
ACS-Shell command author. problem

d.sasso
Level 1

I have set up shell commands for the helpdesk to do basic viewing of the router. Is there a way to limit what they can do in config mode, and how do I configure that on the ACS? For instance, if I want the helpdesk to enable a port on a 3560 switch.

This is in the test router:

aaa new-model

aaa authentication login default group tacacs+ enable

aaa authorization exec default group tacacs+ none

aaa authorization commands 1 default group tacacs+ none

aaa authorization commands 15 default group tacacs+ none

Thanks in advance

1 Reply

gfullage
Cisco Employee

"aaa authorization commands ....." doesn't include authorization for commands done in config mode. To enable that add the command:

aaa authorization config-commands

Then add the "set port enable" (or whatever) command into the TACACS authorization profile on the ACS server just like any other command. Note that you'll have to allow them to get into config mode in the first place though.
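
An added example, not part of the reply above and not Cisco or ACS code: a small Python model of the behaviour described, showing which lines of a helpdesk session are checked against the command set with and without `aaa authorization config-commands`. The command set, the `interface` / `no shutdown` sequence used for enabling a port, and the session itself are assumptions constructed for illustration.

```python
import re

# Hypothetical helpdesk command set, modelled on a TACACS+ shell command
# authorization profile: command -> permitted argument patterns.
# Any command or argument not listed is denied (default deny).
HELPDESK_SET = {
    "show": [r".*"],
    "configure": [r"terminal"],
    "interface": [r"(Fast|Gigabit)Ethernet\d+/\d+"],
    "no": [r"shutdown"],
    "shutdown": [r""],
    "end": [r""],
    "exit": [r""],
}

def authorize(line, command_set=HELPDESK_SET):
    """Return True if the command line is permitted by the command set."""
    parts = line.split(None, 1)
    if not parts:
        return False
    cmd = parts[0]
    args = parts[1].strip() if len(parts) > 1 else ""
    patterns = command_set.get(cmd)
    if patterns is None:
        return False
    return any(re.fullmatch(p, args) for p in patterns)

def run_session(lines, config_commands_enabled, command_set=HELPDESK_SET):
    """Return (line, verdict) pairs for a session.

    Without 'aaa authorization config-commands', lines typed in config mode
    are not sent for authorization, so they are reported as 'unchecked'.
    """
    in_config, results = False, []
    for line in lines:
        if in_config and not config_commands_enabled:
            verdict = "unchecked"
        else:
            verdict = "permit" if authorize(line, command_set) else "deny"
        results.append((line, verdict))
        if line == "configure terminal" and verdict != "deny":
            in_config = True
        elif line == "end":
            in_config = False
    return results

# Constructed sample session: enable one port, then try an unrelated change.
SESSION = ["show interfaces status", "configure terminal",
           "interface FastEthernet0/5", "no shutdown", "hostname lab-sw1", "end"]
```
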