Showing results for 
Search instead for 
Did you mean: 

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


Command Authorization Set Show Run Permissions Only

Hi All,

I am trying to set up aaa authorization using Cisco ACS 4.2 so that my Helpdesk Users have the ability to do show commands only.

I have followed the instructions from

and this doesn't work as intended.

I have followed the document to a tee but when I log in with my test2 user account it gives me user mode access only (> prompt) instead of Priv Exec (# prompt) but with only show command privileges!  I guess this is because I am specifying level 1 access but that's what the doc says to do.......

My config is as follows:

Cisco 2811 Router

aaa new-model

aaa authentication login defaut group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authorization config-commands

aaa authorization exec default group tacacs+ local

aaa authorization commands 1 default group tacacs+ local

aaa authorization commands 15 default group tacacs+ local

aaa session-id common

ACS 4.2 Config

Shell Command Authorization Set: Name = ReadOnlyAccess - Unmatched commands set to Deny, with the show command configured in the box below and I have checked the Permit Unmatched Args check box next to it

User: Test2 in UserGroup: ReadOnlyGroup with Enable options - Max Priv for any AAA Client: Level 1, TACACS+ - Shell (exec) box checked and Priv level checked and set to 1

Shell Command Authorisation Set - Assign a Shell Command Authorization Set for any network Device radio button selected specifying ReadOnlyAccess as the Command authorisation set to apply.

Thanks in advance




I have resolved this issue by giving my Test2 User account Priv 15 access and then specifying the commands that can be permitted within the command authorisation set applied to all devices, which is the way I thought it should be done in the first place

Content for Community-Ad