I am trying to deny the show tech-support command using Cisco Secure ACS command authorization sets (picture included). All other deny commands are working (i.e. show running-config), but no matter what I do the show tech is unsuccessful. Any ideas?
jg - I am testing and I think you have it wrong. What I find is that if the TACACS server becomes unavailable an authenticated user has access to any commands. See for yourself.

02:16:01: tty1 AAA/AUTHOR/CMD (3085690506): Port='tty1' list='' service=CM...
So are you saying that the if-authenticated keyword essentially bypasses command authorization and as long as a user is able to authenticate they can use all commands?
BINGO!!! That was it. Thanks ansalaza.

I had the following commands:

aaa authorization exec default group TACACS_ADMIN local if-authenticated
aaa authorization commands 15 default group TACACS_ADMIN if-authenticated

but not

aaa authorization commands 0 de...
JG,

No hits on the failed attempts. There is no output from the debug when issuing the show tech. However, check out the attached xls which shows the actual commands that are being sent after issuing the show tech. If I issue those commands separately (s...
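Pulling together the two findings above (the missing low-privilege command authorization lists and the behaviour of the if-authenticated fallback), here is an added before/after IOS configuration. It is an illustration, not posted by anyone in this thread; TACACS_ADMIN is the group name from the posts, while the server address and key are placeholders.

```cisco
! Added illustration, not from any poster in this thread.
! 192.0.2.10 and PLACEHOLDER_KEY are placeholders for the real ACS server.
aaa new-model
tacacs-server host 192.0.2.10 key PLACEHOLDER_KEY
aaa group server tacacs+ TACACS_ADMIN
 server 192.0.2.10
!
! --- Before: only privilege-15 commands are ever sent to ACS ----------
! IOS executes "show tech-support" as a series of individual show
! commands, and some of those are issued at a lower privilege level.
! With only a "commands 15" list, those requests never reach ACS, so
! the ACS deny on "show tech" never fires even though a direct
! "show running-config" is denied as expected.
aaa authorization exec default group TACACS_ADMIN local if-authenticated
aaa authorization commands 15 default group TACACS_ADMIN if-authenticated
!
! --- After: command authorization at every level IOS uses ------------
! Cisco's guidance is to cover levels 0, 1 and 15, because the shell
! issues commands at all three; the thread found level 0 was the gap.
aaa authorization exec default group TACACS_ADMIN local if-authenticated
aaa authorization commands 0 default group TACACS_ADMIN if-authenticated
aaa authorization commands 1 default group TACACS_ADMIN if-authenticated
aaa authorization commands 15 default group TACACS_ADMIN if-authenticated
!
! Caveat (the point made by jg above): "if-authenticated" is the
! fallback method. It is consulted only when the TACACS_ADMIN group
! returns an error (server down or unreachable), not when ACS answers
! with a deny. When it is consulted, it permits every command to any
! already-authenticated user, so server availability should be
! monitored and command accounting kept on.
aaa accounting commands 15 default start-stop group TACACS_ADMIN
!
! Check: see exactly which cmd= / cmd-arg= requests a "show tech" turns
! into, which is what the ACS command set has to match:
!   debug aaa authorization
```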