ACS 5.5 Group Authorization

Sergio_Garcia
Level 1
Good morning people,

I need some help with command authorization for certain groups in ACS. The scenario is below:

I have two groups with privilege level 15, namely:

ACS_TACACS_NOC and ACS_TACACS_OPER.

- The ACS_TACACS_OPER group has full access to execute all commands on the router / switch.

- For the ACS_TACACS_NOC group, I only want it to have access via the configure terminal command, the interface sub-command, and within the interface sub-command (for example interface gi0/0) it is only allowed to execute the following commands:

- shutdown
- no shutdown

Scenario that should occur - permitted:

Router# configure terminal
Router(config)# interface gi0/0
Router(config-if)# shut
Router(config-if)# no shut

Scenarios that should not occur - denied:

Router(config)# interface gi0/0
Router(config-if)# description xxxxx
Authorization failed

Or

Router(config)# router ospf | bgp | or any other command
Authorization failed.

 
That is, the remaining commands are denied within the configuration mode implicitly.
 
Is it possible to restrict in this way? If so, how do I do it?
 
Thank you.
 
Sérgio Garcia
3 Replies

Francesco Molino
VIP Alumni

Hi

 

First of all, in your authorization policy, you need to uncheck the box "Permit any command that is not listed below" which means all commands not configured will be denied.

 

Then you can add permit for command interface without any arguments. If you want to specify only specific interfaces, you can add a regex argument like GigabitEthernet 0/[0-3] if you want to give access to interface g0/0, g0/1, g0/2 and g0/3.

Then you can add a line with permit shut and another with permit command no and argument shut.

 

After building up this authz policy, commands like router [ospf|bgp|...] and description aren't present, so no authz is granted for those.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
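To see how a deny-unlisted command set behaves against the exact commands from the original question, here is an added Python model of command-set evaluation. It is not ACS code and is not from either poster. It assumes the device sends each command to the TACACS+ server already expanded (so "shut" arrives as "shutdown" and "gi0/0" as "GigabitEthernet0/0"), treats the argument field as an anchored regular expression, uses first-match evaluation (a simplification of the real ACS 5.x rule precedence), and adds a permit row for "configure terminal" because that command is also subject to authorization at privilege 15. The command set names, rule rows and the sample session are constructed for illustration only.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class CommandRule:
    """One row of a command set (hypothetical model, not an ACS API)."""
    grant: str        # "permit" or "deny"
    command: str      # command keyword as the device sends it, e.g. "interface"
    args: str = ""    # regex over the argument string; "" matches any arguments


@dataclass
class CommandSet:
    rules: List[CommandRule]
    # Models the "Permit any command that is not listed below" checkbox.
    permit_unlisted: bool = False


def authorize(cs: CommandSet, command: str, args: str = "") -> Tuple[bool, str]:
    """Return (allowed, reason) for one command authorization request.

    Simplification: the first matching rule wins. The command keyword must
    match exactly (case-insensitive) and the argument regex must match the
    whole argument string (assumption: anchored match).
    """
    for rule in cs.rules:
        if rule.command.lower() != command.lower():
            continue
        if rule.args == "" or re.fullmatch(rule.args, args, re.IGNORECASE):
            return rule.grant == "permit", f"rule: {rule.grant} {rule.command} {rule.args!r}"
    if cs.permit_unlisted:
        return True, "no rule matched; unlisted commands are permitted"
    return False, "no rule matched; unlisted commands are denied"


# Constructed command set for the NOC group: deny everything not listed.
# Assumption: the device sends expanded keywords, so the rows use "shutdown"
# rather than the abbreviation "shut", and the interface regex uses the
# expanded interface name without a space.
NOC = CommandSet(
    rules=[
        CommandRule("permit", "configure", r"terminal"),
        CommandRule("permit", "interface", r"GigabitEthernet0/[0-3]"),
        CommandRule("permit", "shutdown"),
        CommandRule("permit", "no", r"shutdown"),
    ],
    permit_unlisted=False,
)

# Constructed command set for the OPER group: no rows, checkbox left ticked.
OPER = CommandSet(rules=[], permit_unlisted=True)

# Constructed sample session as (command, arguments) pairs, the way a TACACS+
# command authorization request carries them after the device expands them.
SESSION = [
    ("configure", "terminal"),
    ("interface", "GigabitEthernet0/0"),
    ("shutdown", ""),
    ("no", "shutdown"),
    ("description", "xxxxx"),
    ("router", "ospf 1"),
    ("no", "description"),
    ("interface", "GigabitEthernet0/5"),
]


def evaluate(cs: CommandSet, session) -> List[Tuple[str, bool]]:
    """Authorize each command of a session; returns (command line, allowed)."""
    return [(f"{cmd} {args}".strip(), authorize(cs, cmd, args)[0]) for cmd, args in session]


if __name__ == "__main__":
    for name, cs in (("NOC", NOC), ("OPER", OPER)):
        print(f"== {name} ==")
        for cmd, args in SESSION:
            allowed, reason = authorize(cs, cmd, args)
            print(f"{'PERMIT' if allowed else 'DENY  '} {cmd} {args}".rstrip(), "|", reason)
```

Running it prints one line per command in the sample session with the decision and the rule that produced it. The "no description" and "interface GigabitEthernet0/5" lines show the two edge cases worth checking when you build the real policy: a "no" row only covers the argument its regex names, and the interface regex rejects an interface outside the permitted range. The same session evaluated against the OPER set permits everything, which is exactly the effect of leaving the "Permit any command that is not listed below" box ticked.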

Hi, Francesco Molino

Thanks for the help, I will try to do that.

Sérgio Garcia

You're welcome. Let me know your test results.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question