How to restrict user access to Exec shell in CSACS v5.1

gamorr50265
Level 1

Hi;

I am trying to give a user access to a single user mode command on a switch (show interfaces).  I want to deny him from entering Exec mode altogether.  The switch is configured as:

aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated

In CSACS v5.1 the user's shell profile has a default privilege of 1 and a maximum privilege of 1.  His command set permits show interfaces and I explicitly deny Show (no arguments) and Enable (no arguments).  In user mode everything works fine; the user can only execute Show Interfaces.  But, he is able to enter Enable to get to Exec mode, and when in exec mode he can enter any exec-level command (but user level commands are still restricted).

I thought just configuring his maximum privilege at 1 would have worked.  Can anyone help out?

Thanks!  Glenn

1 Accepted Solution

Accepted Solutions

Jagdeep Gambhir
Level 10

Glenn,

You need to put this command:

aaa authorization commands 15 default group tacacs+ if-authenticated

Otherwise the router will not check authorization from ACS. Commands that we issue in enable mode fall in priv 15, so that is why we need this command.

Regards,

~JG

Do rate helpful posts!
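The gap Jagdeep describes, as an added Python example that is not part of the thread: a small audit over a switch's running config that reports which privilege levels have no command-authorization method list and would therefore never be sent to ACS. The sample configs are constructed here (the "before" one mirrors Glenn's two lines; the "after" one adds the line from the answer); the parser assumes only the default method list matters and treats any `group ...` method as an external server.

```python
import re

# Constructed sample configs, not copied from a real device.
# CONFIG_BEFORE reproduces the situation in the question: exec authorization plus
# command authorization for level 1 only.
CONFIG_BEFORE = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
"""

# CONFIG_AFTER adds the line from the accepted answer.
CONFIG_AFTER = CONFIG_BEFORE + (
    "aaa authorization commands 15 default group tacacs+ if-authenticated\n"
)

CMD_AUTHZ_RE = re.compile(r"^aaa authorization commands (\d+) default\s+(.+)$")
EXEC_AUTHZ_RE = re.compile(r"^aaa authorization exec default\s+(.+)$")


def authorized_levels(config):
    """Privilege levels whose default command-authorization list consults an
    external server (a 'group ...' method). Levels without such a line are
    authorized locally by IOS and ACS never sees their commands."""
    levels = set()
    for line in config.splitlines():
        m = CMD_AUTHZ_RE.match(line.strip())
        if m and "group" in m.group(2).split():
            levels.add(int(m.group(1)))
    return levels


def unauthorized_levels(config, wanted=(1, 15)):
    """Levels among `wanted` with no server-backed command authorization.
    A missing 15 is exactly the thread's problem: once the user is in enable
    mode, every level-15 command bypasses the ACS command set."""
    return sorted(set(wanted) - authorized_levels(config))


def audit(config):
    """Summarize the AAA authorization posture of one config."""
    lines = [l.strip() for l in config.splitlines()]
    has_exec = any(EXEC_AUTHZ_RE.match(l) for l in lines)
    gaps = unauthorized_levels(config)
    return {"exec_authz": has_exec, "gaps": gaps, "ok": has_exec and not gaps}


if __name__ == "__main__":
    print("before:", audit(CONFIG_BEFORE))
    print("after: ", audit(CONFIG_AFTER))
```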



Jagdeep;

Thanks, that worked great!
