Exclude specific user from aaa authorization commands

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-09-2015 07:08 AM - edited 03-10-2019 10:25 PM
Hi there,
I am trying to find a solution to exclude specific users from being authorized (AAA command authorization) when entering commands on the switch/router.
We use an AAA setup with Cisco ACS. On the devices we use:
aaa authorization config-commands
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 5 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
is it possible, to exclude an user, say User1, from being command authorized?
In other words, when User1 logs on the switch/router, the switch/router shouldn't check the ACS if User1 is authorized to use this command.
We tried this with method lists in combination with ACL's on the VTY's:
line VTY 0
access-class 1 in
line VTY 1
access-class 2 in
Let's say, User1 always logs in from a specific IP, which is mentioned in access-list 2, the switch would use the method mentioned within the line vty 1.
But apparently, when a remote connection is being established, the switch/router uses the first VTY which is available, instead of watching which ACL can be matched to the source IP from the User.
Does anyone have some tips/tricks how to handle this?
Maybe a custom attribute from the ACS?
Kind Regards
- Labels:
-
AAA
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-09-2015 06:23 PM
Where does the user you are trying to block reside? Locally on the device, AD or in the ACS database?
Thank you for rating helpful posts!

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-09-2015 11:45 PM
We have a RADIUS backend where the user resides
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-10-2015 10:49 AM
If that user belongs to a unique group then you can write a policy where "if the user is in group x then return "access_reject" Or return "access_accept" but set the privilege level to "1" and block all commands.
Thank you for rating helpful posts!
