permitting specified commands only
01-04-2007 02:34 AM - edited 03-10-2019 02:54 PM
Hi,
We have TACACS enabled in our routers. I wanted to restrict user access to only particular commands. I am providing those commands below.
Router#term len 0
Router#sh clock
Router#sh ip int br
Router#sh env all
Router#sh int s0/0
Router#sh int s0/1
Router#ping 10.30.250.137
Router#conf t
Router(config)#int se0/0
Router(config-if)#no backup int br0/0
Router#exit
Router#isdn call int bri 0/0 22861600
Router#sh isdn a
Router#sh isdn status
Router(config)#int se0/0
Router(config-if)#backup int bri0/0
Router#sh int bri0/0
Router#sh run
Nothing more than these commands should be allowed for configuration. Can someone advise me on the required configuration on the router as well as on Cisco ACS?
Regards
SKRAO
- Labels: AAA
01-04-2007 03:16 AM
1) For Authentication:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsaaa/scfathen.htm
2) For Authorization:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsaaa/scfathor.htm
Authorization can be defined either on your TACACS+ or locally. For TACACS+, refer to a few other conversations which talk about the shell authorization command set; you will find what you need. And locally, if you are interested in these particular commands, just follow the links which I gave you.
Hope that helps.
01-04-2007 03:21 AM
Two more links for you.
1) http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094ea9.shtml --> This particular link talks about ACS. I had started a conversation earlier and I got this in reply. Worth looking at once.
2) To perform authorization for these many particular commands, please find the link below (using the privilege command):
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123tcr/123tsr/sec_p1gt.htm#wp1141496
Hope that helps.
cheers
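A way to check a deny-unmatched command list before entering it as a shell command authorization set, added here as an example that is not part of any reply in this thread. The matching rules (first word as the command, an anchored regex on the remaining arguments, commands in expanded form) are a simplified model and an assumption, not the ACS implementation; the must-deny samples are constructed.

```python
import re

# Constructed policy: command word -> anchored regexes for its argument string.
# Anything not listed is denied. Commands are in expanded form (assumption:
# the device expands "sh" to "show" etc. before asking for authorization).
PERMIT = {
    "terminal": [r"length 0"],
    "show": [r"clock", r"ip interface brief", r"environment all",
             r"interfaces serial ?0/[01]", r"interfaces bri ?0/0",
             r"isdn (active|status)", r"running-config"],
    "ping": [r"10\.30\.250\.137"],
    "configure": [r"terminal"],
    "interface": [r"serial ?0/0"],
    "backup": [r"interface bri ?0/0"],
    "no": [r"backup interface bri ?0/0"],
    "isdn": [r"call interface bri ?0/0 22861600"],
    "exit": [r""],
}

def authorize(line):
    """Return True only if the whole argument string matches a permit rule."""
    words = line.lower().split()
    if not words:
        return False
    cmd, args = words[0], " ".join(words[1:])
    # fullmatch anchors both ends, so "serial0/10" cannot pass as "serial0/1"
    return any(re.fullmatch(p, args) for p in PERMIT.get(cmd, []))

def denied(lines):
    """Return the lines the policy would refuse, in input order."""
    return [l for l in lines if not authorize(l)]

# The commands from the question, written out in full.
INTENDED = [
    "terminal length 0", "show clock", "show ip interface brief",
    "show environment all", "show interfaces Serial0/0",
    "show interfaces Serial0/1", "ping 10.30.250.137", "configure terminal",
    "interface Serial0/0", "no backup interface BRI0/0", "exit",
    "isdn call interface BRI 0/0 22861600", "show isdn active",
    "show isdn status", "backup interface BRI0/0",
    "show interfaces BRI0/0", "show running-config",
]
# Constructed samples that must stay blocked.
MUST_DENY = ["show ip route", "show interfaces Serial0/10",
             "interface Serial0/1", "ping 10.30.250.138", "no shutdown", "reload"]

if __name__ == "__main__":
    print("intended but denied:", denied(INTENDED))
    print("wrongly permitted:", [l for l in MUST_DENY if authorize(l)])
```

The model checks one command at a time and does not track which configuration mode a command was typed in.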
