How to restrict user access to Exec shell in CSACS v5.1

gamorr50265
Level 1

Hi;

I am trying to give a user access to a single user mode command on a switch (show interfaces).  I want to deny him from entering Exec mode altogether.  The switch is configured as:

aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated

In CSACS v5.1 the user's shell profile has a default privilege of 1 and a maximum privilege of 1.  His command set permits show interfaces and I explicitly deny Show (no arguments) and Enable (no arguments).  In user mode everything works fine; the user can only execute Show Interfaces.  But, he is able to enter Enable to get to Exec mode, and when in exec mode he can enter any exec-level command (but user level commands are still restricted).

I thought just configuring his maximum privilege at 1 would have worked.  Can anyone help out?

Thanks!  Glenn

Accepted Solution

Jagdeep Gambhir
Level 10



Glenn,

You need to put this command:

aaa authorization commands 15 default group tacacs+ if-authenticated

Otherwise the router will not check authorization with ACS. Commands that we issue in enable mode fall under priv 15, which is why we need this command.

Regards,

~JG


Do rate helpful posts!
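For reference, a complete AAA block that applies the fix above, written as an added example rather than copied from Glenn's switch (the TACACS+ server address and shared secret are placeholders). It also shows the accounting lines and the fail-open behaviour of `if-authenticated` that a reviewer would want to check:

```cisco
! Added example: full AAA authorization block (not Glenn's actual config).
! Server address and shared secret are placeholders.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! Exec authorization: ACS returns the shell profile (default priv-lvl 1 here).
aaa authorization exec default group tacacs+ if-authenticated
!
! Command authorization is evaluated per privilege level. Without the
! "commands 15" line, anything typed after "enable" is never sent to ACS
! and runs unchecked, which is exactly the symptom described in the question.
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
!
! Apply authorization on the console line as well (off by default).
aaa authorization console
!
! Accounting so ACS logs what was attempted at each level.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
tacacs-server host 192.0.2.10
tacacs-server key <TACACS-SHARED-SECRET>
!
! Caveat: "if-authenticated" lets any already-authenticated user pass
! authorization when ACS is unreachable (fail-open). If policy requires
! fail-closed, leave only "group tacacs+" and accept lockout while ACS is down.
```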

2 Replies

Jagdeep;

Thanks, that worked great!