ACS 3.3 Config Command Authorization

bpotschien
Level 1

Hi,

I want to allow a user only to add/remove routes on a router. The shell command authorization works fine. But when the user is in config mode, he can start any command!

The debug says:

1w2d: AAA/AUTHOR: config command authorization not enabled

How can I enable this and how/where can I configure it on the ACS?

Thanks in advance

Accepted Solutions

gfullage
Cisco Employee

On ACS just allow the user to enter the "route" command like you have any other shell command they're allowed to do.

On the router/NAS, you have to tell it specifically that you want authorization for config commands with the following:

aaa authorization config-commands

Note that the format of this command changes slightly on different IOS versions, but if you do "aaa authorization ?" you'll be able to figure it out.
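
A router-side configuration showing where the command from the answer fits alongside ordinary command authorization, as an added example that is not part of the original posts. The server address, the key placeholder and the `local` fallback method are assumptions, and as the answer notes, the exact syntax varies by IOS version.

```cisco
! Added example, not from the original thread.
! 192.0.2.10 and <SHARED-SECRET> are constructed placeholders for the ACS
! server and its TACACS+ key; "local" is an assumed fallback method.
aaa new-model
!
tacacs-server host 192.0.2.10 key <SHARED-SECRET>
!
! Log in and start the exec session through ACS, falling back to the
! local user database if ACS cannot be reached.
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
!
! Send exec-mode commands at privilege levels 1 and 15 to ACS for
! authorization. With only these lines, the router is in the state the
! question describes: shell commands are checked, config-mode commands
! are not ("config command authorization not enabled" in the debug).
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
! The command from the answer: also send configuration-mode commands
! to ACS, so the shell command authorization set applies there too.
aaa authorization config-commands
```

Keep an existing privileged session open while applying this and test with a second login, so a mistake in the ACS command set does not lock you out of config mode.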
