Solved: Re: TACACS+: How do you limit the 'show ?' output for a user?

Giovanni Ceci · ‎08-05-2010

Hello,

On my TACACS+ server, I would like to set up a user so that when they do a 'show ?' command, it will only list the commands that they are allowed to do, instead of the entire list. I searched all over and couldn't find any info on this. Does anyone know if this is possible? If so, how do you do it?

Thanks,

neocec

CY1234 · ‎08-21-2010

privilege configure level 5 ip route
privilege exec level 5 configure

aaa new-model
!
!
aaa authentication login t-authen group tacacs+ local
aaa authentication login no-authen none
aaa authorization console
aaa authorization exec t-author group tacacs+
aaa authorization exec no-author none
aaa authorization commands 5 t-author group tacacs+
aaa authorization commands 15 t-author group tacacs+

ACS config:

shell command authorization set

Give name

Add show on the left column and add the show commands you would like to permit on the right colum

Go to the user Advanced TAcacs settings MAx priv for any client set to 5

Under Tacacs settings Check the Shell (exec) check box

privilege level 5

Assign the shell command authorization set

View solution in original post

CY1234 · ‎08-21-2010