TACACS+: How do you limit the 'show ?' output for a user?

Giovanni Ceci
Level 1

Hello,

On my TACACS+ server, I would like to set up a user so that when they do a 'show ?' command, it will only list the commands that they are allowed to do, instead of the entire list. I searched all over and couldn't find any info on this. Does anyone know if this is possible? If so, how do you do it?

Thanks,

neocec

Accepted Solutions

CY1234
Cisco Employee

privilege configure level 5 ip route
privilege exec level 5 configure


aaa new-model
!
!
aaa authentication login t-authen group tacacs+ local
aaa authentication login no-authen none
aaa authorization console
aaa authorization exec t-author group tacacs+
aaa authorization exec no-author none
aaa authorization commands 5 t-author group tacacs+
aaa authorization commands 15 t-author group tacacs+


ACS config:

shell command authorization set

Give name

Add show in the left column and add the show commands you would like to permit in the right column

Go to the user's Advanced TACACS+ settings and set Max priv for any client to 5


Under TACACS+ settings, check the Shell (exec) check box

privilege level 5

Assign the shell command authorization set
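
An added check, not part of the original answer and not Cisco tooling: the answer defines named method lists (t-authen, t-author), and on IOS a named list only takes effect on lines where it is applied. The sketch below reports named lists that are defined but applied nowhere; the `line con 0` and `line vty 0 4` sections in the sample are constructed, and `unapplied_lists` is a hypothetical helper name.

```python
import re

# Constructed sample: the AAA lines from the answer, plus hypothetical
# "line" sections (the answer does not show how the lists are applied).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login t-authen group tacacs+ local
aaa authentication login no-authen none
aaa authorization console
aaa authorization exec t-author group tacacs+
aaa authorization exec no-author none
aaa authorization commands 5 t-author group tacacs+
aaa authorization commands 15 t-author group tacacs+
!
line con 0
 login authentication no-authen
 authorization exec no-author
line vty 0 4
 login authentication t-authen
 authorization exec t-author
 authorization commands 5 t-author
"""

SERVICES = r"(authentication login|authorization exec|authorization commands \d+)"
# Global definition: aaa <service> <list-name> <method> ...
DEFINE = re.compile(r"^aaa " + SERVICES + r" (\S+) \S")
# Per-line application; IOS writes login as "login authentication <list>".
APPLY = re.compile(r"^\s+(login authentication|authorization exec|"
                   r"authorization commands \d+) (\S+)\s*$")

def unapplied_lists(config):
    """Return named method lists that are defined but applied on no line."""
    defined, applied, in_line = set(), set(), False
    for raw in config.splitlines():
        if not raw.startswith(" "):
            in_line = raw.startswith("line ")   # top-level command
        m = DEFINE.match(raw)
        if m and m.group(2) != "default":       # "default" needs no line config
            defined.add((m.group(1), m.group(2)))
        m = APPLY.match(raw)
        if m and in_line:
            service = m.group(1).replace("login authentication",
                                         "authentication login")
            applied.add((service, m.group(2)))
    return sorted(defined - applied)

if __name__ == "__main__":
    for service, name in unapplied_lists(SAMPLE_CONFIG):
        print(f"not applied on any line: {service} {name}")
```

A line without the named list falls back to the `default` list for that service, or to no authorization for it if no default list is defined.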
