Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
724
Views
0
Helpful
3
Replies

ACS 4.1 Shell command Authorization set - VLAN configuration

Go to solution
Richard Rowe
Level 1
Level 1

‎03-26-2014 07:51 AM - edited ‎03-10-2019 09:34 PM

I am looking to limit certain users on which VLANs they can set on switch ports.  I have the following configured on the command "switchport":

 

deny access vlan 11
permit access vlan 10
permit access vlan 13
permit access vlan 40
permit access vlan 50
permit access vlan 60
permit access vlan 101

 

But it is still allowing "switchport access vlan 11" to be a viable command on that group.  I do not have "permit unmatched args" checked and I have the "Unmatched Commands" set to deny.  It's as if the "switchport access" portion is being acknowledged but the rest is ignored.  Can you only put a single argument per command?  If that is the case, I tried adding a command of "vlan" and limiting it similarly to deny 11 and allow the rest, but that also didn't work.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee

‎03-26-2014 08:21 PM

Since you already have "unmatched commads" set to DENY and "permit unmatched args" is uncheceked than you don't need explicit "deny access vlan 11". Can you remove it from there and try again.

In case it doesn't work, please get following information:

debug aaa authen

debug aaa autho

debug tacacs

Login to ACS > reports and activities > tacacs administration > check what format of the command coming there.

 

Regards,

Jatin Katyal

*Do rate helpful posts*

~Jatin

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee

‎03-26-2014 08:21 PM

Since you already have "unmatched commads" set to DENY and "permit unmatched args" is uncheceked than you don't need explicit "deny access vlan 11". Can you remove it from there and try again.

In case it doesn't work, please get following information:

debug aaa authen

debug aaa autho

debug tacacs

Login to ACS > reports and activities > tacacs administration > check what format of the command coming there.

 

Regards,

Jatin Katyal

*Do rate helpful posts*

~Jatin
0 Helpful

Go to solution
Richard Rowe
Level 1
Level 1
In response to Jatin Katyal

‎03-27-2014 04:54 AM

Ahh gezz, I found the problem after doing the debugs - some of my AAA configuration was missing from the particular switch I was having an issue with.

Thanks for the reply though.  Wouldn't have known the right debugging to try so that helps for future troubleshooting.

0 Helpful

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee
In response to Richard Rowe

‎03-27-2014 06:57 AM

No worries. Keep posting.

 

Regards,

Jatin Katyal

*Do rate helpful posts*

~Jatin
0 Helpful
Customers Also Viewed These Support Documents