Solved: ACS 5.3 Shell Command Set

siangyankhoo · ‎05-31-2012

Hi all,

Currently i deploy a ACS 5.3 at customer site. The issue i face currently is some command sets no able to deny. Example like below:

i want to deny the AD user with priviledge level 15 to change the enable secret password and delete the enable secret password.

the command i issue at below:

deny enable secret -> working

deny no enable secret -> no working

Anyone got idea to make the no working argument become working?

mauzamor · ‎05-31-2012

Hi there,

I just did a test in my ACS using your requirements and it worked fine, check below my configuration it may help you:

I am using the following AAA commands:

Switch(config)#do sh run | i aaa

aaa new-model

aaa authentication login default group tacacs+ local

aaa authorization config-commands

aaa authorization exec default group tacacs+ local

aaa authorization commands 0 default group tacacs+ if-authenticated

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa session-id common

Switch(config)#

Rate if it helps!

mauzamor · ‎05-31-2012