ACS 5.2 Command set issue

Angus Bishop
Level 1
Level 1

Hi,

I had installed ACS 5.2 on VMware.

As per my requirement I need to configure a user with restricted privilege so that he should be able to execute only the commands below on the switch:

Show ver
Show interfaces
Show ip Interface Brief
Configure terminal
Interface <interface name>
Shutdown
No shutdown

The user should not be authorized to execute any commands other than the ones listed above.

After the configuration I was not able to restrict the config mode commands. Once the user is authorized for Configure terminal access he has full access on the device.

Please let me know how to configure the command set to only allow interface access, so that he is able to apply the Shutdown and No shutdown commands.

Please find the attached command set screenshot. (I tried disabling the IP Routing command, but the same was still getting authorized.)

Regards,

Angus

6 Replies

zhenningx
Level 4
Level 4

Did you also configure the appropriate aaa commands on the switch? Please paste the "show run | in aaa" output from the switch.

d1pol01978
Level 1
Level 1

I'm having exactly the same problem:

My aaa config:

aaa new-model
aaa authentication attempts login 10
aaa authentication login default group tacacs+ local
aaa authentication login LOC line local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ local if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common

Once I add permit configure terminal, the user can do "conf t" and then execute ANY commands.

Try adding the command:

aaa authorization config-commands

It works after adding:

"aaa authorization config-commands"

I cannot exec any "config mode" commands anymore.

Thanks a lot.

I would like to check: does this command set work only for telnet but not for console?

IOS devices are designed not to be affected by authorization on the console port; to enable authorization on the console you need:

aaa authorization console

Make sure that you have full access from a remote connection before trying this command, or you may get locked out if it's not properly configured.

Let me know if it helps.
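As an added audit check (not code from the thread or from Cisco), the script below runs over a "show run | in aaa" output and reports the two gaps discussed above: command authorization configured without `aaa authorization config-commands` (so commands after "conf t" bypass the command set) and without `aaa authorization console`. The sample input is constructed from the config pasted earlier in the thread; the finding codes and the assumption that absence of these lines in the output is meaningful are my own.

```python
import re

# Constructed sample: the "show run | in aaa" output pasted earlier in this thread.
SAMPLE_AAA_CONFIG = """\
aaa new-model
aaa authentication attempts login 10
aaa authentication login default group tacacs+ local
aaa authentication login LOC line local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ local if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
"""


def audit_aaa_authorization(config_text):
    """Return a list of (code, message) findings for command-authorization gaps.

    The codes are hypothetical labels chosen for this example.
    """
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    findings = []

    # Collect the privilege levels that have 'aaa authorization commands <level>'.
    cmd_levels = []
    for line in lines:
        m = re.match(r"aaa authorization commands (\d+) ", line)
        if m:
            cmd_levels.append(int(m.group(1)))
    if not cmd_levels:
        findings.append(("NO_COMMAND_AUTHZ",
                         "no 'aaa authorization commands <level>' line: command authorization is off"))
        return findings  # the remaining checks only matter once command authorization exists

    if 15 not in cmd_levels:
        findings.append(("NO_LEVEL_15", "privilege level 15 is not covered by command authorization"))
    # Assumption from the thread: without this line, commands typed after
    # 'configure terminal' are not sent to TACACS+ and so bypass the command set.
    if "aaa authorization config-commands" not in lines:
        findings.append(("NO_CONFIG_COMMANDS",
                         "missing 'aaa authorization config-commands': config-mode commands bypass the command set"))
    if "aaa authorization console" not in lines:
        findings.append(("NO_CONSOLE_AUTHZ",
                         "missing 'aaa authorization console': console sessions are not subject to authorization"))
    return findings


if __name__ == "__main__":
    for code, message in audit_aaa_authorization(SAMPLE_AAA_CONFIG):
        print(f"FINDING {code}: {message}")
```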
