06-10-2011 04:30 AM - edited 03-10-2019 06:09 PM
I am trying to create a user so that I can allow him only to run show commands, nothing else.
1) Created a user in ACS
2) Created a Shell Command Authorization Set - ReadOnly
Unmatched Commands - Deny
Commands Added
show
exit
3) Created a group - HelpDesk with the following TACACS+ Settings
Shell (exec) is checked
Privilege level is checked with 15 as the assigned level
Assign a Shell Command Authorization Set for any network device - selected
ReadOnly - shell command authorization set selected
I have configured following on my router
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
But still the user can run config t and other commands. Can someone help me fix this?
06-10-2011 04:38 AM
Hi,
Can you check the user authorization profile? is it inherited from the group?
Hope this helps.
Regards,
Anisha
P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.
06-10-2011 04:42 AM
Sorry, I am a bit new; where can I check this?
Can you check the user authorization profile?
You mean
Group to which the user is assigned:
If that is the case, we have assigned it to the correct group.
06-10-2011 05:45 AM
hi,
Yes. So does the user inherit the authorization profile from the group, or does it not?
Regards,
Anisha
P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.
06-10-2011 05:50 AM
Thanks for your help
So does the user inherit the authorization profile from the group or it does not?
Yes, but as I said before, the Shell Command Authorization Set is not working and the user can access the conf t command. I only want to allow them the show commands which I have configured (explained in the first post).
06-10-2011 05:59 AM
Hi,
I am trying to figure what might be the case. Hence asking you the question.
Which option is checked in the
is it Group?
The configuration seems fine to me. Just for one more confirmation, can you please check if the configuration is as per the link:
Regards,
Anisha
P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.
06-10-2011 06:01 AM
is it Group?
Yes it is
The same link I followed for my config setup.
06-10-2011 07:04 AM
Hmmm... OK. So what do the TACACS Administration logs say when you log in and try the "config t" command? i.e. Reports and Activity > TACACS+ Administration > Active.
Regards,
Anisha
P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.
06-12-2011 08:38 AM
Looks like the user is not getting mapped to the respective group, or the user is also configured for a shell command authorization set that is taking precedence over the group's.
Run the following debugs on the IOS device
debug tacacs
debug aaa authen
debug aaa autho
term mon
Run the "config t" command; in the ACS logs, look for the group you are getting mapped to and match it with the group name you want it to map to.
Rgds, Jatin
Do rate helpful posts-
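The two failure modes discussed in this thread (the first post's ReadOnly set that should deny "configure terminal", and Jatin's point that a user-level set or a missing group mapping changes the outcome) can be reasoned about with a small model of how an ACS-style Shell Command Authorization Set evaluates a TACACS+ command-authorization request. The following Python is an added example written for this page, not code from Cisco ACS or from anyone in the thread. It assumes the ACS 4.x semantics: the first word of the command is matched against the set's command list, the remaining words are matched in order against that command's permit/deny regex rules, the per-command "Permit Unmatched Args" checkbox decides arguments that match no rule, the set-level "Unmatched Commands" choice decides commands not in the list, a per-user set overrides the group's set, and a request with no set applied is permitted. It also assumes IOS sends the expanded command words ("configure terminal", not "conf t").

```python
# Added example: model of TACACS+ shell command authorization as an ACS-style
# Shell Command Authorization Set evaluates it. Assumptions are noted inline.
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class CommandEntry:
    """One command in the set: first token plus ordered (action, regex) argument rules."""
    command: str
    arg_rules: List[Tuple[str, str]] = field(default_factory=list)  # action is "permit" or "deny"
    permit_unmatched_args: bool = False  # the per-command "Permit Unmatched Args" checkbox


@dataclass
class CommandAuthSet:
    name: str
    entries: Dict[str, CommandEntry]
    permit_unmatched_commands: bool = False  # "Unmatched Commands - Deny" -> False

    def authorize(self, cmd_line: str) -> Tuple[bool, str]:
        """Return (permitted, reason) for one command-authorization request."""
        tokens = cmd_line.split()
        if not tokens:
            return False, "empty command"
        entry = self.entries.get(tokens[0])
        if entry is None:
            verdict = self.permit_unmatched_commands
            return verdict, f"'{tokens[0]}' not in set {self.name}; unmatched commands {'permitted' if verdict else 'denied'}"
        args = " ".join(tokens[1:])
        if not args:
            return True, f"'{tokens[0]}' matched with no arguments"
        # Argument rules are evaluated in order; first match wins (assumption: ACS semantics).
        for action, pattern in entry.arg_rules:
            if re.search(pattern, args):
                return action == "permit", f"args '{args}' matched {action} rule /{pattern}/"
        verdict = entry.permit_unmatched_args
        return verdict, f"args '{args}' matched no rule; unmatched args {'permitted' if verdict else 'denied'}"


def build_readonly_set(permit_unmatched_args: bool) -> CommandAuthSet:
    """The thread's ReadOnly set: 'show' and 'exit' listed, unmatched commands denied.

    The flag models the per-command checkbox on 'show'. If it is left unchecked,
    'show version' (show *with* arguments) is denied even though 'show' is listed,
    which is a common surprise when building a read-only set.
    """
    return CommandAuthSet(
        name="ReadOnly",
        entries={
            "show": CommandEntry("show", permit_unmatched_args=permit_unmatched_args),
            "exit": CommandEntry("exit"),
        },
        permit_unmatched_commands=False,
    )


def decide(cmd_line: str, user_set: Optional[CommandAuthSet], group_set: Optional[CommandAuthSet]) -> Tuple[bool, str]:
    """Apply the precedence Jatin describes: a set on the user overrides the group's set.

    Assumption: when no set is applied at all (user not mapped to the group, and no
    user-level set), ACS permits the command. That is the symptom in the thread.
    """
    auth_set = user_set if user_set is not None else group_set
    if auth_set is None:
        return True, "no shell command authorization set applied; permitted"
    return auth_set.authorize(cmd_line)


if __name__ == "__main__":
    ro = build_readonly_set(permit_unmatched_args=True)
    for cmd in ("show version", "configure terminal", "exit", "reload"):
        print(cmd, "->", decide(cmd, None, ro))
    # The broken mapping: group set exists, but the user is not mapped to it.
    print("configure terminal (unmapped user) ->", decide("configure terminal", None, None))
```

Running the block shows that with the ReadOnly set actually applied, "configure terminal" is denied by the unmatched-commands rule, while an unmapped user (no set applied) gets it permitted; this is exactly why the debug and ACS log check suggested above is the right next step.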