02-02-2016 05:58 PM
For routers which are acting as console servers, we've currently configured the following autocommand menu:
line vty 0 4
 access-class vty-access in
 exec-timeout 60 0
 authorization exec vtymethod
 logging synchronous
 login authentication vtymethod
 autocommand menu mgmt
 transport input all
However, this causes issues with management systems which expect just an enable '#' prompt. Is there a way to configure the router to selectively not run the 'autocommand menu mgmt' based on username (the usernames that are being used by the management stations)?
Thanks,
John
02-03-2016 12:30 AM
I have not tried this, but what about putting the autocommand on the users, not the lines? For example:
username <username> autocommand menu mgmt
Then just don't put the autocommand on the users who you want to have "normal" access.
You may need an "aaa authorization" command or similar to allow this. Not sure.
02-03-2016 06:12 AM
The issue is that we have around 150+ users who would need to have that individual command added, but just 5 applications that don't need the menu. It would be nice if there was an override for those 5 application users. And we do use TACACS+ with 'aaa authorization'.
02-03-2016 10:35 AM
Aha! If you are using TACACS+ you can probably create a group and a profile, and automatically add it when those 150 users log in.
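One way to lay this out on the router side, as an added example that is not from any of the posters in this thread: it assumes the thread's existing vty-access ACL, the vtymethod method lists, the mgmt menu and a TACACS+ server group are already defined, and it shows the per-user shell attribute (autocmd, a standard Cisco IOS TACACS+ AV pair) that the server-side profile would return for the menu group, with the ACS-specific configuration left out.

```cisco
! Added example, not the thread's own config. Assumes ACL vty-access,
! the vtymethod method lists, "menu mgmt" and a TACACS+ server group
! already exist; username secrets are omitted.
!
! 1) Keep the vty lines free of the autocommand so nothing is forced on
!    every session; the menu is selected per user instead.
line vty 0 4
 access-class vty-access in
 exec-timeout 60 0
 authorization exec vtymethod
 logging synchronous
 login authentication vtymethod
 transport input all
!
! 2) Exec authorization comes from TACACS+ (local fallback), so the
!    server's per-user shell attributes are applied at login.
aaa authorization exec vtymethod group tacacs+ local
!
! 3) Local fallback accounts follow the same split: an operator account
!    gets the menu, an application account gets a plain exec prompt.
username ops-user autocommand menu mgmt
username app-poller privilege 15
!
! 4) On the TACACS+ server, the profile applied to the 150-user group
!    returns the shell attribute below; the 5 application accounts go in
!    a profile that omits it. Shown as the AV pair the router expects
!    (server-side syntax varies by product):
!    service=shell  autocmd=menu mgmt
```

Sessions for the application accounts can be checked with "show users" on the router: they should sit at the exec prompt rather than inside the menu.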
02-03-2016 12:58 PM
I thought that might be the answer. Now I would like to see if there are hints on how to set up this type of profile in Cisco's ACS product. We already have the AD groups set up and tied to our aaa authorization profile. We would just need to know how to pass that autocommand menu option upon console server login.
02-03-2016 01:32 PM
I'm not sure how to do that. It might be best to move this thread into the Security/AAA forum.