privilege level with ACS

chahine75 (Level 1)

I am trying to configure a group of users to get read-only access to our equipment (switches and routers), specifically "show run" or "show start". I set the command set to permit those 2 commands and I created a rule for that group, but it does not work as desired.

any ideas?  Thank you.


13 Replies

Roman Rodichev (Level 7)

what AAA commands do you have on your router?

I might be missing something in the aaa config.

Here is the aaa conf:

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login CON local
aaa authorization exec default group tacacs+ if-authenticated none
aaa authorization commands 1 default group tacacs+ if-authenticated none
aaa authorization commands 15 default group tacacs+ if-authenticated none
aaa accounting exec default start-stop group tacacs+

Hello

Add another command as " aaa author command 0 default group tac if-authen none " and see if it works. Otherwise, send the screenshot of tacacs server, where you configure the command set.

thanks

Devashree

There are a couple of ways that you can accomplish what you are looking to do.  What you need to remember is that when showing the running-config you can only see what you have authorization to configure so just allowing a RO user to execute the show run command isn't going to show them much.

One thing you could do is to lower the privilege level required to run the "show configuration" command.  The command is "privilege exec level 1 show configuration" and would need to be applied to all your devices.  This would allow privilege level 1 users to view the startup-config but not the running-config.

Since you are running ACS another solution would be to create a rule to permit these RO users to login and actually authorize at level 15 which by default allows one to configure everything (remember to be able see it in the running-config you must be authorized to configure it).  Then create a limited command set that only allows the commands they need to use.

Hope this helps,

Greg

Thanks for the replies.

Actually the first option is impossible to do in my case since I have around a couple of hundred pieces of equipment to modify, and I was trying to do it with ACS because of this.

The second option worked well for me: I gave them privilege 15 and applied the read-only command set on that rule.

The mistake I was making is that I created a privilege 6 and I set the command set to allow privilege 15 commands in it, which didn't work.

Thanks a lot

Hi Chahine75,

Did your second solution actually give your users the right to only see the commands that you specified in the command set?

Thanks,

aleruri

The users can see all the commands but they will only receive authorization to run the commands you specify in the command set.  You also need to have your aaa configured to do command authorization against your ACS for this to work properly.
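The behaviour Greg describes (the user is authorized at level 15 and sees every command, but the TACACS+ server only permits the ones in the command set) and the AAA lines chahine75 posted earlier are easy to reason about with a small model. The following is an added example, not code from this thread, from Cisco IOS or from ACS: it evaluates a constructed read-only command set the way an ACS-style command set is matched (first matching rule wins, default deny), expands the common IOS abbreviations before matching (an assumption made so "show run" and "show running-config" are treated alike), and audits an IOS AAA config to report which privilege levels have no "aaa authorization commands" line sent to the tacacs+ group. The sample config is the one posted in the thread.

```python
"""Model of TACACS+/ACS command-set authorization and an AAA config audit.

Added example for illustration; not ACS, IOS or Cisco code.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CommandRule:
    action: str          # "permit" or "deny"
    command: str         # first token of the command, e.g. "show"
    args: str = ".*"     # regex matched against the rest of the line


# Constructed read-only command set matching the thread's intent:
# permit "show run" and "show start", everything else falls to default deny.
READ_ONLY_SET = [
    CommandRule("permit", "show", r"^running-config$"),
    CommandRule("permit", "show", r"^startup-config$"),
]

# Assumption: the device sends the expanded command to the server, so a few
# common IOS abbreviations are expanded here before matching.
CMD_ALIASES = {"sh": "show", "conf": "configure", "config": "configure"}
ARG_ALIASES = {
    "show": {"run": "running-config", "start": "startup-config"},
    "configure": {"t": "terminal"},
}


def expand(command_line):
    """Split a typed command into (command, argument string) with aliases expanded."""
    tokens = command_line.strip().split()
    if not tokens:
        return "", ""
    cmd = CMD_ALIASES.get(tokens[0], tokens[0])
    rest = tokens[1:]
    if rest:
        rest[0] = ARG_ALIASES.get(cmd, {}).get(rest[0], rest[0])
    return cmd, " ".join(rest)


def authorize(command_line, rules, default="deny"):
    """Return True if the first matching rule permits the command.

    Seeing a command in the CLI help does not mean it is permitted; only
    the server's answer decides, and an unmatched command gets the default.
    """
    cmd, args = expand(command_line)
    for rule in rules:
        if rule.command == cmd and re.search(rule.args, args):
            return rule.action == "permit"
    return default == "permit"


def evaluate_session(command_lines, rules):
    """Map each typed command to the result a user at level 15 would see."""
    return {
        line: ("ok" if authorize(line, rules) else "Command authorization failed.")
        for line in command_lines
    }


# Constructed config text copied from the AAA lines posted in the thread.
THREAD_AAA_CONFIG = """
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login CON local
aaa authorization exec default group tacacs+ if-authenticated none
aaa authorization commands 1 default group tacacs+ if-authenticated none
aaa authorization commands 15 default group tacacs+ if-authenticated none
aaa accounting exec default start-stop group tacacs+
"""

AAA_CMD_AUTHZ = re.compile(r"^aaa authorization commands (\d+) \S+ group tacacs\+")


def audit_aaa(config_text, levels=(0, 1, 15)):
    """Return the privilege levels (from `levels`) with no command-authorization
    line sent to the tacacs+ group; without such a line the server is never
    asked about commands at that level, so the command set cannot apply."""
    covered = set()
    for line in config_text.splitlines():
        match = AAA_CMD_AUTHZ.match(line.strip())
        if match:
            covered.add(int(match.group(1)))
    return sorted(set(levels) - covered)


if __name__ == "__main__":
    for cmd, result in evaluate_session(
        ["show run", "show startup-config", "conf t", "copy run start"], READ_ONLY_SET
    ).items():
        print(f"{cmd:<22} {result}")
    print("levels without command authorization:", audit_aaa(THREAD_AAA_CONFIG))
```

Running it shows "show run" and "show startup-config" permitted and "conf t" answered with "Command authorization failed.", which is exactly the session output posted later in this thread. The audit reports level 0 as uncovered for the posted config, which is the line Devashree suggested adding; whether level 0 needs it depends on which commands you want the server to decide on.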

Thanks Greg Cover,

That sort of worked.

Is there any way to link the Role-based CLI views created in the AAA client to the user created in the ACS server? I know that you could do that in ACS 4.2 by using the “cli-view-name” attribute.

What I have in mind is to login with some user and that the ACS 5.2 server links this user with a view previously created in the AAA client:

Something like:

username: cenetacs
password:

SOLAR_WINDS_TEST#?
Exec commands:
  <1-99>  Session number to resume
  copy    Copy from one file to another
  enable  Turn on privileged commands
  exit    Exit from the EXEC
  show    Show running system information

SOLAR_WINDS_TEST#

Does anyone know how to achieve this?

Typing the command "enable view something" is not an option for us.

Thanks,

The only way I know to do that would be to create a custom privilege level in your device IOS configuration and associate the commands to that privilege level that you want users of that privilege level to be able to see/use.  You would then have to define a shell profile in the ACS for that privilege level and associate it in an authorization rule.  I think that would accomplish what you are looking to do.

Greg

Thanks Greg,

So what you are saying is that you are not aware of a way to link the role-based CLI view created on the AAA client device to the user on the ACS server?

Because as you probably know the role-based cli view configuration allows you to create a view and associate just a limited set of commands to that view, without having to create a custom privilege level in your device.

Thanks again.

aleruri

That's correct Alejandro, I'm not aware of a way to do that in ACS 5.2.  If someone does know how to do it hopefully they will share it with us here.  Perhaps you should start a new post on your issue specifically and see what kind of answers you get.

~GC

Thanks Greg,

your posts have been really helpful.

I will create a new thread with that question.

Cheers,

aleruri

Hi,

The users will see all the commands in privilege 15 if you gave them privilege 15 in your ACS, but they will only be allowed to execute the commands permitted in the command set that you defined.

RPWAN1#conf ?
  confirm            Confirm replacement of running-config with a new config file
  memory             Configure from NV memory
  network            Configure from a TFTP network host
  overwrite-network  Overwrite NV memory from TFTP network host
  replace            Replace the running-config with a new config file
  terminal           Configure from the terminal
 

RPWAN1#conf t

Command authorization failed.
