Hi all,
I have already set up a Cisco Secure ACS 3.3 on a Windows 2000 server. Right now it authenticates the user and group to gain access to routers and switches. However, I have a problem making authorization work with shell commands. This is what I have:
In switch:
aaa authorization exec authz group tacacs+ local
…
line vty 0 4
authorization exec authz
login authentication aaa
In Cisco Secure ACS 3.3:
User setup -> test user ->
Advanced TACACS+ Settings: “CHECK MARK” in the following:
Max Privilege for any AAA Client = level 15,
Use Cisco Secure PAP Password
TACACS+ Settings: “CHECK MARK” in the following:
Shell (exec)
Assign a Shell Command … = test command.
Share profile components -> Shell Command Authorization sets -> test command ->
Unmatched Commands = Permit (I tried using Deny but it still does not work)
Left textbox = write. Right textbox = permit erase
Permit Unmatched Args = “UNCHECK”
In general, I tried to deny this test user from running write erase on the switch. But whether I put Permit or Deny in Unmatched Commands, this user is still able to run write erase after getting into enable mode. Any suggestions or opinions are appreciated; thanks in advance.
SL
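For reference, the distinction the post turns on is between exec authorization and command authorization in Cisco IOS: `aaa authorization exec` only asks the TACACS+ server whether the user may start an exec shell (and at what privilege level), while per-command checks such as blocking `write erase` are only sent to the server when `aaa authorization commands <level>` is configured globally and applied to the line. The following is an added example written for this page, not the poster's configuration and not taken from Cisco or ACS documentation; the server address 192.0.2.10 and the shared-secret placeholder are constructed, and the method-list name `authz` and the line/login names are reused from the post. The accounting line is included so that every level-15 command the user runs is logged on the ACS server, which gives an audit trail for verifying that the authorization set is being consulted.

```cisco
! Constructed example: full AAA configuration for TACACS+ command authorization
aaa new-model
! TACACS+ server (192.0.2.10 is a documentation address; replace the key with your own)
tacacs-server host 192.0.2.10
tacacs-server key <SHARED-SECRET-PLACEHOLDER>
!
! Login authentication against TACACS+, falling back to the local database
aaa authentication login aaa group tacacs+ local
! Exec authorization: governs only whether a shell is started and at which level
aaa authorization exec authz group tacacs+ local
! Command authorization: each command at the given privilege level is sent to
! the server; without these lines the ACS shell command set is never consulted
aaa authorization commands 1 authz group tacacs+ local
aaa authorization commands 15 authz group tacacs+ local
! Command accounting: record every level-15 command on the server for audit
aaa accounting commands 15 default start-stop group tacacs+
!
line vty 0 4
 login authentication aaa
 authorization exec authz
 ! Apply command authorization to the line as well; the global statement alone
 ! does not cover vty sessions unless the list is named "default"
 authorization commands 1 authz
 authorization commands 15 authz
```

After applying this, `debug aaa authorization` (or `debug tacacs`) on the switch shows an authorization request for each command the user types, which is the quickest way to confirm that the ACS command authorization set is actually being evaluated rather than bypassed.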