https://community.cisco.com/t5/network-access-control/prevent-excecuting-commands/m-p/361306#M430341 <P>We have a tacacs+ 3.2 server running on windows. </P><P>What do i need to prevent users excecuting commands like 'reload' and 'sh ip route' on the enable level.</P><P>and commands in the config mode ('no ip router bgp').</P><P></P><P>I'm looking for examples of configs on the router.</P><P>But most of all, how do I configure the tacacs+ server.</P><P></P><P>Greetings</P><P>Jeroen</P> Sun, 10 Mar 2019 20:53:08 GMT vos123 2019-03-10T20:53:08Z https://community.cisco.com/t5/network-access-control/prevent-excecuting-commands/m-p/361306#M430341 <P>We have a tacacs+ 3.2 server running on windows. </P><P>What do i need to prevent users excecuting commands like 'reload' and 'sh ip route' on the enable level.</P><P>and commands in the config mode ('no ip router bgp').</P><P></P><P>I'm looking for examples of configs on the router.</P><P>But most of all, how do I configure the tacacs+ server.</P><P></P><P>Greetings</P><P>Jeroen</P> Sun, 10 Mar 2019 20:53:08 GMT https://community.cisco.com/t5/network-access-control/prevent-excecuting-commands/m-p/361306#M430341 vos123 2019-03-10T20:53:08Z https://community.cisco.com/t5/network-access-control/prevent-excecuting-commands/m-p/361307#M430343 <HTML><HEAD></HEAD><BODY><P>You will need to create a Shell Command Authorization Set. That is located Shared Profile Components/ Shell Command Authorization Sets. After you create a Shell Command Authorization Set, you need to apply it to the group that the user is a member of. On the router, you need to make sure it checks with the ACS server for every command entered. That is done with the command:</P><P></P><P>aaa authorization commands 15 default group tacacs+ none</P></BODY></HTML> Wed, 10 Nov 2004 21:24:30 GMT https://community.cisco.com/t5/network-access-control/prevent-excecuting-commands/m-p/361307#M430343 cdwyer 2004-11-10T21:24:30Z