09-22-2009 09:40 AM - edited 03-10-2019 04:41 PM
Hi !
I am trying to limit the available commands in user mode.... it doesn't work...
Example: I had permitted the show commands for user DSC in my ACS shared profile.
When user DSC telnets to my router, the authentication is validated by the same ACS. At the > prompt the DSC user is able to use all commands available in that mode... all show commands, ping command, etc... In the same session, when I go into privileged mode, only show commands are permitted. Is it possible to limit user mode as well?
Thanks a lot !
09-22-2009 09:55 AM
Hi
You need these commands on the IOS device,
Router(config)# username [username] password [password]
tacacs-server host [ip]
tacacs-server key [key]
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands
B. Bring users/groups in at level 15
1. Go to user or group setup in ACS
2. Drop down to "TACACS+ Settings"
3. Place a check in "Shell (Exec)"
4. Place a check in "Privilege level" and enter "15" in the adjacent field
See the attachment that explains how to set up shell command set.
Note: Giving privilege 15 does not mean that user will be able to execute all commands. Command authorization works over priv level.
=======
For user mode restriction you need this command
aaa authorization commands 0 default group tacacs+ if-authenticated
If you do not want the user to fall directly into enable mode, please uncheck priv 15 in step 4.
Regards,
~JG
Do rate helpful posts
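A quick way to check a router for the gap described in this thread (privileged-mode commands authorized, user-mode commands not) is to audit the running-config for an "aaa authorization commands" line at each privilege level. The script below is an added example, not code from the thread or from Cisco; it parses the text of a running-config, reports which levels (0, 1 and 15) have command authorization, and flags whether the method list falls back to "if-authenticated", which lets authenticated users run commands when every TACACS+ server is unreachable. The two config snippets are constructed for the example: the first mirrors the reply above without the level 0 line, the second adds it.

```python
import re

# Privilege levels that should each have a command-authorization method list:
# 0 and 1 cover user mode (the ">" prompt), 15 covers enable mode.
REQUIRED_LEVELS = (0, 1, 15)

# Matches e.g. "aaa authorization commands 15 default group tacacs+ if-authenticated"
CMD_AUTHZ_RE = re.compile(r"^aaa authorization commands (\d+) (\S+) (.+)$")

# Constructed sample: the reply's configuration before the level 0 line is added.
CONFIG_MISSING_LEVEL0 = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands
tacacs-server host 192.0.2.10
"""

# Constructed sample: same configuration with user-mode (level 0) authorization added.
CONFIG_COMPLETE = CONFIG_MISSING_LEVEL0 + \
    "aaa authorization commands 0 default group tacacs+ if-authenticated\n"


def audit_command_authorization(running_config, levels=REQUIRED_LEVELS):
    """Parse running-config text and report command-authorization coverage.

    Returns a dict with:
      aaa_new_model    - True if "aaa new-model" is present (AAA is enabled at all)
      config_commands  - True if configuration-mode commands are also authorized
      covered_levels   - {level: method list} for every level that has a line
      missing_levels   - levels from `levels` that have no authorization line
      fail_open_levels - levels whose method list ends in "if-authenticated",
                         i.e. commands are allowed when no TACACS+ server answers
    """
    lines = [line.strip() for line in running_config.splitlines()]
    covered = {}
    for line in lines:
        m = CMD_AUTHZ_RE.match(line)
        if m:
            covered[int(m.group(1))] = m.group(3)
    missing = [lvl for lvl in levels if lvl not in covered]
    fail_open = sorted(
        lvl for lvl, methods in covered.items()
        if methods.split()[-1] == "if-authenticated"
    )
    return {
        "aaa_new_model": "aaa new-model" in lines,
        "config_commands": "aaa authorization config-commands" in lines,
        "covered_levels": covered,
        "missing_levels": missing,
        "fail_open_levels": fail_open,
    }


def summarize(running_config):
    """Human-readable one-line verdict for a config, useful in a CLI loop."""
    report = audit_command_authorization(running_config)
    if not report["aaa_new_model"]:
        return "AAA not enabled (no 'aaa new-model')"
    if report["missing_levels"]:
        return "command authorization missing for levels: " + \
            ", ".join(str(l) for l in report["missing_levels"])
    return "command authorization present for levels " + \
        ", ".join(str(l) for l in REQUIRED_LEVELS)


if __name__ == "__main__":
    for name, cfg in (("missing level 0", CONFIG_MISSING_LEVEL0),
                      ("complete", CONFIG_COMPLETE)):
        print(f"{name}: {summarize(cfg)}")
```

Run it against the output of "show running-config | include aaa" from each router; a device that authorizes level 15 but not level 0 reproduces exactly the behaviour in the question. The "fail_open_levels" entry is there so the operator can decide consciously whether the availability trade-off of "if-authenticated" is acceptable for that device.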