acs 5.2 command sets permit all commands except...

I have everything working on a new 5.2 ACS but:

I can only make a command set that permits things and denies all.

I thought with the check box "Permit any command that is not in the table below" one could allow all and specifically deny commands.

I could add for instance:

Check "Permit any command that is not in the table below"

deny conf

deny set

and that would allow the user to do all commands except for conf and set. But it doesn't seem to administratively block it; it allows them to still "conf" for instance.

Yet if I:

Uncheck "Permit any command that is not in the table below"

and say

permit show

permit exit

Then it works as expected: it allows the commands that are permitted and denies all unspecified commands.

I know I am in the right command set because the changes I make are reflected immediately.

Can someone test the "Permit any command that is not in the table below" and tell me if it works? I can make it work with the unchecked box, sure, but it would be nice to get it to work.

Yudong Wu
Rising star

If it is a command in config mode, you might need to enable "authorization config-commands" on your Cisco router/switch.

If I remember correctly, this command is disabled by default, so commands in config mode won't be sent to ACS for authorization.


The example says I should be able to put that at the end. However, when I paste it in, it always goes to the top:

aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+
aaa authorization commands 15 groups group tacacs+ none

I don't know if that is the problem, but right now it exhibits the same behaviour, that the table should be allowing things which should be

Is there a trick to get it to go after "aaa authorization commands" or does it matter?

Okay figured it out.

I was using the short name like "conf" for configure. Except the parser obviously wants the whole name "configure", because that is what is returned back in TACACS.

That makes sense, although a note in the docs saying how the commands are matched, or whether regular expressions can be used, would be nice.
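The behaviour worked out in this thread, as an added model that is not part of the original posts and not Cisco's code: the IOS parser expands the abbreviated keyword ("conf" becomes "configure") before building the TACACS+ authorization request, so a deny row for "conf" never matches and the "Permit any command that is not in the table below" box lets the command through. The model also shows why a command typed inside config mode is never seen by ACS unless `aaa authorization config-commands` is on. The keyword table, the rule shape (grant, command, args regex) and the exact-match-on-command / regex-on-arguments rule are assumptions for illustration, not a description of the ACS 5.2 matching engine.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed stand-in for the IOS parser's keyword table (assumption): the operator
# types "conf t", but the device sends the expanded keyword "configure" to ACS.
IOS_KEYWORDS = ["clear", "configure", "copy", "exit", "set", "show"]


@dataclass
class CommandSet:
    """One ACS-style command set: the checkbox plus the table rows.

    rules are (grant, command, args_regex) with grant "permit" or "deny".
    Matching the command name as a whole word and the arguments as a regex is
    an assumption made for this example, not taken from the thread or the docs.
    """
    permit_unmatched: bool                      # "Permit any command that is not in the table below"
    rules: List[Tuple[str, str, str]] = field(default_factory=list)


def ios_expand(typed: str) -> str:
    """Expand the first keyword the way the parser does before the request is built."""
    first, _, rest = typed.strip().partition(" ")
    hits = [k for k in IOS_KEYWORDS if k.startswith(first.lower())]
    if len(hits) != 1:
        raise ValueError(f"unknown or ambiguous keyword: {first!r}")
    return f"{hits[0]} {rest}".strip()


def match_rule(cmdset: CommandSet, command: str) -> str:
    """Evaluate the expanded command against the table rows, then the checkbox."""
    name, _, args = command.partition(" ")
    for grant, rule_cmd, args_re in cmdset.rules:
        # Whole-word comparison: a row for "conf" never matches "configure".
        if rule_cmd.lower() == name.lower() and re.fullmatch(args_re, args):
            return grant
    return "permit" if cmdset.permit_unmatched else "deny"


def authorize(typed: str, cmdset: CommandSet, in_config_mode: bool = False,
              config_commands_authz: bool = False) -> Tuple[str, str]:
    """Return (decision, reason) for a command typed on the device."""
    if in_config_mode and not config_commands_authz:
        # Without 'aaa authorization config-commands' the device never asks ACS.
        return "permit", "not sent to ACS (config-commands authorization off)"
    sent = ios_expand(typed)
    return match_rule(cmdset, sent), f"ACS saw {sent!r}"


# The three command sets from the thread (constructed to mirror the posts).
BROKEN = CommandSet(True, [("deny", "conf", ".*"), ("deny", "set", ".*")])
FIXED = CommandSet(True, [("deny", "configure", ".*"), ("deny", "set", ".*")])
ALLOWLIST = CommandSet(False, [("permit", "show", ".*"), ("permit", "exit", ".*")])

if __name__ == "__main__":
    for label, cs in (("deny conf", BROKEN), ("deny configure", FIXED), ("allowlist", ALLOWLIST)):
        for cmd in ("conf t", "show run", "exit"):
            print(f"{label:15} {cmd:10} -> {authorize(cmd, cs)}")
    print("config-mode 'set' w/o config-commands:", authorize("set foo", FIXED, True, False))
    print("config-mode 'set' with config-commands:", authorize("set foo", FIXED, True, True))
```

The first loop reproduces the thread: with the box checked and a "deny conf" row, "conf t" is permitted because ACS compares "configure" against "conf"; renaming the row to "configure" denies it, and the unchecked allowlist denies everything but show and exit. The last two lines show the separate point from the reply about `aaa authorization config-commands`.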
