Re: Command Authorization in ACS

waridtel.com · ‎12-14-2006

Hi,

Can anybody tell me how can I permit only ping command to a group in ACS. What is the actual statement that I want to add in command authorization sets.

premdeep.banga · ‎12-14-2006

Hi,

Please refer the attachment for detail.

After you have gone through the attachment, Being specific to your question,

ping---------------(Check the check box for "Permit unmatched Args")

Regards,

Prem

waridtel.com · ‎12-15-2006

Hi,

Thanks a lot.

premdeep.banga · ‎12-15-2006

Do rate if that helps.

;)

Regards,

Prem

royalblues · ‎12-24-2006

Hi Prem,

Can you let me know how can i restrict a group from adding a route. I have the following configured on the ACS under shell authorization

configure ......permit terminal

interface ......permit fastethernet (permit Unmatched arg)

show............permit vlan

switchport......permit access &

permit vlan

With the above configuration iam still able to add a route to the config

Also i would like to know the wildcard to be used for enabling all the fastethernet or Ge ports

thanks in advance

Narayan

Vivek Santuka · ‎12-26-2006

Narayan,

This command will help in restricting the route addition :-

aaa authorization config-commands

Command authorization does not apply to configuration mode automatically. So we need to enable it using the above command.

royalblues · ‎12-26-2006

Hi Vivek,

I had the command in my configuration.

Actually i had missed the command

aaa authorization commands 15 default group tacacs+ local

Thanks

Narayan