Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1801
Views
10
Helpful
4
Replies

Configuring ACS 5.x for Restricted Dev Admin Command Set

Go to solution
Mike Masalla
Level 1
Level 1

‎04-26-2013 05:47 AM - edited ‎03-10-2019 08:22 PM

Hi every one there,

I am not new to ACS business, but this is the first time I am about to configure ACS 5.3 to authorize user group from doing some commands in the "configure mode" while permitting them some other commands. As example, I want to deny them from doing "reload" but give them access to configure "time-range", what happen is, they are denied access to "reload" on the exec mode, but once they went into "configure" mode, they would be able to "do reload"

I mean to say, is it possible to manage the subsequent commands to "configure terminal" ?

Thanks

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jagdeep Gambhir
Level 10
Level 10

‎04-26-2013 02:37 PM

Mike,

If this is IOS then make sure we have this command added,

aaa authorization config-command

This will authorize all commands executed in config t mode.

Regards,

~JG


Do rate helpful posts

View solution in original post

4 Replies 4

Go to solution
Jagdeep Gambhir
Level 10
Level 10

‎04-26-2013 02:37 PM

Mike,

If this is IOS then make sure we have this command added,

aaa authorization config-command

This will authorize all commands executed in config t mode.

Regards,

~JG


Do rate helpful posts

Go to solution
Vinay Sharma
Level 7
Level 7
In response to Jagdeep Gambhir

‎05-03-2013 03:17 AM

Thanks for this info :-) 5+

Thanks & Regards
0 Helpful

Go to solution
Amjad Abdullah
VIP Alumni
VIP Alumni

‎04-26-2013 10:10 PM

Mike,

Like Jagdeep replied above, if you use that command on the IOS device (switch or router) then once you are on privileged mode you'll have all commands permitted.

You have to configure the ACS however to restrict access to the reload command for users in the enable mode.

This example will help you if you don't have an idea about the configuration already:

http://www.cisco.com/en/US/products/ps9911/products_configuration_example09186a0080bc8514.shtml

Regards,

Amjad

Rating useful replies is more useful than saying "Thank you"

Rating useful replies is more useful than saying "Thank you"
0 Helpful

Go to solution
Mike Masalla
Level 1
Level 1

‎04-27-2013 03:39 AM

Thanks Jagdeep, yes I am applying the commands to an IOS device. I have added your magic aaa authorization config-command  to IOS device aaa policy and tested it, looks great. Thank you very much.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents