02-25-2016 07:58 AM - edited 03-10-2019 11:31 PM
Hello, we have many Cisco switches and routers working with tac_plus unix server. All is fine except we have been tasked to allow certain users into our devices for read only access. This is working however we want to restrict the user from typing enable at the prompt.
Is this even possible? Or is the default behavior to allow this command?
Thank you.
02-25-2016 08:04 AM
In order to restrict users from executing certain commands (such as enable), you will need to configure command authorization on the switches, then configure your TACACS+ server to deny that command.
Javier Henderson
Cisco Systems
02-29-2016 10:08 AM
If I recall, enable isn't a command that can be authorized. If the user has priv-lvl 15, he can use enable (privileged exec mode). Otherwise he can't, unless specifically configured by CLI.
If you wish to allow access to privileged exec mode then you should allow privilege level 15 for the shell profile and then limit using a command authorization set.
Feel free to confirm or contradict this by trial :)
03-02-2016 03:29 AM
Here is how you do it.
1- create an account named "ciscotest"
2- create a group named "test" and assign the following properties:
    # tac_plus group; steps 2 and 3 refer to this group as "test"
    group = test {
        # enable: deny with any (or no) arguments
        cmd = enable { deny .* }
        cmd = show { deny .* }
        cmd = show { permit .* }
        cmd = copy { permit .* }
        cmd = ping { permit .* }
        # configure: deny with any arguments
        cmd = configure { deny .* }
        cmd = disable { permit .* }
        cmd = telnet { permit .* }
        cmd = disconnect { permit .* }
        cmd = where { permit .* }
        cmd = set { permit .* }
        # clear: only permitted when the arguments match "line"
        cmd = clear { permit line }
        cmd = exit { permit .* }
        cmd = debug { permit .* }
    }
3- assign user ciscotest to group test
Now user ciscotest will not be able to get into "enable" mode. When user ciscotest types "enable", they will get a "command not allowed" error.
Easy right?
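To make the first-match evaluation of a group like the one above concrete, here is an added Python model of how a tac_plus command-authorization decision is reached (example code written for this page, not tac_plus source and not the poster's configuration). It assumes the documented tac_plus semantics: the argument text after the command word is searched (not anchored) against each permit/deny regex in order, the first hit decides, a listed command whose arguments match no pattern is denied, and an unlisted command falls back to `default service`, which is deny unless set to permit. The embedded group block is constructed for the example; the repeated `show` clause from the post is left out because this model does not define what tac_plus does with a duplicated cmd clause, and the IOS attribute encoding (cmd / cmd-arg pairs with a trailing <cr>) is not modeled, so the input is the command line as typed.

```python
import re

# Constructed tac_plus-style group block for this example (assumption:
# not the poster's exact text). The duplicate "show" clause is omitted.
GROUP_CONFIG = """
group = test {
    default service = deny
    cmd = enable { deny .* }
    cmd = show { permit .* }
    cmd = copy { permit .* }
    cmd = ping { permit .* }
    cmd = configure { deny .* }
    cmd = disable { permit .* }
    cmd = exit { permit .* }
    cmd = clear { permit line }
}
"""

# "cmd = <name> { ... }" blocks; cmd bodies do not nest, so [^}]* is enough.
CMD_RE = re.compile(r'cmd\s*=\s*(\S+)\s*\{([^}]*)\}')
# permit/deny entries inside a cmd body, in the order written.
RULE_RE = re.compile(r'\b(permit|deny)\s+(\S+)')
DEFAULT_RE = re.compile(r'default\s+service\s*=\s*(permit|deny)')


def parse_group(text):
    """Return (default_permit, {command: [(permit?, compiled regex), ...]})."""
    rules = {}
    for name, body in CMD_RE.findall(text):
        entries = rules.setdefault(name, [])
        for verdict, pattern in RULE_RE.findall(body):
            entries.append((verdict == "permit", re.compile(pattern)))
    m = DEFAULT_RE.search(text)
    default_permit = bool(m and m.group(1) == "permit")
    return default_permit, rules


def authorize(config_text, command_line):
    """Decide a single command line the way the modeled tac_plus rules would.

    Modeled behaviour (assumption, see lead-in):
      - first matching permit/deny pattern for the command wins;
      - a listed command with no matching pattern is denied;
      - an unlisted command gets the group's "default service".
    """
    default_permit, rules = parse_group(config_text)
    parts = command_line.strip().split()
    if not parts:
        return False
    name, args = parts[0], " ".join(parts[1:])
    if name not in rules:
        return default_permit
    for permit, rx in rules[name]:
        # regex search, not full match: ".*" also matches empty args,
        # which is how "cmd = enable { deny .* }" catches a bare "enable".
        if rx.search(args):
            return permit
    return False


if __name__ == "__main__":
    for line in ("enable", "show running-config", "configure terminal",
                 "clear line 2", "clear counters", "reload"):
        print(f"{line:22s} -> {'permit' if authorize(GROUP_CONFIG, line) else 'deny'}")
```

Running the block prints a decision per sample command: the bare `enable` is denied by `deny .*`, `clear line 2` is permitted while `clear counters` is not (the pattern `line` never matches its arguments), and `reload`, which has no cmd clause at all, falls through to the group default.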
03-02-2016 05:18 AM
Why allow any show after denying any show? Seems redundant.
Have you tried this block in tac_plus?
03-02-2016 05:43 AM
Of course,
I've been using it for the past 10 years.
c3945>en
% Access denied
c3945>