-needed-on-command-authorization-on-acs/m-p/432126#M428909 <HTML><HEAD></HEAD><BODY><P>Dear Sir,</P><P></P><P>on my ACS v 3.2 windows server, I have configured group A and created one user B, I want this user B to have helpdesk profile i.e. he should only access show commands but it is strange to discover when B type enable he moves in to enable mode (it ask for enable password), I want to restrict B from using enable command, pls.find below mentioned my router aaa config:-</P><P></P><P>aaa new-model</P><P>aaa authentication login default group tacacs+ local</P><P>aaa authentication login enable group tacacs+ enable</P><P>aaa authentication ppp default local group radius</P><P>aaa authorization exec default group tacacs+ local</P><P>aaa accounting exec default start-stop group tacacs+</P><P>aaa accounting commands 1 default start-stop group tacacs+</P><P>aaa accounting commands 7 default start-stop group tacacs+</P><P>aaa accounting commands 15 default start-stop group tacacs+</P><P>aaa accounting connection default start-stop group tacacs+</P><P>aaa session-id common</P><P></P><P>Kindly guide me as what parameter needs to be set at ACS server command authorisation set feature.</P><P></P></BODY></HTML> Wed, 13 Jul 2005 11:57:52 GMT https://community.cisco.com/t5/network-access-control/help-needed-on-command-authorization-on-acs/m-p/432126#M428909 manishn 2005-07-13T11:57:52Z