
ACS Privilege Level and Command Sets

chrismenuey
Level 1

Hi all,

I've been tasked with setting up ACS 5.6 to be able to authorize MS domain security group members to have specific command access to our equipment. I've got the domain association and groups added, and I have an Access Policy with a rule that is working, so my domain test account can log in to the switch and perform only the commands in my Command Set.

The issue is that when I assign a Shell Profile with privilege level 7 min/max to the rule, and the user logs in with this level, they are unable to see the commands that I've allowed in the Command Set. Is there a way to have ACS tell the IOS to automatically modify the commands visible to a specific privilege level when the user logs in, even though they aren't in that privilege level?

Any help greatly appreciated,

Chris Menuey

1 Accepted Solution

Accepted Solutions

Jatin Katyal
Cisco Employee

Since you're using command authorization and restricting the user to certain commands, why are we using privilege 7 and not 15?

~Jatin


4 Replies 4


It was an attempt to limit the commands visible to the junior technicians, to keep them from being inundated with commands that won't have prevalence to what they need to do: assign access VLAN numbers to ports, use show commands, etc. We were under the assumption that ACS would be able to do this automatically with priv 7 based on the commands we put in the command set. Since it doesn't appear possible, I'll just be using priv 15 and doing additional training to let them know that even though they can see it, doesn't mean they can use it :D

Thanks for the confirmation of this Jatin, help is always appreciated :)

yw! Here is a link to configure command authorization on ACS

~ Jatin


Hi,

I have a similar problem but using user authentication on the TACACS, can't find where to associate the user with a specific profile.