09-14-2016 07:29 AM - edited 03-11-2019 12:04 AM
We have a service account in our ACS that will need to do a show running-config in our devices and nothing else. I've been trying to have ACS dictate what commands the account can and cannot use but it seems I can't get the system to lock down the user's permissions without having those permissions explicitly defined in a custom privilege level in each device. Which, with hundreds of devices, isn't exactly feasible.
Anyone have any suggestions?
09-14-2016 07:35 AM
This requires configuration on both ACS, and the target devices.
On your routers, switches, etc., configure exec authorization, for example:
aaa authorization exec default group tacacs+ local
On ACS, create a command set, then associate it with the corresponding authorization policy. In the command set, list the commands you wish to allow (in this case "show running-config"), and disallow all other commands (it's a checkbox in the same config screen).
Javier Henderson
Cisco Systems
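As an added illustration (not code from this thread, from ACS, or from Cisco), the Python below models the two halves of the check described above: a command set that permits only "show running-config" with everything else disallowed, and a device configuration that actually asks the TACACS+ server about each command. The matching semantics here (first token is the command, the rest must fully match an argument regex, a matching deny beats a matching permit, `permit_unmatched` standing in for the "permit any command not in the table" checkbox) are this model's assumptions, not ACS's documented algorithm; the IOS config text is constructed for the example. Note that the device only consults the server per command when `aaa authorization commands <level> ...` is present; `aaa authorization exec` alone decides whether the shell starts, not what may be typed in it.

```python
import re
from dataclasses import dataclass
from typing import Tuple

# --- ACS-style command set (simplified model, not ACS's real evaluation code) ---

@dataclass(frozen=True)
class Rule:
    grant: str        # "permit" or "deny"
    command: str      # first token of the command line, e.g. "show"
    arguments: str    # regex the remaining tokens must fully match; "" = no arguments

@dataclass(frozen=True)
class CommandSet:
    rules: Tuple[Rule, ...]
    permit_unmatched: bool = False   # models the "permit any command not in the table" checkbox

def split_command(line: str) -> Tuple[str, str]:
    """Split 'show running-config | include x' into ('show', 'running-config | include x')."""
    tokens = line.strip().split()
    if not tokens:
        return "", ""
    return tokens[0].lower(), " ".join(tokens[1:])

def authorize(line: str, cs: CommandSet) -> str:
    """Return 'permit' or 'deny' for one command line under the given command set."""
    cmd, args = split_command(line)
    if not cmd:
        return "deny"
    matched = [
        r for r in cs.rules
        if r.command.lower() == cmd and re.fullmatch(r.arguments, args, re.IGNORECASE)
    ]
    # Assumed deny precedence: any matching deny rule overrides a matching permit.
    if any(r.grant == "deny" for r in matched):
        return "deny"
    if any(r.grant == "permit" for r in matched):
        return "permit"
    # Nothing matched: the checkbox decides. Leaving it enabled is what turns a
    # "show running-config only" set into "anything goes".
    return "permit" if cs.permit_unmatched else "deny"

# Command set for the service account: show running-config and nothing else.
SHOW_RUN_ONLY = CommandSet(rules=(Rule("permit", "show", r"running-config"),))

# Same rules, but with the "permit unmatched" box left ticked.
LEAKY = CommandSet(rules=SHOW_RUN_ONLY.rules, permit_unmatched=True)

# --- Device side: does the config send each command to TACACS+ at all? ---

COMMANDS_AUTHZ = re.compile(
    r"^aaa authorization commands (\d+) \S+ group tacacs\+", re.MULTILINE
)

def command_authorization_levels(config_text: str) -> Tuple[int, ...]:
    """Privilege levels for which per-command TACACS+ authorization is configured."""
    return tuple(sorted(int(m.group(1)) for m in COMMANDS_AUTHZ.finditer(config_text)))

# Constructed IOS fragments (not from the thread). The first has exec authorization
# only; the second also authorizes every level-1 and level-15 command.
EXEC_ONLY_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
"""

PER_COMMAND_CONFIG = EXEC_ONLY_CONFIG + """\
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
"""

if __name__ == "__main__":
    for line in ("show running-config", "show running-config | include secret",
                 "configure terminal"):
        print(f"{line!r:45} strict={authorize(line, SHOW_RUN_ONLY)} leaky={authorize(line, LEAKY)}")
    print("exec-only config authorizes commands at levels:", command_authorization_levels(EXEC_ONLY_CONFIG))
    print("per-command config authorizes commands at levels:", command_authorization_levels(PER_COMMAND_CONFIG))
```

The piped variant is denied by the strict set because the argument regex must match the whole remainder; widening it (for example to `running-config( \| include .*)?`) is a deliberate choice, not a side effect. The device check returns an empty tuple for the exec-only config, which is the case where the server's command set is never consulted.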
09-14-2016 08:36 AM
Ok, we already have AAA configured in this manner on all devices.
But even after defining explicit commands in the command set I can still log in with the account in question and perform any command I want despite what I told ACS to authorize.
It would seem that ACS is letting the account log in then not dictating what it can or cannot do past that. I've also tried creating a whole new authorization policy specifically for this user account and it didn't make a difference.