https://community.cisco.com/t5/network-access-control/authorization-problem/m-p/320223#M433457 <HTML><HEAD></HEAD><BODY><P>What if I don't have access to a TACACS+ server? Can it be done in IOS on the box?</P></BODY></HTML> Wed, 19 Oct 2005 13:40:47 GMT mark.webster 2005-10-19T13:40:47Z https://community.cisco.com/t5/network-access-control/authorization-problem/m-p/320220#M433454 <P>I use the CISCO Secure ACS 3.3 for windows and 2511 as a Network Access Server with sixteen host map for reverse-telnet. All people use the reverse-telnet connect to my routers. i just want some people can login a part of the routers. I look for some case. but all configuration is for UNIX version. How can config the Windows version ACS authorization user use some host map. </P><P> thanks.</P> Sun, 10 Mar 2019 20:50:03 GMT https://community.cisco.com/t5/network-access-control/authorization-problem/m-p/320220#M433454 honggangli 2019-03-10T20:50:03Z https://community.cisco.com/t5/network-access-control/authorization-problem/m-p/320221#M433455 <HTML><HEAD></HEAD><BODY><P>This might give you some idea,</P><P><A class="jive-link-custom" href="http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/index.htm" target="_blank">http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/index.htm</A></P></BODY></HTML> Thu, 07 Oct 2004 20:27:31 GMT https://community.cisco.com/t5/network-access-control/authorization-problem/m-p/320221#M433455 wong34539 2004-10-07T20:27:31Z https://community.cisco.com/t5/network-access-control/authorization-problem/m-p/320222#M433456 <HTML><HEAD></HEAD><BODY><P>If you only want certian people to have access to certian devices or certian commands on certian devices, you are going to have to do several things. FIrst you are going to have to use TACASS+ because RADIUS does not support "SHELL COMMAND AUTHORIZATION SETS". You can set this up through the "Shared Profile Components" tab. Here you can specifiy what commands people have access to. Next you have to assign the devices to "Network Device Groups" and users to specific groups. Under the group settings, go to "TACACS+ Setting". Check the Shell(Exec) box and the Privilege level box and assign it to 15. Scroll down to the Shell Command Authorization Set area. Choose the "Assign a Shell Command Authorization Set on a per Network Device Group Basis" option. Here you can assign a specific shell command authorization set to a specific network device group. </P><P></P><P>Then you must configure you device(s) to use this function. Your config should look something like this:</P><P></P><P></P><P>!</P><P>aaa new-model</P><P>aaa authentication login default group tacacs+ line</P><P>aaa authorization exec default group tacacs+ if-authenticated</P><P>aaa accounting exec default start-stop group tacacs+</P><P>aaa authorization config-commands</P><P>aaa authorization commands 0 default group tacacs+ if-authenticated </P><P>aaa authorization commands 1 default group tacacs+ if-authenticated </P><P>aaa authorization commands 15 default group tacacs+ if-authenticated </P><P>aaa accounting exec default start-stop group tacacs+ </P><P>aaa accounting commands 0 default stop-only group tacacs+ </P><P>aaa accounting commands 1 default stop-only group tacacs+ </P><P>aaa accounting commands 15 default stop-only group tacacs+ </P><P>!</P><P>tacacs-server host x.x.x.x key ***********</P><P></P><P>!</P><P>end</P></BODY></HTML> Fri, 08 Oct 2004 13:30:04 GMT https://community.cisco.com/t5/network-access-control/authorization-problem/m-p/320222#M433456 scottosan 2004-10-08T13:30:04Z https://community.cisco.com/t5/network-access-control/authorization-problem/m-p/320223#M433457 <HTML><HEAD></HEAD><BODY><P>What if I don't have access to a TACACS+ server? Can it be done in IOS on the box?</P></BODY></HTML> Wed, 19 Oct 2005 13:40:47 GMT https://community.cisco.com/t5/network-access-control/authorization-problem/m-p/320223#M433457 mark.webster 2005-10-19T13:40:47Z