575 Views, 0 Helpful, 5 Replies
Couldn't get command set working on ACS 5.3

Hi,

I configured a command set on ACS 5.3 so that it allows running the show command only. The corresponding shell profile is set to privilege level 15. I couldn't get it working: users are still able to run any command. How do I get this working?

Thanks,

Kerim

Accepted Solution

You are missing the "authorization" commands.

For example depending on what you need to check with ACS you will have to use:

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 0 default group tacacs+ if-authenticated

The previous commands mean that every time a user enters a level 15/1/0 command, the client will check with the ACS whether that command is permitted or not.

Also, in the Command Set you don't need to use "*" in the Argument section, just "show" under the Command section.

Remember to have a back door configured, this will avoid you getting locked out, e.g. console access.

Let me know how it goes.

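The complete client-side configuration that the accepted answer describes, written out as an added example; it is not from the original thread. The ACS address 192.0.2.10, the server names ACS-1 and ACS-GROUP, the shared secret placeholder and the CONSOLE method-list name are assumptions. The ACS side is left as the poster had it: a shell profile at privilege 15 and a command set that permits only show.

```ios
! Added example, not from the thread. 192.0.2.10, ACS-1, ACS-GROUP and
! <shared-secret> are placeholders.
aaa new-model
!
tacacs server ACS-1
 address ipv4 192.0.2.10
 key 0 <shared-secret>
!
aaa group server tacacs+ ACS-GROUP
 server name ACS-1
!
! Login authentication: ACS first, local database only if ACS is unreachable.
aaa authentication login default group ACS-GROUP local
! Separate local-only list for the console: this is the back door.
aaa authentication login CONSOLE local
!
! Exec authorization: ACS returns the shell profile (privilege 15 here).
aaa authorization exec default group ACS-GROUP if-authenticated
!
! Command authorization. Without these lines the device never asks ACS
! whether a command is permitted, which is the symptom in the question.
! A privilege-15 user still types level-0 and level-1 commands ("show
! version" is a level-1 command), so each level needs its own method list.
aaa authorization commands 0 default group ACS-GROUP if-authenticated
aaa authorization commands 1 default group ACS-GROUP if-authenticated
aaa authorization commands 15 default group ACS-GROUP if-authenticated
!
! Send each authorized command to ACS so denials show up in its reports.
aaa accounting commands 1 default start-stop group ACS-GROUP
aaa accounting commands 15 default start-stop group ACS-GROUP
!
! Deliberately NOT configured: "aaa authorization console". Leaving it out
! keeps the console line exempt from authorization, so a locally
! authenticated console session still works if the ACS policy is wrong.
line con 0
 login authentication CONSOLE
```

Two checks after applying this. First, watch a session with `debug aaa authorization` (and `debug tacacs` if the server never answers): each command should produce an authorization request and an ACS reply of PASS or FAIL; if nothing appears, the `aaa authorization commands` lines are not in effect. Second, on the ACS command set, make sure the option to permit any command not listed in the table is unchecked, otherwise the missing entries are allowed rather than denied. Note also that `if-authenticated` is fail-open: it only applies when the preceding method returns an error (for example, ACS unreachable), and in that case any authenticated user is permitted every command. That is a deliberate availability trade-off; decide whether it is acceptable for your devices. Configuration-mode commands are covered as well, because `aaa authorization config-commands` is enabled by default once command authorization is configured.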

5 Replies
Hi there,

What is your current AAA configuration on the client? Type "show run | i aaa" and paste the output here. Also share with us a screenshot of your Command Set and Authorization rule.

This is the command set:

Authorization: the last one

Authorization profile (shell profile):

Thanks,

Let me know if you need more info.

Thanks! That took care of it.

Glad to hear the good news.

Have a nice day.