https://community.cisco.com/t5/network-access-control/exclude-specific-user-from-aaa-authorization-commands/m-p/2635159#M74652 <P>If that user belongs to a unique group then you can write a policy where "if the user is in group x then return "access_reject" Or return "access_accept" but set the privilege level to "1" and block all commands.&nbsp;</P><P>&nbsp;</P><P><EM style="font-size: 14.3999996185303px; background-color: rgb(249, 249, 249);">Thank you for rating helpful posts!</EM></P><P>&nbsp;</P> Tue, 10 Feb 2015 18:49:26 GMT nspasov 2015-02-10T18:49:26Z https://community.cisco.com/t5/network-access-control/exclude-specific-user-from-aaa-authorization-commands/m-p/2635156#M74645 <P>Hi there,</P><P>&nbsp;</P><P>I am trying to find a solution to exclude specific users from being authorized (AAA command authorization) when entering commands on the switch/router.</P><P>We use an AAA setup with Cisco ACS. On the devices we use:</P><P><SPAN style="font-size:11px;"><SPAN style="font-family: courier new,courier,monospace;">aaa authorization config-commands<BR />aaa authorization commands 1 default group tacacs+ local<BR />aaa authorization commands 5 default group tacacs+ local<BR />aaa authorization commands 15 default group tacacs+ local</SPAN></SPAN><BR />&nbsp;</P><P>is it possible, to exclude an&nbsp; user, say User1, from being command authorized?</P><P>In other words, when User1 logs on the switch/router, the switch/router shouldn't check the ACS if User1 is authorized to use this command.</P><P>We tried this with method lists in combination with ACL's on the VTY's:</P><P>&nbsp;</P><P><SPAN style="font-size:11px;"><SPAN style="font-family: courier new,courier,monospace;">line VTY 0</SPAN></SPAN></P><P><SPAN style="font-size:11px;"><SPAN style="font-family: courier new,courier,monospace;">access-class 1 in</SPAN></SPAN></P><P>&nbsp;</P><P><SPAN style="font-size:11px;"><SPAN style="font-family: courier new,courier,monospace;">line VTY 1</SPAN></SPAN></P><P><SPAN style="font-size:11px;"><SPAN style="font-family: courier new,courier,monospace;">access-class 2 in</SPAN></SPAN></P><P>&nbsp;</P><P>Let's say, User1 always logs in from a specific IP, which is mentioned in access-list 2, the switch would use the method mentioned within the line vty 1.</P><P>But apparently, when a remote connection is being established, the switch/router uses the first VTY which is available, instead of watching which ACL can be matched to the source IP from the User.</P><P>&nbsp;</P><P>Does anyone have some tips/tricks how to handle this?</P><P>Maybe a custom attribute from the ACS?</P><P>&nbsp;</P><P>Kind Regards</P><P>&nbsp;</P> Mon, 11 Mar 2019 05:25:48 GMT https://community.cisco.com/t5/network-access-control/exclude-specific-user-from-aaa-authorization-commands/m-p/2635156#M74645 diondohmen 2019-03-11T05:25:48Z https://community.cisco.com/t5/network-access-control/exclude-specific-user-from-aaa-authorization-commands/m-p/2635157#M74648 <P>Where does the user you are trying to block reside? Locally on the device, AD or in the ACS database?</P><P>&nbsp;</P><P><EM style="font-size: 14.3999996185303px; background-color: rgb(249, 249, 249);">Thank you for rating helpful posts!</EM></P> Tue, 10 Feb 2015 02:23:39 GMT https://community.cisco.com/t5/network-access-control/exclude-specific-user-from-aaa-authorization-commands/m-p/2635157#M74648 nspasov 2015-02-10T02:23:39Z https://community.cisco.com/t5/network-access-control/exclude-specific-user-from-aaa-authorization-commands/m-p/2635158#M74649 <P>We have a RADIUS backend where the user resides</P> Tue, 10 Feb 2015 07:45:24 GMT https://community.cisco.com/t5/network-access-control/exclude-specific-user-from-aaa-authorization-commands/m-p/2635158#M74649 diondohmen 2015-02-10T07:45:24Z https://community.cisco.com/t5/network-access-control/exclude-specific-user-from-aaa-authorization-commands/m-p/2635159#M74652 <P>If that user belongs to a unique group then you can write a policy where "if the user is in group x then return "access_reject" Or return "access_accept" but set the privilege level to "1" and block all commands.&nbsp;</P><P>&nbsp;</P><P><EM style="font-size: 14.3999996185303px; background-color: rgb(249, 249, 249);">Thank you for rating helpful posts!</EM></P><P>&nbsp;</P> Tue, 10 Feb 2015 18:49:26 GMT https://community.cisco.com/t5/network-access-control/exclude-specific-user-from-aaa-authorization-commands/m-p/2635159#M74652 nspasov 2015-02-10T18:49:26Z