859 Views, 0 Helpful, 2 Replies

Restrict commands with ACS

pj0503311 (Level 1)

We have a service account in our ACS that will need to do a show running-config on our devices and nothing else. I've been trying to have ACS dictate what commands the account can and cannot use, but it seems I can't get the system to lock down the user's permissions without having those permissions explicitly defined in a custom privilege level on each device, which, with hundreds of devices, isn't exactly feasible.

Anyone have any suggestions?

2 Replies

This requires configuration on both ACS, and the target devices.

On your routers, switches, etc., configure exec authorization, for example:

aaa authorization exec default group tacacs+ local

On ACS, create a command set, then associate it with the corresponding authorization policy. In the command set, list the commands you wish to allow (in this case "show running-config"), and disallow all other commands (it's a checkbox in the same config screen).

Javier Henderson

Cisco Systems
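The device-side configuration that goes with the reply above, as an added example (it is not from the original thread and not Cisco documentation). The point it shows: on IOS, "aaa authorization exec" is consulted once, at login, and only decides whether the user gets an exec shell and at which privilege level. Per-command checks against an ACS command set only happen when "aaa authorization commands <level>" is configured for the privilege level the user lands at. Server names, addresses, the group name and the shared secret are placeholders.

```cisco
! Added example, not from the thread. Names, addresses and the key are placeholders.
aaa new-model
!
tacacs server ACS-1
 address ipv4 192.0.2.10
 key PLACEHOLDER-SHARED-SECRET
!
aaa group server tacacs+ ACS-GROUP
 server name ACS-1
!
aaa authentication login default group ACS-GROUP local
!
! Exec authorization: asked once at login. Returns the shell profile
! (privilege level). By itself it does NOT restrict individual commands.
aaa authorization exec default group ACS-GROUP local
!
! Command authorization: each command typed at these privilege levels is
! sent to ACS and matched against the command set. Both levels are listed
! because the account may land at level 1 or level 15 depending on the
! shell profile ACS returns. "local" is only the fallback when ACS is
! unreachable; "if-authenticated" is the other common choice.
aaa authorization commands 1 default group ACS-GROUP local
aaa authorization commands 15 default group ACS-GROUP local
!
! Without this, commands entered in configuration mode are not checked.
aaa authorization config-commands
!
! Console lines are exempt from authorization unless this is set.
aaa authorization console
!
! Record what was permitted and denied, so a lockdown can be verified.
aaa accounting commands 15 default start-stop group ACS-GROUP
aaa accounting commands 1 default start-stop group ACS-GROUP
!
! The "default" method lists apply to all lines automatically; listing
! them on the vty lines is only needed if named lists are used instead.
line vty 0 4
 authorization exec default
 authorization commands 1 default
 authorization commands 15 default
 accounting commands 1 default
 accounting commands 15 default
```

Two things to check on the ACS side once the device is configured this way. First, "show running-config" requires privilege 15 by default, so the shell profile returned to this account should grant level 15 and the command set, not a lower privilege level, is what narrows it to that one command (permit "show" with argument "running-config", and leave "permit any command that is not in the table" unchecked). Second, the authorization policy in the Device Admin access service must match this account and return both the shell profile and the command set. To confirm the device is actually asking, run "debug aaa authorization" on a test device while the account enters a command: a command authorization request to ACS should appear for every command, not only at login.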

Ok, we already have AAA configured in this manner on all devices.

But even after defining explicit commands in the command set I can still log in with the account in question and perform any command I want despite what I told ACS to authorize.

It would seem that ACS is letting the account log in then not dictating what it can or cannot do past that. I've also tried creating a whole new authorization policy specifically for this user account and it didn't make a difference.