Cisco ACS 5.3 command set guide

JohanKardell
Level 1

Hi

I'm trying to set up a command set in Cisco ACS 5.3, but I can't get it to work no matter what I try.

What I'm trying to accomplish is that some users, say Bob, can run every priv. level 1 command + show run, or just to specify which commands Bob will be able to run, whichever is easiest to set up.

Can someone please provide a guide or step-by-step instructions with the necessary commands to set it up? I'm having trouble finding a good guide for this.

In my switch I have the commands:

aaa new-model

aaa authentication login default group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authorization config-commands

aaa authorization commands 1 default group tacacs+ 

aaa authorization commands 15 default group tacacs+ <--- tried different approaches with the priv level..

(and specified a tacacs server)

Is the "default" under "aaa authorization commands 1x default group tacacs+" the name of the command set?

In the ACS I have specified an authorization group and bound it to the command set; should the user have priv 15 for this to work, or priv 1?

(I have also specified a user and an identity group, and specified IP ranges under "Network Devices and AAA Clients")

Not sure how to set up the command set, see below

[image attachment: command set.png]

Thanks for any help!!!!!!!

//Johan

Accepted Solution

francig2
Level 1

IOS Configuration

These commands are required on an IOS router or switch in order to implement command authorization through an ACS server:

aaa authorization config-commands

aaa authorization commands 0 default group tacacs+ local

aaa authorization commands 1 default group tacacs+ local

aaa authorization commands 15 default group tacacs+ local

Here we have two users that belong to two different groups.

Here are the groups

Then we will need to create two different authorization policies

Under those policies it will match depending on the identity group that the user belongs to, and based on that it will apply the command set: only show, or allow all.

Here are the command sets

This is the command set allow all for the rule 1.

This is the only show run for the rule 2.

So basically the configuration you have under the command set is fine, you just need to separate the values.

Example:

Grant = Permit

Command = show

Arguments = ip interface brief

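To make the accepted answer's command-set rows concrete, here is an added example (mine, not code from the thread or from Cisco) that models how a TACACS+ command-authorization request is decided against ACS 5.x-style command sets: an "allow all" set for one identity group and a "show only" set for another, with the answer's "Grant = Permit / Command = show / Arguments = ip interface brief" row. It also answers the poster's question about "default": in "aaa authorization commands 15 default group tacacs+", "default" is the IOS method-list name, not an ACS command set; the command set is selected by the ACS authorization rule for the user's group. Everything below the imports is simplified and assumed: first matching row wins, the command word matches exactly, the arguments column is treated as a regular expression over the rest of the line, and an unmatched line is denied unless the set's "permit any command not in the table" option is on. The users and groups are constructed sample data.

```python
# Added example, not from the thread or from Cisco: a small model of
# TACACS+ command authorization against ACS 5.x-style command sets.
# Simplifying assumptions (mine, not ACS internals):
#   * a command set is an ordered list of (grant, command, arguments) rows;
#   * the command word must match exactly (case-insensitive) and the
#     arguments column is a regular expression over the rest of the line;
#   * first matching row wins; a line matching no row is denied unless the
#     set's "permit any command not in the table" option is on;
#   * an authorization rule maps one identity group to one command set.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class CommandRow:
    grant: str            # "Permit" or "Deny"
    command: str          # first word of the line, e.g. "show"
    arguments: str = ""   # regex over the remaining words; "" = any arguments


@dataclass
class CommandSet:
    name: str
    rows: List[CommandRow] = field(default_factory=list)
    permit_unmatched: bool = False   # "Permit any command that is not in the table"

    def decide(self, line: str) -> str:
        """Return 'permit' or 'deny' for one typed CLI line."""
        words = line.strip().split()
        if not words:
            return "deny"
        cmd, args = words[0].lower(), " ".join(words[1:])
        for row in self.rows:
            if row.command.lower() != cmd:
                continue
            if row.arguments and re.fullmatch(row.arguments, args) is None:
                continue
            return "permit" if row.grant == "Permit" else "deny"
        # Default deny: the safe setting for a restricted group.
        return "permit" if self.permit_unmatched else "deny"


# The two command sets the answer describes ("allow all" and "only show run"),
# plus the answer's example row "Permit show ip interface brief".
ALLOW_ALL = CommandSet("AllowAll", permit_unmatched=True)
SHOW_ONLY = CommandSet("ShowOnly", rows=[
    CommandRow("Permit", "show", r"run(ning-config)?"),
    CommandRow("Permit", "show", r"ip interface brief"),
])

# Constructed sample users, identity groups and rules (not from the thread).
USER_GROUP: Dict[str, str] = {"bob": "Helpdesk", "alice": "NetAdmins"}
GROUP_POLICY: Dict[str, CommandSet] = {"Helpdesk": SHOW_ONLY, "NetAdmins": ALLOW_ALL}


def authorize(user: str, line: str) -> str:
    """Decide one command the way the server would after the NAS forwards it
    under 'aaa authorization commands <level> default group tacacs+'.
    'default' there is the IOS method-list name; which command set applies
    is chosen here by the group rule, not by that name."""
    group: Optional[str] = USER_GROUP.get(user)
    cmdset = GROUP_POLICY.get(group) if group else None
    if cmdset is None:
        return "deny"        # no rule matched this user: deny
    return cmdset.decide(line)


if __name__ == "__main__":
    for user, line in [("bob", "show running-config"),
                       ("bob", "show ip route"),
                       ("bob", "configure terminal"),
                       ("alice", "configure terminal")]:
        print(f"{user:6} {line:22} -> {authorize(user, line)}")
```

Note the "local" fallback in the answer's IOS lines ("group tacacs+ local"): if the server is unreachable, IOS falls back to local authorization, which this model does not represent, so the restricted group's effective permissions on the device also depend on the local privilege level configured for the user.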

2 Replies


Thank you!!!!!

now it's working !!!!

Thanks for a great explanation!!
