Cisco Employee

ACS - configure shell commands authorization to work under config mode (conf t)

Hi everyone,

I'm trying to configure a shell commands set such that all commands (including under conf t mode) will be allowed, except for administrative commands, such as write, copy, admin, format etc.

It's been working for (most) privileged mode commands (such as write and copy) but has been unsuccessful for any command under conf t mode. It's important in order to prevent the users from performing 'do write' and 'do copy run start' commands, for example.

Here's the input of the shell command authorization set (Partial_access):

Unmatched Commands: permit

Command list:

admin

copy

delete

do

format

write

Group settings (relevant):

V - Shell (exec)

V Privilege level - 15

Shell Command Authorization Set

Assign a Shell Command Authorization Set for any network device - Partial_access (group's name)

I'm using CiscoSecure ACS version 4.2 (0)

Thanks,

Lior

Accepted Solutions
Beginner

ACS - configure shell commands authorization to work under confi

Hi Lior,

Please make sure that you typed the following command under the AAA client:

aaa authorization config-commands

Please post your AAA client configuration via "sh run | i aaa" and, if possible, your privilege configuration.

HTH
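
A device-side (AAA client) configuration of the kind the accepted answer refers to, as an added example that is not part of the original thread. The server address, the key placeholder and the use of the default method lists with a `local` fallback are assumptions; only `aaa authorization config-commands` and the privilege level 15 come from the posts.

```ios
! Added example for an IOS AAA client. Address and key are placeholders.
aaa new-model
!
! TACACS+ server definition in legacy syntax (assumed values).
tacacs-server host 192.0.2.10 key <SHARED-SECRET-PLACEHOLDER>
!
aaa authentication login default group tacacs+ local
!
! Exec authorization, so the ACS group setting "Privilege level - 15"
! is applied to the session.
aaa authorization exec default group tacacs+ local
!
! Send level-15 exec commands to ACS, where the Partial_access set
! denies admin, copy, delete, do, format and write and permits the rest.
aaa authorization commands 15 default group tacacs+ local
!
! With only the lines above, the behaviour in the question is what you
! see: exec-mode "write" and "copy" are denied, but commands typed under
! "conf t" are not checked against the command set.
!
! The line from the accepted answer: also submit configuration-mode
! commands for authorization, so the "do" entry in the set takes effect.
aaa authorization config-commands
!
! Check what is actually active, as the answer suggests:
!   show running-config | include aaa
```

After applying it, log in as a member of the restricted group and confirm that `do write` from configuration mode is rejected while an ordinary configuration command is still accepted.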

Cisco Employee

ACS - configure shell commands authorization to work under confi

Hi Hussam,

Thanks a lot! That solved the problem

Lior