ACS Shell Command Authorization Set + restricted Access

vineethmohan
Level 1

Hi,

I have tried to create a restricted-access Shell Command Authorization Set on ACS as described in the Cisco URL

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

After I applied it to a user group, I found that the users in the group have complete access after typing conf t on the equipment. My ultimate aim was to restrict the access to the interface level only. Attached are the config details. Has anyone come across such a scenario? Please check my config and let me know if anything needs to be done from my side.

Thanks in advance

Regards

Vineeth

3 Replies

Jatin Katyal
Cisco Employee

You have missed this command in your configuration:

aaa authorization config-commands

Rgds, Jatin

Do rate helpful posts~

~Jatin

Hi Jatin,

First of all, thank you very much. It started working after aaa authorization config-commands.

Here I was trying to achieve one specific thing.

I want to stop the following command on ACS: "switchport trunk allowed vlan 103". I only want to allow "add" after "vlan" and block all the other arguments.

But even after setting the filter on ACS we are still able to execute the command. Is there anything like we cannot control the commands after the sub-commands?

Also I am attaching the filter list along with this. Could you have a look at this and let me know whether I have configured something wrongly? Other than this, is there any workaround available to achieve this?

Thanks and Regards

Vineeth

In order to achieve the required result of denying the command:

"switchport trunk allowed vlan "

Command would be: switchport

Add this argument for the switchport command: deny trunk allowed vlan 103

And check the box which says "permit unmatched argument".

This way all other switchport commands will be allowed by default except the one which we have denied.

Rgds, Jatin

Do rate helpful posts~

~Jatin
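A small model of the two points made in the replies, as an added example that is not code from this thread, from Cisco, or from ACS itself. It is a simplified, assumed version of how IOS and ACS evaluate a command line: without aaa authorization config-commands, config-mode commands are never sent to the server; on the server, the first word is the command, the remainder is matched first-match against per-command permit/deny patterns, and a per-command "permit unmatched args" flag plus an assumed set-level "unmatched commands" default decide the rest. The policies are constructed: one mirrors Jatin's suggestion, the stricter one allows only "add" after "vlan" as Vineeth asked.

```python
import re
from dataclasses import dataclass, field


@dataclass
class CommandRule:
    """One command entry of a shell command authorization set (assumed model)."""
    command: str                                  # e.g. "switchport"
    args: list = field(default_factory=list)      # [(action, regex), ...], first match wins
    permit_unmatched_args: bool = False           # the "permit unmatched argument" checkbox


@dataclass
class AuthzSet:
    rules: list
    permit_unmatched_commands: bool = False       # assumed set-level default


def authorize(authz: AuthzSet, cmd_line: str, config_mode: bool,
              config_commands_enabled: bool) -> bool:
    """Return True if the command line would run."""
    # Point from the first reply: without 'aaa authorization config-commands'
    # IOS never asks the server about config-mode commands, so they run unchecked.
    if config_mode and not config_commands_enabled:
        return True
    words = cmd_line.split()
    if not words:
        return True
    command, argument = words[0], " ".join(words[1:])
    for rule in authz.rules:
        if rule.command != command:
            continue
        for action, pattern in rule.args:          # first matching pattern decides
            if re.fullmatch(pattern, argument):
                return action == "permit"
        return rule.permit_unmatched_args          # no pattern matched
    return authz.permit_unmatched_commands         # command not in the set at all


# Constructed policy mirroring the second reply: deny exactly one argument string,
# permit every other switchport argument.
POLICY = AuthzSet([CommandRule("switchport",
                               [("deny", r"trunk allowed vlan 103")],
                               permit_unmatched_args=True)])

# Constructed stricter policy for Vineeth's actual goal: only "add" may follow "vlan";
# any other "trunk allowed vlan ..." form is denied, other switchport arguments pass.
STRICT_POLICY = AuthzSet([CommandRule("switchport",
                                      [("permit", r"trunk allowed vlan add .*"),
                                       ("deny", r"trunk allowed vlan .*")],
                                      permit_unmatched_args=True)])
```

Because only the argument string in the deny line is matched, POLICY still lets "switchport trunk allowed vlan 104" through; STRICT_POLICY shows the pattern-based form that closes that gap.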