02-07-2011 04:39 AM - edited 03-10-2019 05:48 PM
Hi,
I have tried to create a restricted-access Shell Command Authorization Set on ACS as described at the Cisco URL.
After I applied the same to a user group, I found that the users in the group have complete access after typing conf t on the equipment. My ultimate aim was to restrict access to the interface level only. Attached are the config details. Has anyone come across such a scenario? Please check my config and let me know whether anything needs to be done, especially from my side.
Thanks in advance
Regards
Vineeth
02-08-2011 04:38 PM
You have missed this command in your configuration:
aaa authorization config-commands
Rgds, Jatin
Do rate helpful posts~
02-09-2011 11:51 PM
Hi Jatin,
First of all, thank you very much. It started working after aaa authorization config-commands.
Here I was trying to achieve one specific thing.
I want to stop the following command on ACS: "switchport trunk allowed vlan 103". I only want to allow "add" after "vlan" and block all the rest of the arguments.
But even after setting the filter on ACS, we are still able to execute the command. Is there anything like we cannot control the commands after the sub-commands?
Also I am attaching the filter list along with this. Could you have a look at this and let me know whether I have configured something wrongly? Other than this, is there any workaround available to achieve this?
Thanks and regards
Vineeth
02-10-2011 02:50 AM
In order to achieve the required result of denying the command:
"switchport trunk allowed vlan"
Command would be: switchport
Add this argument for the switchport command: deny trunk allowed vlan 103
And check the box which says "permit unmatched argument".
This way all other switchport commands will be allowed by default except the one which we have denied.
Rgds, Jatin
Do rate helpful posts~
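The two answers in this thread describe two separate gates: the IOS device only sends configuration-mode commands to ACS once `aaa authorization config-commands` is present, and ACS then evaluates the command against its shell command authorization set. The following added example (not from the thread or from Cisco) models both gates in Python so the rules can be tried against sample command lines; it assumes ACS 4.x semantics (first word selects the command entry, argument rules are regular expressions tried in order, "permit unmatched args" decides the rest) and also shows a variant set that permits only the "add" form Vineeth asked for.

```python
import re

# Constructed ACS shell command authorization sets. Assumed ACS 4.x semantics:
# the first word selects the command entry, each argument rule is a regular
# expression tried in order, and "permit unmatched args" decides the rest.
DENY_VLAN_103 = {                       # the set from the reply above
    "switchport": {
        "permit_unmatched_args": True,  # the "permit unmatched argument" checkbox
        "args": [("deny", r"^trunk allowed vlan 103$")],
    },
}
ONLY_ADD = {                            # variant: permit only "... vlan add ..."
    "switchport": {
        "permit_unmatched_args": True,  # other switchport commands still allowed
        "args": [
            ("permit", r"^trunk allowed vlan add "),
            ("deny", r"^trunk allowed vlan "),
        ],
    },
}


def acs_authorize(command_set, command_line, unmatched_commands="permit"):
    """Return True if the ACS command set would permit this command line."""
    words = command_line.split()
    if not words:
        return True
    entry = command_set.get(words[0])
    if entry is None:                   # command not listed in the set at all
        return unmatched_commands == "permit"
    argument = " ".join(words[1:])
    for action, pattern in entry["args"]:
        if re.search(pattern, argument):
            return action == "permit"
    return entry["permit_unmatched_args"]


def device_allows(command_set, command_line, in_config_mode, config_commands):
    """IOS side: without 'aaa authorization config-commands', commands typed in
    configuration mode are never sent to ACS, so they run regardless of the set."""
    if in_config_mode and not config_commands:
        return True
    return acs_authorize(command_set, command_line)


if __name__ == "__main__":
    cmd = "switchport trunk allowed vlan 103"
    print(device_allows(DENY_VLAN_103, cmd, True, False))  # True: the symptom reported
    print(device_allows(DENY_VLAN_103, cmd, True, True))   # False: denied by ACS
    print(acs_authorize(ONLY_ADD, "switchport trunk allowed vlan 104"))  # False
```

Note that the set from the reply denies only the literal "vlan 103" argument; any other VLAN number still passes under "permit unmatched args", which is why the ONLY_ADD variant lists the permit rule before a broader deny.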