11-29-2012 08:00 AM - edited 03-10-2019 07:50 PM
Hi,
I configured a command set on ACS 5.3 so that it allows running the show command only. The corresponding shell profile is set to privilege level 15. I couldn't get it working. Users are still able to run any command. How do I get this working?
Thanks,
Kerim
11-29-2012 09:25 AM
You are missing the "authorization" commands.
For example depending on what you need to check with ACS you will have to use:
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 0 default group tacacs+ if-authenticated
The previous commands mean that every time a user enters a command at level 15/1/0, the client will check with the ACS whether these commands are permitted or not.
Also, in the Command Set you don't need to use "*" in the Argument section, just "show" under the Command section.
Remember to have a back door configured; this will avoid you getting locked out, e.g. console access.
Let me know how it goes.
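To make the point of this answer concrete, here is a small added model (not code from the thread or from Cisco) of the two halves of command authorization: the ACS command set, which matches the command keyword and applies the Argument column as a regex to the rest of the line, and the IOS side, which only consults TACACS+ for privilege levels that have an "aaa authorization commands <level>" line. The rows, level numbers and command lines are constructed for illustration.

```python
import re
from dataclasses import dataclass, field


@dataclass
class CommandSet:
    """Model of an ACS 5.x command set.

    rows: (command, argument_regex, grant) evaluated top to bottom, first match wins.
    permit_unmatched: the 'permit any command that is not in the table' checkbox.
    """
    rows: list = field(default_factory=list)
    permit_unmatched: bool = False

    def decide(self, line: str) -> str:
        cmd, _, args = line.strip().partition(" ")
        for command, arg_regex, grant in self.rows:
            # The Command column matches the first keyword; the Argument column is a
            # regex over the remainder. An empty Argument matches any arguments,
            # which is why "show" with a blank Argument permits every show command.
            if cmd == command and re.search(arg_regex or "", args):
                return grant
        return "permit" if self.permit_unmatched else "deny"


def ios_authorize(line: str, priv_level: int, authorized_levels: set,
                  command_set: CommandSet) -> str:
    """Model of the router: a privilege level is sent to TACACS+ only if
    'aaa authorization commands <level> default group tacacs+ ...' exists for it.
    Without that line the router never asks ACS and permits the command locally,
    which is the symptom described in the question."""
    if priv_level not in authorized_levels:
        return "permit"
    return command_set.decide(line)


# Constructed command set matching the answer: only "show" is permitted.
SHOW_ONLY = CommandSet(rows=[("show", "", "permit")])

# Constructed variant: a deny row placed above the permit row, to show first-match-wins.
SHOW_NO_RUNNING = CommandSet(rows=[("show", r"^running-config", "deny"),
                                   ("show", "", "permit")])

if __name__ == "__main__":
    # Before: no "aaa authorization commands" lines at all, so everything passes.
    print(ios_authorize("configure terminal", 15, set(), SHOW_ONLY))        # permit
    # After: levels 0, 1 and 15 are authorized against ACS.
    print(ios_authorize("configure terminal", 15, {0, 1, 15}, SHOW_ONLY))   # deny
    print(ios_authorize("show running-config", 15, {0, 1, 15}, SHOW_ONLY))  # permit
```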
11-29-2012 08:03 AM
Hi there,
What is your current AAA configuration on the client? Type "show runn | i aaa" and paste the output here. Also share with us a screenshot of your Command Set and Authorization rule.
11-29-2012 09:02 AM
This is the command set:
Authorization: the last one
Authorization profile (shell profile):
Thanks,
Let me know if you need more info.
11-29-2012 10:19 AM
Thanks! That took care of it.
11-29-2012 10:29 AM
Glad to hear the good news.
Have a nice day.