topic Re: Shell Commands Authorisation Set in Network Access Control https://community.cisco.com/t5/network-access-control/shell-commands-authorisation-set/m-p/265916#M434557 <HTML><HEAD></HEAD><BODY><P>You're close. "sho ver" is a level 1 command, not a level 15 (enable) command, so add the following:</P><P><B></B></P><P>aaa authorization commands 1 default tacacs</P><P></P><P>You have to do TACACS authentication cause there's no such thing as Radius command authorization. </P><P></P><P>Also, you don't reference your Command Set in the "aaa author" command on the device, it doesn't care what that name is cause it's ACS specific. </P><P></P><P>Also, what I've shown you above will enable command authorization for all users, so for users that you want to be able to do everything, add another Shell Command Authorisation Set onto the ACS server that permits everything, and apply it to the users with no restrictions.</P></BODY></HTML> Fri, 16 Apr 2004 04:59:20 GMT gfullage 2004-04-16T04:59:20Z Shell Commands Authorisation Set https://community.cisco.com/t5/network-access-control/shell-commands-authorisation-set/m-p/265915#M434556 <P>Hi</P><P></P><P>I wonder if you guys can help with something I'm trying out. </P><P></P><P>We are using CiscoSecure 3.2. At the moment all users with ACS accounts have full access to the routers/switches once they have authenticated. But we have a group of users who could do some simple stuff for us (I'm thinking of allowing them to change speed/duplex and vlans on fe interfaces on edge switches.) But I would rather they didn't have full access for obvious reasons!</P><P></P><P>So I have created a Shell Command Authorisation Set with a command of show and an arguement of permit version (I'm move on the more complex commands once I've mastered this one!) and denied unmatched commands. Within the group to which my test user belongs I have assigned my command set.</P><P></P><P>I don't think I've gone too far wrong here. But, what config do I need to apply to the network devices? At the moment while I am able to authenticate with my test user they have full and complete access once authenticated.</P><P></P><P>I've added this line:</P><P>aaa authorization commands 15 RepAccess &lt;my command set&gt; if-authenticated</P><P></P><P>Where am I going wrong? Any pointers gratefully received.</P><P>Many thanks</P><P>Carolyn</P> Sun, 10 Mar 2019 14:45:16 GMT https://community.cisco.com/t5/network-access-control/shell-commands-authorisation-set/m-p/265915#M434556 cmacinnes 2019-03-10T14:45:16Z Re: Shell Commands Authorisation Set https://community.cisco.com/t5/network-access-control/shell-commands-authorisation-set/m-p/265916#M434557 <HTML><HEAD></HEAD><BODY><P>You're close. "sho ver" is a level 1 command, not a level 15 (enable) command, so add the following:</P><P><B></B></P><P>aaa authorization commands 1 default tacacs</P><P></P><P>You have to do TACACS authentication cause there's no such thing as Radius command authorization. </P><P></P><P>Also, you don't reference your Command Set in the "aaa author" command on the device, it doesn't care what that name is cause it's ACS specific. </P><P></P><P>Also, what I've shown you above will enable command authorization for all users, so for users that you want to be able to do everything, add another Shell Command Authorisation Set onto the ACS server that permits everything, and apply it to the users with no restrictions.</P></BODY></HTML> Fri, 16 Apr 2004 04:59:20 GMT https://community.cisco.com/t5/network-access-control/shell-commands-authorisation-set/m-p/265916#M434557 gfullage 2004-04-16T04:59:20Z