2765 Views, 0 Helpful, 8 Replies

Cisco ACS 4.2 providing show commands only

I am trying to create a user so that I can allow him only to run show commands, nothing else.

1) Created a user in ACS

2) Created a Shell Command Authorization Set - ReadOnly

Unmatched Commands - Deny

Commands Added

show

exit

3) Created a group - HelpDesk with the following TACACS+ settings

Shell (exec) is checked

Privilege level is checked with 15 as the assigned level

Assign a Shell Command Authorization Set for any network device - selected

ReadOnly - shell command authorization set selected

I have configured the following on my router:

aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local

But still the user can run config t and other commands. Can someone help me fix this?
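As an added illustration (not from this thread, from the poster or from Cisco), here is a small Python model of the two decisions involved in the setup above: whether IOS sends a typed command to the TACACS+ server at all, which depends on the per-privilege-level "aaa authorization commands" lines and on "config-commands", and what an ACS 4.x shell command authorization set such as the ReadOnly set answers once asked. The config lines and the set contents are the ones from the post; the helper names, the default-privilege-level table, the argument-rule syntax and the tighter "no running-config" variant are my own constructed simplifications of the behaviour, not ACS or IOS code.

```python
import re

# --- ACS side -------------------------------------------------------------
# The poster's "ReadOnly" Shell Command Authorization Set: permit "show" and
# "exit", Unmatched Commands = Deny.  ACS 4.x matches the first word of the
# typed line against the command list; argument handling is modelled here as
# (action, regex) rules plus a per-command "unmatched arguments" action.
# Constructed model of the behaviour, not ACS code.
READ_ONLY_SET = {
    "unmatched_commands": "deny",
    "commands": {
        "show": {"arg_rules": [], "unmatched_args": "permit"},
        "exit": {"arg_rules": [], "unmatched_args": "permit"},
    },
}

# A tighter variant (my own, not in the thread): same set, but "show"
# arguments starting with "running-config" are denied so the help-desk
# account cannot read the running configuration.
READ_ONLY_NO_RUNNING = {
    "unmatched_commands": "deny",
    "commands": {
        "show": {"arg_rules": [("deny", r"running-config.*")],
                 "unmatched_args": "permit"},
        "exit": {"arg_rules": [], "unmatched_args": "permit"},
    },
}


def acs_evaluate(cmd_set, command_line):
    """Answer 'permit' or 'deny' for one full command line under cmd_set."""
    words = command_line.split()
    if not words:
        return "deny"
    rule = cmd_set["commands"].get(words[0])
    if rule is None:                      # command not in the set
        return cmd_set["unmatched_commands"]
    args = " ".join(words[1:])
    for action, pattern in rule["arg_rules"]:   # first matching rule wins
        if re.fullmatch(pattern, args):
            return action
    return rule["unmatched_args"]


# --- IOS side -------------------------------------------------------------
AUTHZ_LINE = re.compile(r"^aaa authorization commands (\d+) default (.+)$")


def parse_aaa_config(config_text):
    """Collect which privilege levels have an 'aaa authorization commands'
    line (with their method list) and whether config-commands is enabled."""
    levels, config_commands = {}, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "aaa authorization config-commands":
            config_commands = True
        m = AUTHZ_LINE.match(line)
        if m:
            levels[int(m.group(1))] = m.group(2).split()
    return {"levels": levels, "config_commands": config_commands}


# Constructed table of default IOS privilege levels for the commands used
# below (show is a level-1 command, exit level 0, configuration level 15).
DEFAULT_LEVEL = {"show": 1, "exit": 0, "configure": 15, "hostname": 15}


def ios_decide(aaa, cmd_set, command_line, in_config_mode=False):
    """Model what IOS does with a typed command.  Returns the ACS answer, or
    'permit-local' when IOS never asks the server: there is no
    'aaa authorization commands <level>' line for the command's level, or the
    command is a configuration command and config-commands is off.  The
    'local' fallback method used when the server is unreachable is not
    modelled."""
    level = DEFAULT_LEVEL.get(command_line.split()[0], 15)
    if level not in aaa["levels"]:
        return "permit-local"
    if in_config_mode and not aaa["config_commands"]:
        return "permit-local"
    return acs_evaluate(cmd_set, command_line)


# The router lines from the post.
THREAD_CONFIG = """\
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
"""

if __name__ == "__main__":
    aaa = parse_aaa_config(THREAD_CONFIG)
    for cmd, cfg in [("show version", False), ("show running-config", False),
                     ("configure terminal", False),
                     ("hostname helpdesk-test", True)]:
        print("%-24s ReadOnly=%-6s NoRunning=%s" % (
            cmd, ios_decide(aaa, READ_ONLY_SET, cmd, cfg),
            ios_decide(aaa, READ_ONLY_NO_RUNNING, cmd, cfg)))
```

With the poster's four router lines every level the user can reach is covered, so the model denies "configure terminal" and any config-mode command under the ReadOnly set; if the real router still lets the user configure, the request is either not being evaluated against that set (wrong group or a user-level set overriding it) or not reaching the server, which is what the ACS and IOS debug logs discussed later in the thread will show. The model also shows what happens when a level is left out: a command at a level with no "aaa authorization commands" line is never sent for authorization at all.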

1 Accepted Solution

Hi,

I am trying to figure out what might be the case, hence asking you the question.

Which option is checked in the

Configuring a Shell Command Authorization Set for a User

Is it Group?

The configuration seems fine to me. Just as one more check, can you please confirm that the configuration is as per the link:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

Regards,

Anisha

P.S.: please mark this thread as answered if you  feel your query is  resolved. Do rate helpful posts.


8 Replies

andamani (Cisco Employee)

Hi,

Can you check the user authorization profile? Is it inherited from the group?

Hope this helps.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

Sorry, I am a bit new; where can I check?

Can you check the user authorization profile?

You mean

Group to which the user is assigned:

If that is the case, we have assigned it to the correct group.

Hi,

Yes. So does the user inherit the authorization profile from the group, or does it not?

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is  resolved. Do rate helpful posts.

Thanks for your help

So does the user inherit the authorization profile from the group or it does not?

Yes, but as I told before, the Shell Command Authorization Set is not working and the user can access the conf t command. I only want to allow them the show commands which I have configured (explained in first post).


Configuring a Shell Command  Authorization Set for a User

is it Group?

Yes, it is.

I followed the same link for my config setup.

Hmmm... OK. So what do the TACACS Administration logs say when you log in and try the "config t" command? i.e. Reports and Activity > TACACS Administration > Active.

Regards,

Anisha

P.S.: please mark this thread as answered if you  feel your query is  resolved. Do rate helpful posts.

Looks like the user is not getting mapped to the respective group, or the user is also configured for a shell command authorization set which is taking precedence over the group.

Run the following debugs on the IOS device:

debug tacacs
debug aaa authen
debug aaa autho
term mon

Run the "config t" command; in the ACS logs, look for the group you are getting mapped to and match it with the group name you want it to map to.

Rgds, Jatin

Do rate helpful posts.

~Jatin