Hello Everyone
I have gotten into a bit of difficulty when configuring command sets on the ACS. I have put commands on the ACS and configured aaa authorization commands on the Cisco device. It does work, but the "access-list" command and other commands appear to be working even when I have not permitted them in the command set.
This is my configuration on both the router and the ACS
ACS

PERMIT/DENY   COMMAND     ARGUMENT
PERMIT        configure   terminal
PERMIT        show        *
PERMIT        ping
PERMIT        interface   gigabit*
Now I have made a command set called "restrictive" and applied these commands. But still, when I create an access-list on the device, it works. I have applied the correct policies and mapped the correct device groups and Active Directory. I am able to get hit counts whenever an AD user logs into the Cisco device. This command set is the only issue I am facing now.
I am assuming that I don't have to put a DENY ALL at the end since that is implied.
ROUTER

aaa new-model
aaa authentication login default tacacs+ local
aaa authorization exec default tacacs+ local
! command authorization is configured per privilege level; level 15 assumed here
aaa authorization commands 15 default tacacs+ local
tacacs-server host 1.1.1.1 key 12345
I have looked at the user guide example on the command set and it is really vague.
Please help
Thanks
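As an added illustration (not from the post above and not ACS's own code), this Python model evaluates a command line against the command set from the post, applies the implicit deny when nothing matches, and shows why a command the device never sends to the TACACS+ server for authorization runs regardless. The matching rules used here (case-insensitive command name, shell-style wildcard on the arguments, empty pattern matching anything) are assumptions for the model, not ACS's documented semantics.

```python
import fnmatch
import shlex

# Constructed model of the "restrictive" command set from the post:
# (action, command, argument pattern). Assumption: command names match
# case-insensitively, argument patterns are shell-style wildcards, and an
# empty pattern matches any arguments.
RESTRICTIVE = [
    ("PERMIT", "configure", "terminal"),
    ("PERMIT", "show", "*"),
    ("PERMIT", "ping", ""),
    ("PERMIT", "interface", "gigabit*"),
]


def evaluate_command_set(command_set, command_line, permit_unmatched=False):
    """Return 'PERMIT' or 'DENY' for one command line against a command set.

    Rules are checked in order; the first rule whose command and arguments
    match decides. A command line that matches no rule falls through to the
    implicit deny unless permit_unmatched is set (the "permit any command
    that is not in the table" option), which is what makes an explicit
    DENY ALL entry unnecessary.
    """
    words = shlex.split(command_line)
    if not words:
        return "DENY"
    cmd, args = words[0].lower(), " ".join(words[1:]).lower()
    for action, rule_cmd, arg_pattern in command_set:
        if rule_cmd.lower() != cmd:
            continue
        if arg_pattern == "" or fnmatch.fnmatchcase(args, arg_pattern.lower()):
            return action.upper()
    return "PERMIT" if permit_unmatched else "DENY"


def device_sends_for_authorization(priv_level, authorized_levels):
    """IOS only asks the TACACS+ server about a command when
    'aaa authorization commands <level> ...' exists for the privilege level
    the user is currently at; otherwise the command runs locally unchecked."""
    return priv_level in authorized_levels


def decision(priv_level, authorized_levels, command_line, command_set=RESTRICTIVE):
    """Combine both hops: if the device never sends the command, ACS cannot deny it."""
    if not device_sends_for_authorization(priv_level, authorized_levels):
        return "RUNS (never sent to ACS)"
    return evaluate_command_set(command_set, command_line)
```

The last function is the check worth running first: a command that ACS would deny still executes if the device is not configured to authorize commands at the privilege level the user actually lands in.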