Hello all,
I have set up an ACS 5.1 system and a Cisco 3560 as a test device. On the ACS system I have defined a user that will have limited access to Cisco CLI commands (privilege 15 through Shell Profile and limited commands through Command Sets). While this is working great for commands run under enable mode (meaning that the authorization denied the commands that I've specified in the Command Sets), it seems that it's not working under configure mode (e.g. I have denied commands like "router ospf", "router bgp", but the user can still apply them).
I've already searched this forum and found 2 posts:
https://supportforums.cisco.com/thread/2041611
https://supportforums.cisco.com/message/3057298
that suggest to have the AAA configured with:
aaa authorization config-commands
I already have this command and it still doesn't work. Actually my entire AAA config looks like this:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
Did I miss something? Do you have any suggestions for me?
Thank you!
Calin