Hi Lorenzo, I forgot to CC.

The reason this command fails in this case is that you probably enabled command authorization for levels 0 and/or 1 in addition to level 15. You can either remove it ("no authorization command 0/1 name" in line config mode + "no aaa authorization command 0/1 x") or add the necessary commands to the ACS section. In the first case this user will have access to all level 0 and 1 commands + only the "clear line" from level 15. In the second case only the specified commands will work.

Regards,
--
Piotr Kaluzny
CCIE #25665 (Security), CCSP, CCNP
Sr. Support Engineer - IPexpert, Inc.
URL: http://www.IPexpert.com

On Mon, Feb 8, 2010 at 2:51 AM, Tating, Lorenzo C. Jr. <[email protected]> wrote:

> Hi Piotr,
>
> Thank you for the alternative. I created a usergroup and assigned level-15 to it. Here is the config on ACS:
>
> Unmatched commands: deny
> Command list: clear
> Permit unmatched args (unchecked): permit line
>
> The user can clear the line, but is now not able to do even a simple level 1 command like "show ver".
>
> R3#show privilege
> Command authorization failed.
>
> R3#clear line 0
> [confirm]
> [OK]
> R3#
> R3#show ver
> Command authorization failed.
>
> R3#
> R3#
>
> PS: Do I need to include in the CC list the studylist email or keep this unicast?
>
> Lorenzo C. Tating, Jr.
> Technology Support Specialist
> Service Support Group 1
> Technology Services Division
>
> FUJITSU PHILIPPINES INC.
>
> ------------------------------
> From: Piotr Kaluzny [mailto:[email protected]]
> Sent: Friday, February 05, 2010 6:11 PM
> To: Tating, Lorenzo C. Jr.
> Subject: Re: [OSL | CCIE_Security] Shell Command Authorization inconsistency in IOS
>
> Lorenzo,
>
> This is a 15-level command, which means it will not be accessible on level 14 unless you move it there with the "privilege exec level" command, as you described. What you configure under the ACS Authorization section applies only to the privilege levels pointed for authorization on the routers, but it does not change the level the command itself is accessible on. The alternative to this is to create two 15-level users, one with access to all commands and the other who could only access the "clear line" command (and anything else you think fit). Then you would not have to move the command with the "privilege" statement.
>
> Regards,
> --
> Piotr Kaluzny
> CCIE #25665 (Security), CCSP, CCNP
> Sr. Support Engineer - IPexpert, Inc.
> URL: http://www.IPexpert.com
>
> On Fri, Feb 5, 2010 at 10:23 AM, Tating, Lorenzo C. Jr. <[email protected]> wrote:
>
>> I am trying to do Shell Command Authorization on my routers using Tacacs.
>>
>> I have one user that I place under privilege level 14. I want a level 15 command (clear line) to be used by that user. Using the "privilege exec level 14 clear line" works, but I need to implement it on ACS to save me time from having to enter the command over and over again on many routers. But I noticed that once my user logged in under privilege level 14 (Tacacs Setting, Privilege Level = 14), the Command Authorization. I cannot bring the "clear line" command to that level. I tried using this on ASA and it works; it just seems the router won't allow bringing a level 15 command down to level 14 without manually configuring "privilege exec level 14 clear line".
>>
>> ACS config:
>> Per Group Command Authorization
>> Unmatched Cisco IOS commands
>> (deny)
>>
>> [check] Command:
>> clear
>>
>> Arguments:
>> (none)
>>
>> Unlisted arguments:
>> permit
>>
>> Any help will be appreciated.
>>
>> Sincerely,
>> Lorenz
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>>
>
> --
> Piotr Kaluzny
> CCIE #25665 (Security), CCSP, CCNP
> Sr. Support Engineer - IPexpert, Inc.
> URL: http://www.IPexpert.com
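The two decisions the thread turns on are easy to confuse: the IOS parser first checks whether the command exists at the user's privilege level at all, and only afterwards, and only for the levels listed in "aaa authorization commands <level> ..." (and "authorization commands <level> ..." on the line), does it ask the TACACS+ server. The following model, an added example that is not code from this thread, from Cisco, or from ACS, replays Lorenzo's two situations and both of Piotr's fixes against that two-step logic. Assumptions, marked in the code: a tiny table of default command privilege levels, that IOS sends the command to ACS with keywords expanded (so "show ver" is matched as "show version"), and the exact wording of the result strings. The "deny running-config" argument entry in fix B goes beyond the thread to show how an ACS argument pattern narrows a permitted keyword.

```python
"""Model of how IOS decides whether an EXEC command runs when TACACS+ command
authorization (Cisco ACS, per-group shell command authorization) is enabled.

Added example, not code from the thread or from Cisco. Assumed, not taken from
the page: the command level table below, the expanded-keyword matching, and
the exact result strings.
"""
import re
from dataclasses import dataclass, field

# Assumed default privilege levels for the few commands used here.
# Anything not listed is treated as a level-15 command.
DEFAULT_COMMAND_LEVELS = {
    "show version": 1,
    "show privilege": 1,
    "clear line": 15,
    "configure terminal": 15,
}


@dataclass
class AcsCommandRule:
    """One row of the ACS 'Command list': an ordered list of (action, regex)
    argument entries plus the 'Unlisted arguments' action."""
    args: list = field(default_factory=list)
    unlisted_args: str = "deny"


@dataclass
class AcsGroupPolicy:
    """Per-group shell command authorization as configured in ACS."""
    unmatched_commands: str = "deny"
    rules: dict = field(default_factory=dict)   # first keyword -> AcsCommandRule

    def authorize(self, command: str) -> bool:
        keyword, _, arguments = command.partition(" ")
        rule = self.rules.get(keyword)
        if rule is None:
            return self.unmatched_commands == "permit"
        for action, pattern in rule.args:
            if re.search(pattern, arguments):
                return action == "permit"
        return rule.unlisted_args == "permit"


@dataclass
class IosRouter:
    """Router side: local command levels plus the set of levels that are sent
    to TACACS+ ('aaa authorization commands <level> ...' applied on the line)."""
    policy: AcsGroupPolicy
    authorized_levels: set = field(default_factory=set)
    command_levels: dict = field(default_factory=lambda: dict(DEFAULT_COMMAND_LEVELS))

    def privilege_exec_level(self, level: int, command: str) -> None:
        """'privilege exec level <level> <command>' moves a command to <level>."""
        self.command_levels[command] = level

    def level_of(self, command: str) -> int:
        # Longest keyword-prefix match; unknown commands default to level 15.
        words = command.split()
        for n in range(len(words), 0, -1):
            lvl = self.command_levels.get(" ".join(words[:n]))
            if lvl is not None:
                return lvl
        return 15

    def execute(self, user_level: int, command: str) -> str:
        level = self.level_of(command)
        # 1. The parser only knows commands at or below the user's level; a
        #    command above it is rejected before any TACACS+ request is made.
        if level > user_level:
            return "% Invalid input detected"
        # 2. Only levels listed under 'aaa authorization commands' are checked
        #    with the server; every other level runs with no server check.
        if level in self.authorized_levels and not self.policy.authorize(command):
            return "Command authorization failed."
        return "OK"


def run_scenarios() -> dict:
    """Replay the thread: Feb 5 problem, Feb 8 problem, then both fixes."""
    # ACS group as posted: unmatched commands deny, "clear" with no argument
    # entries and unlisted arguments permit.
    posted_policy = AcsGroupPolicy(rules={"clear": AcsCommandRule(unlisted_args="permit")})
    results = {}

    # Feb 5: level-14 user, authorization only for level 15. "clear line"
    # never reaches ACS; the parser rejects it first.
    r = IosRouter(posted_policy, {15})
    results["l14_clear_no_privilege_cmd"] = r.execute(14, "clear line 0")

    # Same router after 'privilege exec level 14 clear line'.
    r.privilege_exec_level(14, "clear line")
    results["l14_clear_with_privilege_cmd"] = r.execute(14, "clear line 0")

    # Feb 8: level-15 user, but command authorization enabled for level 1 too.
    r = IosRouter(posted_policy, {1, 15})
    results["l15_clear_auth_1_15"] = r.execute(15, "clear line 0")
    results["l15_show_auth_1_15"] = r.execute(15, "show version")

    # Fix A: drop command authorization for level 1, keep only level 15.
    r = IosRouter(posted_policy, {15})
    results["fixA_show"] = r.execute(15, "show version")
    results["fixA_conf_t"] = r.execute(15, "configure terminal")

    # Fix B: keep 1 and 15, add "show" to the group (all arguments permitted
    # except a constructed "deny running-config" entry).
    policy_b = AcsGroupPolicy(rules={
        "clear": AcsCommandRule(unlisted_args="permit"),
        "show": AcsCommandRule(args=[("deny", r"^running-config")], unlisted_args="permit"),
    })
    r = IosRouter(policy_b, {1, 15})
    results["fixB_show"] = r.execute(15, "show version")
    results["fixB_show_run"] = r.execute(15, "show running-config")
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:32} {outcome}")
```

Run it and the Feb 8 case comes out exactly as Lorenzo saw it: "clear line 0" is OK while "show version" fails, because level 1 is on the authorized list and "show" is not in the ACS command list. Fix A makes "show version" succeed without ever asking ACS, and fix B makes it succeed because ACS now permits it, which is the trade-off Piotr describes: with fix A the user gets every level 0 and 1 command, with fix B only what the group lists.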
