How to restrict user access to Exec shell in CSACS v5.1

Hi;

I am trying to give a user access to a single user mode command on a switch (show interfaces).  I want to deny him from entering Exec mode altogether.  The switch is configured as:

aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated

In CSACS v5.1 the user's shell profile has a default privilege of 1 and a maximum privilege of 1.  His command set permits show interfaces and I explicitly deny Show (no arguments) and Enable (no arguments).  In user mode everything works fine; the user can only execute Show Interfaces.  But, he is able to enter Enable to get to Exec mode, and when in exec mode he can enter any exec-level command (but user level commands are still restricted).

I thought just configuring his maximum privilege at 1 would have worked.  Can anyone help out?

Thanks!  Glenn

1 ACCEPTED SOLUTION
Glenn,

You need to put this command:

aaa authorization commands 15 default group tacacs+ if-authenticated

Otherwise the router will not check authorization with ACS. Commands that we issue in enable mode fall in priv 15, so that is why we need this command.

Regards,

~JG

Do rate helpful posts!
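The following IOS configuration block is an added illustration and is not part of the thread or of any Cisco example: it places the original two authorization lines from the question beside the privilege-15 line from the accepted answer, so the gap is visible in one listing. The authentication, accounting and TACACS+ server lines are assumptions added for completeness (the thread never shows them), and the server address and shared key are placeholders.

```ios
! Added example, not from the thread. Server address and key are placeholders.
aaa new-model
!
! Assumed login/enable authentication against ACS with local fallback.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! As originally posted: exec and privilege-1 commands are sent to ACS.
! Nothing here covers privilege 15, so once the user reaches enable mode
! the router never asks ACS whether a command is allowed.
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
!
! The line from the accepted answer: commands issued in enable mode are
! privilege 15, so this level must be authorized against ACS as well.
aaa authorization commands 15 default group tacacs+ if-authenticated
!
! Assumed command accounting so the server keeps a per-user record of
! every command attempted at either level.
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
tacacs-server host 192.0.2.10
tacacs-server key PLACEHOLDER-SHARED-KEY
```

Two things worth checking after applying it: `show privilege` from the user's session confirms which level the command set is being evaluated at, and the `if-authenticated` keyword means that when the TACACS+ server is unreachable any authenticated user is permitted the command without a server decision, so that fallback should be a conscious choice and the accounting records on the server should be reviewed for the period of any outage.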

Jagdeep;

Thanks, that worked great!