Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
651
Views
0
Helpful
1
Replies

ACS and AAA deny statements

benthomas
Level 1
Level 1

‎01-17-2006 03:44 AM - edited ‎03-10-2019 02:26 PM

I have 1 Windows box running ACS and four 7505 routers configured with AAA commands. Authentication is working fine on the routers via the ACS server. Now I need to deny certain commands like "DEBUG" to certain users without taking off their administrative rights. How can I achieve this?

Labels:
0 Helpful
1 Reply 1

darpotter
Level 5
Level 5

‎01-17-2006 05:57 AM

Hi

there are many ways to achieve this, but the *correct* and most scalable is to enable command authorisation on your devices.

In ACS create some groups based on the permissions levels each group should have.

In the groups enable the shell (exec) service.

At this point you can either list the denied commands for certains groups right in the group edit page itself.

Alternatively, you can created Device Command Sets in the share profiles UI. These are more flexible because inside a single group you cap map to different DCSs based on the device being managed (either by device ip or by network device group)

Its all there in the ACS docs!

Good luck.

0 Helpful
Customers Also Viewed These Support Documents