Command-set on ACS 5.1 is not getting applied properly

sidcracker
Level 1

Hello Everyone

I have gotten into a bit of difficulty when configuring command sets on the ACS. I have put commands on the ACS and configured aaa authorization commands on the Cisco device. It does work, but the "access-list" command and other commands appear to be working even when I have not permitted them in the command set.

This is my configuration on both the router and the ACS

ACS

PERMIT/DENY   COMMAND     ARGUMENT
PERMIT        configure   terminal
PERMIT        show        *
PERMIT        ping
PERMIT        interface   gigabit*

Now I have made a command set called "restrictive" and applied these commands. But still, when I create an access-list on the device, it works. I have applied the correct policies and mapped the correct device groups and Active Directory groups. I am able to get hit counts whenever an AD user logs into the Cisco device. This command set is the only issue I am facing now.

I am assuming that I don't have to put a DENY ALL at the end since that is implied.

ROUTER

aaa new-model
aaa authentication login default tacacs+ local
aaa authorization exec default tacacs+ local
! As posted, the next line lacks the privilege-level argument IOS requires,
! e.g. "aaa authorization commands 15 default tacacs+ local"
aaa authorization commands default tacacs+ local
tacacs-server host 1.1.1.1 key 12345


I have looked at the user guide example on the command set and it is really vague.

Please help

Thanks
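A small model of the command set posted above, added here as an illustration; it is not ACS code and is not from the original thread. It assumes ACS 5.x command-set semantics: rows are evaluated in order with first match winning, "*" is a wildcard in the argument field, a blank argument field matches any arguments, and a command that matches no row is denied unless the set's "Permit any command that is not in the table below" option is enabled. Running it shows that with that option off an access-list line is denied, and with it on the line is permitted, which is the behaviour the poster describes.

```python
import re
from fnmatch import translate

# Constructed model of the poster's command set (not ACS configuration data).
# Row: (grant, command, argument_pattern). "*" is a glob wildcard; a blank
# argument pattern is treated as "any arguments" (assumption).
COMMAND_SET = [
    ("PERMIT", "configure", "terminal"),
    ("PERMIT", "show", "*"),
    ("PERMIT", "ping", ""),
    ("PERMIT", "interface", "gigabit*"),
]


def _arg_matches(pattern: str, args: str) -> bool:
    """Glob-style, case-insensitive match; a blank pattern matches anything."""
    if pattern == "":
        return True
    return re.fullmatch(translate(pattern), args, re.IGNORECASE) is not None


def authorize(line: str, command_set=COMMAND_SET, permit_unlisted=False) -> bool:
    """Return True if the command line would be permitted by the command set.

    Rows are checked in order; the first row whose command and argument
    pattern match decides. A line matching no row falls through to the
    'permit any command not in the table' setting (False = implicit deny).
    """
    parts = line.strip().split(None, 1)
    if not parts:
        return False
    cmd = parts[0]
    args = parts[1] if len(parts) > 1 else ""
    for grant, row_cmd, row_args in command_set:
        if cmd.lower() == row_cmd.lower() and _arg_matches(row_args, args):
            return grant.upper() == "PERMIT"
    return permit_unlisted


def audit(lines, permit_unlisted=False) -> dict:
    """Evaluate several command lines against the set; useful for checking a policy."""
    return {line: authorize(line, permit_unlisted=permit_unlisted) for line in lines}


if __name__ == "__main__":
    sample = ["show ip route", "interface GigabitEthernet0/0",
              "access-list 100 permit ip any any"]
    for flag in (False, True):
        print(f"permit_unlisted={flag}: {audit(sample, permit_unlisted=flag)}")
```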

1 Reply

Jatin Katyal
Cisco Employee

I think I already answered your question in the previous thread.


https://supportforums.cisco.com/message/3281729#3281729



Rgds,

Jatin



Do rate helpful posts~

~Jatin