ACS 5.2 Command set issue

Angus Bishop
Level 1

Hi,

I had installed ACS 5.2 on VMware.

As per my requirement, I need to configure a user with restricted privilege so that he is able to execute only the commands below on the switch.

Show ver
Show interfaces
Show ip Interface Brief
Configure terminal
Interface <interface name>
Shutdown
No shutdown

The users should not be authorized to execute any commands other than the ones listed above.

After the configuration, I was not able to restrict the config mode commands. Once the user is authorized for Configure terminal access, he has full access on the device.

Please let me know how to configure the command set to allow only interface access, so that he is able to apply the Shutdown and No shutdown commands.

Please find the attached command set screenshot. (I tried disabling the IP Routing command, but the same was still getting authorized.)

Regards,

Angus

6 Replies

zhenningx
Level 4

Did you also configure the appropriate aaa commands on the switch? Please paste the "show run | in aaa" output from the switch.

d1pol01978
Level 1

I'm having exactly the same problem:

My aaa config:

aaa new-model
aaa authentication attempts login 10
aaa authentication login default group tacacs+ local
aaa authentication login LOC line local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ local if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common

Once I add permit configure terminal, the user can do "conf t" and then execute ANY commands.

Try to add the command:

aaa authorization config-commands

It works after adding:

"aaa authorization config-commands"

I cannot execute any "config mode" commands anymore.

Thanks a lot.

I would like to check: does this command set work only for telnet but not for the console?

IOS devices are designed not to be affected by authorization on the console port; to enable authorization on the console you need:

aaa authorization console

Make sure that you have full access from a remote connection before trying this command, or you may get locked out if it is not properly configured.

Let me know if it helps.
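As an added illustration, not code from this thread or from Cisco, the following Python script models the two decisions the replies above turn on: whether IOS sends a typed command to TACACS+ at all (governed by `aaa authorization commands <level>`, `aaa authorization config-commands` and `aaa authorization console`, each treated here as a simple switch), and whether an ACS 5.x-style command set then permits it. The command-set matching (first keyword plus a regular expression over the arguments, default deny unless "permit any unlisted command" is set) is a simplified approximation of ACS behaviour; the `Rule`, `CommandSet` and `AaaConfig` classes, the regexes and the sample command lines are my own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class Rule:
    """One row of an ACS-style command set (constructed model, not ACS code)."""
    grant: str       # "permit" or "deny"
    command: str     # first keyword of the line, e.g. "show"
    arguments: str   # regex that must match the whole argument string ("" = no arguments)


@dataclass
class CommandSet:
    rules: List[Rule]
    permit_unlisted: bool = False  # ACS "Permit any command that is not in the table below"

    def authorize(self, line: str) -> bool:
        """Return True if the command set permits this command line."""
        words = line.split()
        if not words:
            return True
        cmd, args = words[0].lower(), " ".join(words[1:])
        for rule in self.rules:  # first matching row wins (model assumption)
            if rule.command == cmd and re.fullmatch(rule.arguments, args, re.IGNORECASE):
                return rule.grant == "permit"
        return self.permit_unlisted


@dataclass
class AaaConfig:
    """The switch-side aaa authorization knobs from the thread, as booleans."""
    command_levels: Set[int] = field(default_factory=lambda: {1, 15})  # aaa authorization commands <lvl>
    config_commands: bool = False   # aaa authorization config-commands
    console: bool = False           # aaa authorization console

    def queries_server(self, *, privilege: int, config_mode: bool, console_line: bool) -> bool:
        """Would IOS send this command to TACACS+ for authorization at all?"""
        if console_line and not self.console:
            return False  # console lines are exempt unless 'aaa authorization console' is set
        if privilege not in self.command_levels:
            return False  # no 'aaa authorization commands <level>' for this privilege level
        if config_mode and not self.config_commands:
            return False  # config-mode commands are never checked: the symptom in the thread
        return True


def command_allowed(aaa: AaaConfig, cs: CommandSet, line: str, *,
                    privilege: int = 15, config_mode: bool = False,
                    console_line: bool = False) -> bool:
    """True if the switch would execute the line, either unchecked or after ACS permits it."""
    if not aaa.queries_server(privilege=privilege, config_mode=config_mode,
                              console_line=console_line):
        return True  # the server was never asked, so the command runs
    return cs.authorize(line)


# Command set built from the original post's list (sample rules with my own regexes).
RESTRICTED = CommandSet(rules=[
    Rule("permit", "show", r"version"),
    Rule("permit", "show", r"interfaces.*"),
    Rule("permit", "show", r"ip interface brief"),
    Rule("permit", "configure", r"terminal"),
    Rule("permit", "interface", r"\S+"),
    Rule("permit", "shutdown", r""),
    Rule("permit", "no", r"shutdown"),
])


if __name__ == "__main__":
    before = AaaConfig()                     # posted config: no 'aaa authorization config-commands'
    after = AaaConfig(config_commands=True)  # after the fix suggested in the thread
    samples = (("show ip interface brief", False), ("ip routing", True), ("no shutdown", True))
    for label, aaa in (("before", before), ("after", after)):
        for line, cfg in samples:
            verdict = "allowed" if command_allowed(aaa, RESTRICTED, line, config_mode=cfg) else "denied"
            print(f"{label:6} {'(config)' if cfg else '(exec)  '} {line!r:28} -> {verdict}")
```

Running the script reproduces the symptom: with the posted aaa configuration, "ip routing" in config mode is executed because the switch never consults ACS for config-mode commands, while exec-mode commands such as "show running-config" are still denied. With config-commands authorization on, only the listed commands pass, and the console exemption shows why the same user is unrestricted on the console port until `aaa authorization console` is added. The model ignores the `local` and `if-authenticated` fallback methods in the posted config, and a real default-deny command set also needs rows for commands such as exit and end, which the original list omits.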