kerim mohammed
Participant

couldn't get command set working on acs5.3

Hi,

I configured a command set on ACS 5.3 so that it allows running the show command only. The corresponding shell profile is set to privilege level 15. I couldn't get it working; users are still able to run any command. How do I get this working?

Thanks,

Kerim

ACCEPTED SOLUTION

You are missing the "authorization" commands.

For example depending on what you need to check with ACS you will have to use:

aaa authorization command 15 default group tacacs+ if-authenticated

aaa authorization command 1 default group tacacs+ if-authenticated

aaa authorization command 0 default group tacacs+ if-authenticated

The previous commands mean that every time a user enters a level 15/1/0 command, the client will check with the ACS whether that command is permitted or not.

Also, in the Command Set you don't need to use "*" in the Argument section, just "show" under the Command section.

Remember to have a back door configured, this will avoid you getting locked out, e.g. console access.

Let me know how it goes.

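As an added example (not the poster's configuration), here is a complete IOS AAA block that applies the advice above: per-level command authorization against ACS, plus the console back door and a local fallback account. The server group name, server address, shared secret and fallback username are assumed placeholders.

```text
! Added example, not from the original thread. Placeholders: ACS, ACS-1,
! 192.0.2.10, the shared secret and the fallback account.
aaa new-model
!
tacacs server ACS-1
 address ipv4 192.0.2.10
 key <shared-secret-placeholder>
!
aaa group server tacacs+ ACS
 server name ACS-1
!
! Login authentication and exec authorization (the shell profile that
! hands the user privilege 15 is returned here).
aaa authentication login default group ACS local
aaa authorization exec default group ACS if-authenticated
!
! Per-command authorization. Without these lines the ACS command set is
! never consulted, which is why users could run anything.
aaa authorization commands 15 default group ACS if-authenticated
aaa authorization commands 1 default group ACS if-authenticated
aaa authorization commands 0 default group ACS if-authenticated
! Also authorize commands entered in configuration mode.
aaa authorization config-commands
!
! Caveat: "if-authenticated" means that when ACS is unreachable, any
! already-authenticated user is permitted every command. Use "local" or
! "none" only if that fallback behaviour is acceptable for your site.
!
! Back door: the console is exempt from AAA authorization unless
! "aaa authorization console" is configured, so leave that command out
! and keep a local privilege-15 account for recovery.
username fallback-admin privilege 15 secret <local-password-placeholder>
!
line con 0
 login authentication default
```

In ACS, the matching command set should list "show" under Command with the Argument left empty (no "*"), with "Permit any command that is not in the table below" unchecked so that everything else is denied.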

5 REPLIES
mauzamor
Beginner

Hi there,

What is your current AAA configuration on the client? Type "show runn | i aaa" and paste the output here. Also share with us a screenshot of your Command Set and Authorization rule.

This is the command set:

Authorization: the last one

Authorization profile (shell profile):

Thanks,

Let me know if you need more info.


Thanks! That took care of it.

Glad to hear the good news.

Have a nice day.
