topic Since you already have in Network Access Control

ACS 4.1 Shell command Authorization set - VLAN configuration

Richard Rowe — Mon, 11 Mar 2019 04:34:41 GMT

I am looking to limit certain users on which VLANs they can set on switch ports. I have the following configured on the command "switchport":

deny access vlan 11
permit access vlan 10
permit access vlan 13
permit access vlan 40
permit access vlan 50
permit access vlan 60
permit access vlan 101

But it is still allowing "switchport access vlan 11" to be a viable command on that group. I do not have "permit unmatched args" checked and I have the "Unmatched Commands" set to deny. It's as if the "switchport access" portion is being acknowledged but the rest is ignored. Can you only put a single argument per command? If that is the case, I tried adding a command of "vlan" and limiting it similarly to deny 11 and allow the rest, but that also didn't work.

Since you already have

Jatin Katyal — Thu, 27 Mar 2014 03:21:10 GMT

Since you already have "unmatched commads" set to DENY and "permit unmatched args" is uncheceked than you don't need explicit "deny access vlan 11". Can you remove it from there and try again.

In case it doesn't work, please get following information:

debug aaa authen

debug aaa autho

debug tacacs

Regards,

Jatin Katyal

*Do rate helpful posts*

Ahh gezz, I found the problem

Richard Rowe — Thu, 27 Mar 2014 11:54:02 GMT

Ahh gezz, I found the problem after doing the debugs - some of my AAA configuration was missing from the particular switch I was having an issue with.

Thanks for the reply though. Wouldn't have known the right debugging to try so that helps for future troubleshooting.

No worries. Keep posting.

Jatin Katyal — Thu, 27 Mar 2014 13:57:04 GMT

No worries. Keep posting.

Regards,

Jatin Katyal

*Do rate helpful posts*