09-23-2012 06:53 AM - edited 03-10-2019 07:34 PM
Hi everyone,
I'm trying to configure a shell command set such that all commands (including under conf t mode) will be allowed, except for administrative commands, such as write, copy, admin, format etc.
It's been working for (most) privileged mode commands (such as write and copy) but has been unsuccessful for any command under conf t mode. It's important in order to prevent the users from performing 'do write' and 'do copy run start' commands, for example.
Here's the input of the shell command authorization set (Partial_access):
Unmatched Commands: permit
Command list:
admin
copy
delete
do
format
write
Group settings (relevant):
V - Shell (exec)
V Privilege level - 15
Shell Command Authorization Set
Assign a Shell Command Authorization Set for any network device - Partial_access (group's name)
I'm using CiscoSecure ACS version 4.2 (0)
Thanks,
Lior
09-23-2012 10:48 AM
Hi Lior ,
Please make sure that you typed the following command on the AAA client:
aaa authorization config-commands
Please post your AAA client configuration via "sh run | i aaa" and, if possible, your privilege configuration.
HTH
09-23-2012 10:32 PM
Hi Hussam,
Thanks a lot! That solved the problem
Lior
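An added example, not part of the original thread and not Cisco tooling: a small Python check that reads "sh run | i aaa" output and reports whether the line from the accepted answer is present. The sample outputs are constructed, and the function name audit_aaa and the default of privilege level 15 (taken from the question's group settings) are assumptions of this example.

```python
import re

# Constructed sample of "sh run | i aaa" output (not from the thread):
# level-15 command authorization is on, but the config-commands line is absent.
SAMPLE_BEFORE = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa session-id common
"""

# Same constructed output after applying the accepted answer.
SAMPLE_AFTER = SAMPLE_BEFORE + "aaa authorization config-commands\n"


def audit_aaa(show_run_output, privilege_level=15):
    """Return a list of findings; an empty list means all checks passed."""
    lines = [ln.strip().lower() for ln in show_run_output.splitlines() if ln.strip()]
    findings = []

    if "aaa new-model" not in lines:
        findings.append("aaa new-model is missing")

    # Commands at the group's privilege level must go to a server group,
    # otherwise the ACS shell command authorization set is never consulted.
    cmd_re = re.compile(r"^aaa authorization commands (\d+) \S+ .*\bgroup\b")
    levels = {int(m.group(1)) for ln in lines if (m := cmd_re.match(ln))}
    if privilege_level not in levels:
        findings.append(
            f"no 'aaa authorization commands {privilege_level}' using a server group"
        )

    # Exact match, so a negated "no aaa authorization config-commands" line
    # is also reported as missing.
    if "aaa authorization config-commands" not in lines:
        findings.append(
            "'aaa authorization config-commands' is missing: "
            "commands under conf t may not be sent for authorization"
        )
    return findings


if __name__ == "__main__":
    for name, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, audit_aaa(text) or "OK")
```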