https://community.cisco.com/t5/network-access-control/problem-with-command-authorisation-with-acs/m-p/506403#M9142 <HTML><HEAD></HEAD><BODY><P>hi thanks. yeah i tried that but it's still ain't working. someone told me that in acs command authorisation will not work for privilege level commands. that we cannot move the level 1 commands from one user to the other.say i have 2 users one at level 5 and other at level 7 . the ping command is available for both the users. so if i move the command from level 5 to level 7 then this command should only be to level 7 user. still level 5 users can execute ping command. i hope u understand the problem i am facing here. i can achieve this from local command authorisation on the router but not with acs server. waiting for ur reply.</P><P></P><P>sebastan </P></BODY></HTML> Sat, 08 Apr 2006 02:53:30 GMT sebastan_bach 2006-04-08T02:53:30Z https://community.cisco.com/t5/network-access-control/problem-with-command-authorisation-with-acs/m-p/506401#M9140 <P>R1 </P><P>i have not posted the local aaa config. i am using acs server 3.3 trial version. </P><P></P><P>aaa authentication login cisco group tacacs+</P><P>aaa authoristion exec cisco group tacacs+</P><P>aaa authorisation commands 10 cisco group tacacs+</P><P></P><P>line vty 0 4</P><P>login authentication cisco</P><P>authorisation exec cisco </P><P>authorisation commands 10 cisco</P><P> </P><P>on the acs server </P><P></P><P>i have created user cisco</P><P></P><P>x shell</P><P>.priviledge level =10</P><P>x per user command authorization</P><P>unmatched cisco IOS command: deny</P><P>x command</P><P>show</P><P>arguments: permit ruuning-config</P><P>unlisted argument: deny</P><P></P><P>when this user logs in the router . he gets authenticated and authorised as privilege level 10 </P><P>but he cannot issue the command show running-config. is this because i am using a trial version.i am not sure abt it. </P><P></P><P>i am also not able to move commands to higher privilege levels . </P><P></P><P>i created a another user with privilege level 14 name john </P><P></P><P>x shell</P><P>.priviledge level =14</P><P>x per user command authorization</P><P>unmatched cisco IOS command: deny</P><P>x command</P><P>ping </P><P>arguments: </P><P>unlisted argument: deny</P><P></P><P>with this the ping command should not be available to the level 10 user but it is. the level 10 user is still able to issue the command. </P><P></P><P>can anyone pls help me with this configuration. </P><P></P><P>sebastan</P><P></P> Fri, 21 Feb 2020 18:15:17 GMT https://community.cisco.com/t5/network-access-control/problem-with-command-authorisation-with-acs/m-p/506401#M9140 sebastan_bach 2020-02-21T18:15:17Z https://community.cisco.com/t5/network-access-control/problem-with-command-authorisation-with-acs/m-p/506402#M9141 <HTML><HEAD></HEAD><BODY><P>This is happening because by default, all commands are either in level 1 or level 15. The "show runn" command is at level 15 by default. So, if the user is at level 10, he will not be able to execute the "sh runn" command. You need to move the "sh runn" command from existing level 15 to level 10 using the "privilege exec" command.</P></BODY></HTML> Fri, 07 Apr 2006 15:37:16 GMT https://community.cisco.com/t5/network-access-control/problem-with-command-authorisation-with-acs/m-p/506402#M9141 vkapoor5 2006-04-07T15:37:16Z https://community.cisco.com/t5/network-access-control/problem-with-command-authorisation-with-acs/m-p/506403#M9142 <HTML><HEAD></HEAD><BODY><P>hi thanks. yeah i tried that but it's still ain't working. someone told me that in acs command authorisation will not work for privilege level commands. that we cannot move the level 1 commands from one user to the other.say i have 2 users one at level 5 and other at level 7 . the ping command is available for both the users. so if i move the command from level 5 to level 7 then this command should only be to level 7 user. still level 5 users can execute ping command. i hope u understand the problem i am facing here. i can achieve this from local command authorisation on the router but not with acs server. waiting for ur reply.</P><P></P><P>sebastan </P></BODY></HTML> Sat, 08 Apr 2006 02:53:30 GMT https://community.cisco.com/t5/network-access-control/problem-with-command-authorisation-with-acs/m-p/506403#M9142 sebastan_bach 2006-04-08T02:53:30Z