Shell Command(session) Authorization in ACS 4.2

Hi, All~
Our customer is using ACS 4.2.
They would like to restrict the shell command (session) in ACS 4.2.
For example,
MSFC => 'session slot [slot #] processor [processor #]' => Command authorization failed.
Is it possible to deny the shell 'session' command?
Have a nice weekend.
Thanks.
Bruce Lee

Bruce:
If you are running Cisco IOS then yes it is possible.
AFAIK the MSFC runs on 5600 hardware and that runs IOS, so I think it is possible for you.
Look into this example:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
Please rate if useful and let us know if you have any problem with the configuration.
Regards,
Amjad
Rating useful replies is more useful than saying "Thank you"

Similar Messages

  • Cisco Secure ACS 4.2 - Group Setup w/Shell Command Authorization Sets

    Hello All,
    I am trying to create a user so that he can only run the commands I have designated in my "Shell Command Authorization Set". This seems to work great; however, I cannot find anywhere I can "hide" commands they do not have access to. For instance, once the user is logged into the switch they can do a show ? and get a list of commands. I would like to know if there is an option to only display the commands the user has access to in ACS.
    My Steps:
    Created a user in ACS
    Shared Profile Components
    Create Shell Command Authorization Set - "ReadOnly"
    Unmatched Commands - Deny
    Unchecked - Permit Unmatched Arg
    Commands Added
    permit interface
    permit vlan
    permit snmp contact
    permit power inline
    permit version
    permit switch
    permit controllers utilization
    permit env all
    permit snmp location
    permit ip http server status
    permit logging
    Created a group - "GroupTest" with the following
    Configured - Network Access Restrictions (NAR)
    Max Sessions - Unlimited
    Enable Options - No Enable Privilege
    TACACS+ Settings
    Shell (exec)
    Privilege level is checked, with 1 as the assigned level
    Shell Command Authorization Set
    "ReadOnly" - Assign a Shell Command Authorization Set for any network device
    I have configured following on my Router/Switch
    aaa authorization config-commands
    aaa authorization commands 1 default group tacacs+ if-authenticated
    privilege exec level 1 show log
    I have attached below the documentation I have gone over.
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/GrpMgt.html#wp478624

    "you are testing with privilege level 15 or below 15. Because when you are using a below-15 level user, first it will check the local command authorization set. For example, if you want to execute the sh runn command with a level 5 user, first it will check the local command set. If the sh runn command exists in the local command set then it will send the request to ACS. If it is not in the command set, it won't send the request to ACS. That's why you don't see debug. For level 15 users it will directly send the request to ACS. Configure the command set locally and try; it should work.
    Correct me if I am wrong."
    Regards
    Vamsi

  • ACS - Shell Command Authorization Sets

    Hi,
    I have had a problem where a set of users in two groups in ACS are struggling entering commands. The commands are set in the Shell Command Authorization Sets and this hasn't changed. Other commands are working. As this is spanning two groups in ACS I am thinking it's not something with the groups but the command sets themselves.
    Just to check, the commands are 'clear port-security' and 'clear mac address-table' - I have entered in Command 'clear' and the following attributes;
    permit port-security
    permit mac address-table
    I've also ticked 'Permit unmatched args'
    At the same time as this is occurring I have been receiving the following messages from the ACS server via email;
    Test Timed out for service: CSAdmin
    Test Timed out for service: CSAuth
    Test Timed out for service: CSDbSync
    Test Timed out for service: CSLog
    I have looked at other posts and have restarted CSMon.  This then stops the messages for some time, then a day or so later I get the messages again.
    Could this be tied in with the command issue?  Is there something else I should look at other than restarting the server and the CSMon service again?  All other CS' services are running.
    Thanks!!
    Steve

    Thanks for your reply!
    There are no errors, the switch IOS is putting the asterisks as it does when you enter a command that is not recognised, i.e. for clear port-security the port-security onwards is not recognised. On this note, the user is entered into privilege mode and not in configure terminal mode, just base privilege mode. The group in ACS is set to max privilege level 7 and I have also set this on the user account in addition.
    I am using ACS v 4.1.
    While I receive the service messages and also when they go away - I always have the authorisation problem.
    Thanks
    Steve

  • Shell Command Authorization Sets ACS

    Hi, I followed this guide step by step: http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
    but still all my users can use all the commands
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname R3
    boot-start-marker
    boot-end-marker
    aaa new-model
    aaa authentication login milista group tacacs+ local
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 0 default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    aaa session-id common
    memory-size iomem 5
    ip cef
    no ip domain lookup
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    multilink bundle-name authenticated
    username admin privilege 15 secret 5 $1$CS17$3oeNpzTvJAyZTvOUP2qyB1
    archive
    log config
    hidekeys
    interface FastEthernet0/0
    ip address 192.168.20.1 255.255.255.0
    duplex auto
    speed auto
    interface Serial0/0
    no ip address
    shutdown
    clock rate 2000000
    interface FastEthernet0/1
    no ip address
    shutdown
    duplex auto
    speed auto
    interface Serial0/1
    ip address 20.20.20.2 255.255.255.252
    clock rate 2000000
    interface Serial0/2
    no ip address
    shutdown
    clock rate 2000000
    interface Serial0/3
    no ip address
    shutdown
    clock rate 2000000
    router eigrp 1
    network 20.0.0.0
    network 192.168.20.0
    no auto-summary
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    tacacs-server host 192.168.20.2 key cisco
    control-plane
    line con 0
    exec-timeout 0 0
    logging synchronous
    login authentication milista
    line aux 0
    line vty 0 4
    end
    I copied the authorization commands from the Cisco forum and followed the steps, but nothing: all my users have full access to all commands.
    Here's my shared profile:
    name-------------admin jr
    Description---------for jr admin
    unmatched commands------- ()permit  (x)deny
    permit unmatched args ()
    enable
    show -------------------------- permit version<cr>
    permit running-config<cr>
    Then I add this profile to group 2, and then I add my user to group 2.
    Then I log in to the router with the user and I still can use ALL the commands. I don't know what I am doing wrong, any idea?
    Can you give me, if you can, a guide to set up authorization with ACS? I can't find any good guide. Jeremy from CBT gives an example but just for authentication. I am lost; I have been battling with this problem since Wednesday without luck.


  • ACS shell command authorization help

    Hello,
    I wanted to only allow users to use the interface command. But when I permit config terminal in the ACS shell command set, all the commands are allowed. How can I limit the users to only have permission for the interface command?
    Thanks

    Two things could be wrong:
    1) You don't have the following command on your AAA Client:
    aaa authorization config-commands
    2) You have clicked the 'Unmatched Commands' = Permit radio option in ACS, have a look at:
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
    Regards
    Farrukh

  • Specific shell command authorization - ACS/TACACS+ on 2900XL

    Hello all -
    I've been struggling with one particular issue here. I'm running ACS 3.2, and trying to set up secure access to my switches. I have "grad students" from my university that I want to allow to perform specific functions, i.e. change a port's vlan, and write to memory, etc.
    I successfully set up the authorization piece, and my test account can log in. I successfully assign a privilege level of 7 also, which gives me basic look rights by default. Accounting is also working, showing the connections and commands I enter.
    What I want to do is use ACS to enable a specific group of commands, so I can change them if needed in one place (ACS) and not have to touch 400+ devices. ACS says it can do it, but it doesn't seem to work. I created a Shell Command Group and specified the commands, no luck. Even if I modify the "Unmatched commands" toggle to "permit" (which should allow any commands, right?) it still doesn't allow any commands. I added the Shell Command group to the group the students are members of...
    My AAA commands are as follows:
    aaa new-model
    aaa authentication login default local group tacacs+
    aaa authorization exec default local group tacacs+
    aaa authorization commands 7 default group tacacs+
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 7 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    Any ideas? Any thoughts?
    Thanks!
    Michael
    QU.edu

    Hey Steve -
    I tried your recommendation, and it works, kinda. When I turn on that command, after authentication, I get dropped in at Privilege 15 and have full access to commands.
    Unfortunately, this is different than the telnet access in a key way; when I telnet in, I get Priv-15, but I'm restricted on commands I can do based upon ACS authorization of specific commands. When I console in, I have full access to all commands, with no restrictions.
    Additionally, my console access has two level security, with a login password (to Priv-1) and an enable password (to Priv-15). When I use the "Privilege level 15" command, it bypasses the enable password for the local accounts and allows full access with just the login password.
    Maybe I'm asking for too much. (And I appreciate your patience with me!) What I want on the console port is this:
    1. A username prompt
    - this is fine
    2. A password prompt
    - this is fine also
    3. User name & PW are authenticated against ACS
    - this works
    4. If user is a valid ACS user, they should receive Priv-15 rights and be restricted by the commands they are authenticated to use in ACS
    - this does not work. They only receive Priv-15 if I use "privilege level 15", but they are not restricted at all to certain commands. (They _are_ restricted under telnet however.)
    5. If a user is not a valid ACS but a local account exists, the user gets dumped to a Priv-1 prompt, and must enter the enable to get to Priv-15. (This also is how it works under telnet.)
    Sorry if this is really confusing; it's difficult to explain in a forum. I'm basically looking for the same behavior from a console connection as from a telnet connection; I'm not sure why it's so difficult to do...
    Michael

  • ACS Shell Command Authorization Set + restricted Access

    Hi,
    I have tried to create a restricted access Shell Command Authorization Set on ACS as described at the Cisco URL
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
    After I applied the same on a user group I found the users in the group have complete access after typing conf t on the equipment. My ultimate aim was to restrict the access only at interface level. Attached are the config details. Has anyone come across such a scenario? Please check my config and let me know if anything needs to be done, especially from my side.
    Thanks in Advance
    Regards
    Vineeth

    Hi Jatin ,
    First of all, thank you very much. It started working after aaa authorization config-commands.
    Here I was trying to achieve one specific thing.
    I want to stop the following command on ACS: “switchport trunk allowed vlan 103”. I only want to allow “add” after “vlan” and block all the rest of the arguments.
    But even after setting the filter on ACS we are still able to execute the command. Is there anything like we cannot control the commands after the sub-commands?
    Also I am attaching the filter list along with this. Could you have a look at this and let me know whether I have configured something wrongly? Other than this, is there any workaround available to achieve this?
    Thanks and Regards
    Vineeth

  • ACS SE - Shell Command Authorization

    Hi Sir,
    I have deployed an ACS Solution Engine 4.1(1) Build 23 to provide AAA services for routers/switches login.
    I'd like to create a user group that is restricted to only "show" commands when the users log in to the network devices.
    I have done the following steps:
    (1) Shared Profile Components -> Shell Command Authorization Sets
    Added a new set. Call it NOC. I added the command "show". For "Unmatched Commands", I selected Deny. I also checked "Permit Unmatched Args".
    (2) Group Setup.
    Created a new group. Call it NOC. For Enable Options, I selected "Max Privilege for any AAA Client" value of "Level 7".
    For TACACS+ Settings, I checked "Shell (exec)" and set "Privilege level" to 7.
    For Shell Command Authorization Set, I selected NOC for "Assign a Shell Command Authorization Set for any network device".
    (3) User Setup.
    Created a new user. Call it noc. Assign it to group NOC. All parameters point to group setting.
    (4) The AAA commands on the routers/switches are as follows:
    aaa new-model
    aaa authentication login default group tacacs+ local enable
    aaa authorization exec default group tacacs+ local
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    ip tacacs source-interface Loopback0
    tacacs-server host 10.10.10.10 key 0 tacacskey
    When the noc logs in, he's given privilege level 7. True, he's limited to only "show" commands. He can't do "config t". However, he also can't do "show run". Is it normal? I'd need him to be able to do "show run". How to configure the ACS?
    Thank you.
    B.Rgds,
    Lim TS

    Hi Narayan,
    Appreciate your detailed configuration steps.
    My intention is to create a shell command authorization set that allows a user group to only perform "show" commands, including complete config of "sh run". This group is not allowed to configure anything.
    See my original post for my configuration steps. I tied the group to the above authorization set and assigned it Level 7.
    The outcome is, the user can do all "show" commands except "sh run". Of course, he is not authorized for configuration commands.
    I came across the following link:
    http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml
    Perhaps it explains the problem here. If I understand it correctly, a user can't see in the output of "sh run" what he can't configure at his privilege level or below.
    The same issue happens when I configured the following:
    no aaa new-model
    username noc privilege 7 password test
    privilege exec level 7 show
    line vty 0 4
    login local
    The user "noc" can't do "sh run".
    Thank you.
    B.Rgds,
    Lim TS

  • ACS Shell Command Authorization Sets on IOS and ASA/PIX Configuration

    Hi,
    I need to activate a control privileges of users on various devices.
    I found this interesting document:
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
    Using a router with IOS 124-11.XV1 it works normally, while using a switch 2960-24TC with IOS 12.2.25SEE3 it is not working.
    All users (read and full access) land in a non-privileged mode.
    WHY?
    I have an ACS v3.3 build 2
    I have a 2960-24TC with IOS 12.2.25SEE3
    I tried with an ACS v4.1 without success.
    Thanks.

    If you want the user to fall directly into enable mode, then you should have this command:
    aaa authorization exec default group tacacs+ if-authenticated
    Bring users/groups in at level 15
    1. Go to user or group setup in ACS
    2. Drop down to "TACACS+ Settings"
    3. Place a check in "Shell (Exec)"
    4. Place a check in "Privilege level" and enter "15" in the adjacent field
    Regards,
    ~JG

  • ACS Shell Command Authorizations Set

    I have Cisco ACS Server V4.0
    In the Shell Command Authorization Set I configured restricted access.
    In privileged mode the restriction of the commands works well, but when I enter the config prompt the restriction doesn't work. In this prompt I can enter all commands.
    Why is this?

    I have the same error with ACS Server 4.2. I can restrict in privilege mode but global config is wide open. Also any command I block in privilege mode can still be executed in global config using the "do" command. How do I block that, or find out what commands the router is sending to the ACS?

  • ACS 5.3 Shell Command Set

    Hi all,
    Currently I am deploying an ACS 5.3 at a customer site. The issue I face currently is that some command sets are not able to deny. Example like below:
    I want to deny the AD user with privilege level 15 from changing the enable secret password and deleting the enable secret password.
    The commands I issued are below:
    deny enable secret -> working
    deny no enable secret -> not working
    Anyone got an idea to make the non-working argument work?

    Hi there,
    I just did a test in my ACS using your requirements and it worked fine, check below my configuration it may help you:
    I am using the following AAA commands:
    Switch(config)#do sh run | i aaa
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 0 default group tacacs+ if-authenticated
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa session-id common
    Switch(config)#
    Rate if it helps!

  • Command Authorization in ACS 5.0

    Hi,
    Can anybody route me to a configuration example for command authorization in routers or switches or firewalls for ACS 5.0?
    OR
    USER-A should be placed in privilege level 2 and given access to all debug commands and the undebug all command.
    Assigned specified commands to level 2:
    privilege exec level 2 undebug all
    privilege exec all level 2 debug
    The commands I applied on the routers are above. How can I set a privilege level of 2 on a user in ACS 5.0?
    Also, if I want to do a shell command authorization set, how can I do it in ACS 5.0?
    Thanks,

    You need to create a shell profile to assign the desired privilege level, and a command set to authorize specific commands, then associate those two with the authorization policy that applies to those users.

  • IOS XR Command authorization with ACS server

    We have a newly implemented ASR 9010 and are trying to figure out how to best configure it with TACACS, as it is slightly different than IOS.
    In ACS, we have two groups: Group 1 and Group 2
    Group 1 allows full access in the shell command authorization set.
    Group 2 allows limited access in the shell command set (basically just show commands).
    Both groups can login fine (aaa authentication login default group <groupname> local)
    Group 1 has full access to everything (group I am in). 
    Group 2 has NO access to anything (can't even perform show commands).
    Group 2 CAN access other IOS devices and can perform the various show commands.
    With regards to our authorization commands, we currently have it configured as:
    aaa authorization commands default group <groupname> local
    Why is it working for the one group, but not the other?  I've read how IOS XR uses task Ids and other various things that I'm unfamiliar with.  I'm mainly curious if I have to use those, if the authorized commands are configured in ACS.
    Thanks!
    Kyle

    I don't have enough info to give you a full conclusive answer, Kyle, but some suspicions:
    Task group not set right?
    Command groups not defined properly in TACACS for command author.
    If you only want show access, you can just use the task groups in XR with a read permission on any command, for instance. No direct need to send every command down to TACACS (hate that slowness).
    More info here:
    https://supportforums.cisco.com/docs/DOC-15944
    xander

  • Shell command authorization

    Hi all
    I am having a problem with Shell Command Authorization. I have a user setup who I only want to be able to display the config, this is for automated config archival on an hourly basis.
    I have configured the device with the following aaa commands:
    aaa new-model
    aaa group server tacacs+ ACS
    aaa authentication login default group ACS
    aaa authentication login NOAUTH none
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ group ACS
    aaa authorization exec NOAUTH none
    aaa authorization commands 15 default group ACS
    aaa authorization commands 15 NOAUTH none
    aaa accounting commands 15 default start-stop group ACS
    The static account I have configured logs in ok and can show config etc. Access to conf t is disabled which is good but for some reason he can do any show command instead of just show run which is all I have allowed in the Shell command authorization.
    Unmatched commands is set to deny and permit unmatched arguments is unchecked.
    ACS is 3.3(2) and the switch I am testing is running 12.1(9)EA1
    Any ideas?

    Most "show" commands are level 1 commands. You can verify this by logging in as a normal user, issue a "sho priv" to ensure you're at level 1, and then type "sho ip route", "sho ver", etc.; you'll see that all of them work fine.
    Your AAA commands only tell the switch to authorize level 15 commands, so when you do a "sho ver" or the like this command will not be sent off to the ACS server for authorization.
    If you add the following:
    aaa authorization commands 1 default group ACS
    then that should fix it, but be careful because it's easy to lock yourself out of being able to get into enable mode (add "enable" into your command set too).
    You should also have noticed that all those "show" commands weren't being accounted either, because you have also only enabled accounting for level 15 commands.

  • AAA Authorization with ACS Shell-Sets

    Hi all,
    I am using a cisco 871 router running Version 12.4(11)T advanced IP Services.
    I am having trouble getting AAA Authorization to work correctly with ACS.
    I am able to set the users up on ACS fine and assign them shell and priv level 7.
    I then setup a Shell Auth Set, and enter in the commands show and configure.
    When I log in as a user, I get an exec with a priv level of 7 no problems, but I never seem to be able to access global config mode by typing in conf (or configure) terminal or t.
    If I type con? the only command there is connect, configure is never an option...
    The only way I can get this to work is by entering the command:
    privilege exec level 7 configure terminal
    I thought the whole purpose of the ACS Shell Set was to provide this information to the Router?
    This is most frustrating
    The ACS Server is set up with a Shell Command Authorization Set named Level_7
    It is assigned to the relevant groups and I even have the "Unmatched Commands" option selected to "Permit"
    The "Permit Unmatched Args" is also selected.
    See an excerpt of my IOS config below:
    aaa new-model
    aaa group server tacacs+ ACS
    server 10.90.0.11
    aaa authentication login default group ACS local
    aaa authorization exec default group ACS
    aaa authorization commands 7 default group ACS local
    tacacs-server host 10.90.0.11 key cisco
    privilege exec level 7 configure terminal
    privilege exec level 7 configure
    privilege exec level 7 show running-config
    privilege exec level 7 show
    Hope you can help me with this one..
    P.S. I have tried it with the privilege commands on the router and removed from the router and just keep getting the same results!?

    Hi,
    So here it is,
    You are actually using two different options and trying to couple them together. What I would suggest is to either use the Shell command authorization set feature or play with privilege levels, not both mixed together.
    The above scenario might work if you move the commands to privilege level 6 and give the user privilege level 7. It might not; I'm not sure. Give it a try and share the result.
    This is what I suggest: move the commands back to the normal level.
    Below provided are steps to configure shell command authorization:
    Follow the following steps over the router:
    !--- is the desired username
    !--- is the desired password
    !--- we create a local username and password
    !--- in case we are not able to get authenticated via
    !--- our tacacs+ server. To provide a back door.
    username password privilege 15
    !--- To apply aaa model over the router
    aaa new-model
    !--- Following command is to specify our ACS
    !--- server location, where is the
    !--- ip-address of the ACS server. And
    !--- is the key that should be same over the ACS and the router.
    tacacs-server host key
    !--- To get users authentication via ACS, when they try to log-in
    !--- If our router is unable to contact to ACS, then we will use
    !--- our local username & password that we created above. This
    !--- prevents us from locking out.
    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ local
    aaa authorization config-commands
    aaa authorization commands 0 default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    !--- Following commands are for accounting the user's activity,
    !--- when user is logged into the device.
    aaa accounting exec default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    aaa accounting commands 0 default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    Configuration on ACS
    [1] Goto 'Shared Profile Components' -> 'Shell Command Authorization Sets' -> 'Add'
    Provide any name to the set.
    Provide a sufficient description (if required).
    (a) For Full Access administrative set.
    In Unmatched Commands, select 'Permit'
    (b) For Limited Access set.
    In Unmatched commands, select 'Deny'.
    And in the box above the 'Add Command' box type in the main command, and in the box below 'Permit unmatched Args' provide the sub-command to allow.
    For example: if we want the user to be only able to access the following commands:
    login
    logout
    exit
    enable
    disable
    show
    Then the configuration should be:
    ------------------------Permit unmatched Args--
    login permit
    logout permit
    exit permit
    enable permit
    disable permit
    configure permit terminal
    interface permit ethernet
    permit 0
    show permit running-config
    In the above example, the user will be allowed to run only the above commands. If the user tries to execute 'interface ethernet 1', the user will get 'Command authorization failed'.
    [2] Press 'Submit'.
    [3] Goto the group on which we want to apply these command authorization set. Select 'Edit Settings'.
    (cont...)
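The two behaviours the replies describe, the IOS device forwarding a command to TACACS+ only when an 'aaa authorization commands' line exists for that command's own privilege level (the reply about level-1 "show" commands above) and the ACS set's 'Unmatched Commands' / 'Permit Unmatched Args' decision (the steps just above), as an added Python model that is not code from the thread or from Cisco. The default command-level table, the whole-string regex matching of arguments, and the sample config and command sets are constructed assumptions for the demo.

```python
import re

# Assumed default privilege level of the exec keywords used in the demo
# (constructed table; real IOS has many more: 'show' is level 1, while
# configuration and 'clear' commands default to level 15).
DEFAULT_CMD_LEVEL = {"show": 1, "enable": 1, "disable": 1, "exit": 1,
                     "logout": 1, "login": 1, "configure": 15,
                     "interface": 15, "clear": 15}


def parse_ios_aaa(config_text):
    """Extract the command levels sent to AAA and any
    'privilege exec level N <command>' overrides from an IOS config excerpt."""
    aaa_levels, overrides = set(), {}
    for line in config_text.splitlines():
        m = re.match(r"\s*aaa authorization commands (\d+) \S+ group", line)
        if m:
            aaa_levels.add(int(m.group(1)))
        m = re.match(r"\s*privilege exec level (\d+) (.+)", line)
        if m:
            overrides[m.group(2).strip()] = int(m.group(1))
    return aaa_levels, overrides


def command_level(command, overrides):
    """Privilege level of a command: the longest matching 'privilege exec'
    override wins, otherwise the keyword default, otherwise 15."""
    matches = [(len(p), lvl) for p, lvl in overrides.items()
               if command == p or command.startswith(p + " ")]
    if matches:
        return max(matches)[1]
    return DEFAULT_CMD_LEVEL.get(command.split()[0], 15)


def device_sends_to_tacacs(config_text, command):
    """IOS forwards a command to TACACS+ only when an 'aaa authorization
    commands <level>' line exists for that command's own level, which is
    why level-1 'show' commands bypass a 'commands 15'-only config."""
    aaa_levels, overrides = parse_ios_aaa(config_text)
    return command_level(command, overrides) in aaa_levels


def acs_authorize(cmd_set, command):
    """Model of the ACS 4.x shell command authorization set decision.
    cmd_set = (unmatched_commands, {keyword: (permit_unmatched_args,
    [(action, regex), ...])}). Assumed matching: the first word is the
    command, the remaining words are matched as one string against each
    argument pattern in order; no command entry -> 'Unmatched Commands'
    radio button, no argument match -> 'Permit Unmatched Args' checkbox."""
    unmatched_commands, commands = cmd_set
    words = command.split()
    keyword, args = words[0], " ".join(words[1:])
    if keyword not in commands:
        return unmatched_commands == "permit"
    permit_unmatched_args, patterns = commands[keyword]
    for action, pattern in patterns:
        if re.fullmatch(pattern, args):
            return action == "permit"
    return permit_unmatched_args


def outcome(config_text, cmd_set, command, user_level=15):
    """What the operator sees at the prompt, combining both stages."""
    _, overrides = parse_ios_aaa(config_text)
    if user_level < command_level(command, overrides):
        return "not available at this privilege level"
    if not device_sends_to_tacacs(config_text, command):
        return "permitted locally (never sent to ACS)"
    if acs_authorize(cmd_set, command):
        return "permitted by ACS"
    return "Command authorization failed"


# Constructed sample: the archival-user config from the thread, which only
# authorizes level-15 commands, and the same config with the suggested fix.
CONFIG_15_ONLY = """
aaa new-model
aaa authorization commands 15 default group ACS
"""
CONFIG_FIXED = CONFIG_15_ONLY + "aaa authorization commands 1 default group ACS\n"

# ACS set meant to allow nothing but 'show running-config'.
SHOW_RUN_ONLY = ("deny", {"show": (False, [("permit", "running-config")])})
# Same set with 'enable' added, the lock-out caveat from the reply above.
SHOW_RUN_PLUS_ENABLE = ("deny", {"show": (False, [("permit", "running-config")]),
                                 "enable": (True, [])})

if __name__ == "__main__":
    for name, cfg in (("15-only", CONFIG_15_ONLY), ("fixed", CONFIG_FIXED)):
        for cmd in ("show version", "show running-config", "configure terminal"):
            print(f"{name:8} {cmd:22} -> {outcome(cfg, SHOW_RUN_ONLY, cmd)}")
    print("fixed    enable (no entry)      ->", outcome(CONFIG_FIXED, SHOW_RUN_ONLY, "enable"))
    print("fixed    enable (entry added)   ->",
          outcome(CONFIG_FIXED, SHOW_RUN_PLUS_ENABLE, "enable"))
```

Running it shows the three outcomes discussed in the thread: with only 'commands 15' every "show" is permitted locally without ACS ever seeing it, after adding 'commands 1' only 'show running-config' survives the set, and 'enable' is denied until it has its own entry.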
