aaa authorization console

Hello

I want to configure aaa authorization with TACACS+ for console logins, but in the Cisco documentation I found the following line: "Note: authorization is bypassed for authenticated users who log in via the console line, even if authorization has been configured." ??? So there is no way to configure authorization for console logins, right?

THX

Larry

Hi Larry,

Some additional info, maybe that's what you are experiencing.

Console port authorization was not added as a feature until bug CSCdi82030 was implemented. Console port authorization is disabled by default to reduce the likelihood of being accidentally locked out of the router. If a user has physical access to the router through the console, console port authorization is not very effective. However, on images in which bug ID CSCdi82030 has been implemented, console port authorization can be turned on under line con 0 with the hidden command aaa authorization console.

You can get specific information about a bug ID by using the Bug Toolkit and related tools and utilities.

Thank you

Christophe

Tags: Cisco Security

Similar Questions

  • aaa authorization console command

    Hello

    I don't really understand the need for the command "aaa authorization console".

    In fact we often set up these lines, which I thought already applied by default to the VTYs, console, etc.:

    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated

    Am I wrong? Or do these lines only apply to the VTY lines?

    Thank you in advance

    In Cisco IOS, by default authorization is not applied on the console. When you configure aaa authorization, it is applied to the vty but not to the console. Basically, it is to make it harder to lock yourself out of the router or switch. If you want authorization to apply on the console then you must explicitly configure it (and be very, very careful that it is configured correctly, or you can wind up being locked out of the router; think especially about how it will work when you can't reach the external aaa server that normally makes the authorization decision).

    HTH

    Rick
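
A practitioner reading Rick's warning would want a way to check a configuration before turning on `aaa authorization console`. The following Python script is added here and is not taken from the thread or from Cisco: it parses an IOS-style running config and reports each method list the console depends on that has no method usable while the TACACS+/RADIUS server is unreachable. The `RISKY` and `SAFE` configurations and the `OFFLINE` set of methods are the example's own constructions; `RISKY` deliberately mirrors the server-only lists posted in the "lockout on the router" thread further down.

```python
"""Lint a Cisco IOS config for AAA method lists that strand the operator when
the TACACS+/RADIUS server is unreachable. Added example (not Cisco's or the
posters' code); the configs at the bottom are constructed for illustration."""

# Methods IOS can satisfy without an answer from an external AAA server.
OFFLINE = {"local", "local-case", "if-authenticated", "none", "enable", "line"}


def split_methods(tokens):
    """['group', 'tacacs+', 'local'] -> ['group tacacs+', 'local']."""
    out, i = [], 0
    while i < len(tokens):
        step = 2 if tokens[i] == "group" and i + 1 < len(tokens) else 1
        out.append(" ".join(tokens[i:i + step]))
        i += step
    return out


def parse_config(text):
    """Collect the aaa method lists, the console line's list references and
    the usernames. Sub-commands carry the one-space indent IOS prints."""
    cfg = {"new_model": False, "authz_console": False, "login": {}, "enable": {},
           "exec": {}, "commands": {}, "console": {}, "usernames": set()}
    in_console = False
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("!"):
            continue
        if raw.startswith(" "):                      # sub-command of the current block
            if in_console and tok[:2] == ["login", "authentication"]:
                cfg["console"]["login"] = tok[2]
            elif in_console and tok[:2] == ["authorization", "exec"]:
                cfg["console"]["exec"] = tok[2]
            continue
        in_console = tok[:2] == ["line", "con"]
        head = " ".join(tok[:3])
        if head == "aaa new-model":
            cfg["new_model"] = True
        elif head == "aaa authorization console":   # the hidden command from the thread
            cfg["authz_console"] = True
        elif head == "aaa authentication login":
            cfg["login"][tok[3]] = split_methods(tok[4:])
        elif head == "aaa authentication enable":
            cfg["enable"][tok[3]] = split_methods(tok[4:])
        elif head == "aaa authorization exec":
            cfg["exec"][tok[3]] = split_methods(tok[4:])
        elif head == "aaa authorization commands":
            cfg["commands"][(tok[3], tok[4])] = split_methods(tok[5:])
        elif tok[0] == "username":
            cfg["usernames"].add(tok[1])
    return cfg


def lint(text):
    """Return one finding per method list the console depends on that has no
    method usable while the AAA server is down, plus a missing-username check."""
    cfg = parse_config(text)
    findings, used = [], []
    if not cfg["new_model"]:
        return findings                              # method lists are not in effect

    def check(methods, label):
        if methods is None:
            findings.append(f"{label} is referenced but not defined")
            return []
        if not OFFLINE & set(methods):
            findings.append(f"{label} ({' '.join(methods)}) has no method that works "
                            "while the AAA server is unreachable")
        return methods

    # Login authentication applies to the console as soon as aaa new-model is on.
    login = cfg["console"].get("login", "default")
    used += check(cfg["login"].get(login), f"console login list '{login}'")
    if cfg["enable"]:                                # enable authentication only uses 'default'
        used += check(cfg["enable"].get("default"), "enable authentication list 'default'")
    if cfg["authz_console"]:                         # exec authz reaches the console only then
        ex = cfg["console"].get("exec", "default")
        used += check(cfg["exec"].get(ex), f"console exec authorization list '{ex}'")
    for (level, name), methods in cfg["commands"].items():   # applies on the vtys regardless
        used += check(methods, f"level-{level} command authorization list '{name}'")
    if any(m.startswith("local") for m in used) and not cfg["usernames"]:
        findings.append("a 'local' fallback is configured but no username exists")
    return findings


# Constructed configs. RISKY mirrors the lockout thread: every list points at the
# server only, and aaa authorization console is on.
RISKY = """\
aaa new-model
aaa authentication login fCONSOLE group radius
aaa authentication enable default group radius
aaa authorization console
aaa authorization exec fCONSOLE group radius
!
username mark privilege 15 secret 5 $1$constructed$hash
!
line con 0
 authorization exec fCONSOLE
 login authentication fCONSOLE
"""

SAFE = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ local
!
username admin privilege 15 secret 5 $1$constructed$hash
!
line con 0
 logging synchronous
"""
```

Running `lint(RISKY)` yields three findings (console login, enable authentication and console exec authorization, all pointing at the server alone), while `lint(SAFE)` yields none because every list ends in a method the router can evaluate on its own. The script reads the same `show running-config` text the posters pasted, so it can be run against a device's saved config before `aaa authorization console` is added.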

  • Need help with AAA configuration

    I am trying to configure AAA on my network devices. I use TACACS+ with an ACS (3.2) server. I have set up two user groups in the ACS, one with enable privileges and the other without. I am able to get the AAA configuration to work when telnetting into the devices. However, when connecting on the console port, the users in the group with enable privileges do not go directly into enable mode as the telnetted users do. How do I solve this problem?

    Hello

    You should use the following command:

    aaa authorization console

    This command is not displayed in the help.

    Kind regards

    Vivek

  • Console TACACS question

    Hello

    I just put TACACS on some IOS devices. I'm only using a default group that is configured to provide privilege level 15. As I use the same default group on the vty and console I would expect access by the two methods to be the same, but when I telnet in I get the level-15 # prompt directly, whereas when I console in I always get prompted for the enable secret.

    All ideas

    Regards

    Chris Ayres

    Chris

    You have found a behavior that Cisco has had for a long time (and probably for good reason). TACACS authentication/authorization that puts someone directly into privileged mode works on the vty and does not work on the console by default.

    The reasoning is that if you make a mistake in the authentication/authorization configuration (very easy to do, especially if your understanding of what you are doing is a little weak), it would be easy to lock yourself out of the device. By default it works on the vty and does not work on the console (providing a way to recover from problems). There is a hidden command that allows you to have it working on the console as well (be very careful that your config works correctly before you activate it on the console).

    If you want it, try this:

    aaa authorization console

    HTH

    Rick

  • lockout on the router (aaa new-model)

    So here I am again... I need help. I can now log in to my router, which is authenticated through a remote ACS; my problem is when I run the command 'disable' from privileged mode: when I try to get back into privileged mode it asks me for a password, I try all the passwords, but I am rejected, so I'm locked out. See the attachment so that you understand what I mean... Thanks in advance

    and here is my router config:

    !
    version 12.4
    !
    service password-encryption
    !
    hostname R1
    !
    aaa new-model
    !
    aaa authentication login fCONSOLE group radius
    aaa authentication enable default group radius
    aaa authorization console
    aaa authorization config-commands
    aaa authorization exec fCONSOLE group radius
    !
    aaa session-id common
    !
    username mark privilege 15 password 7 110418171C
    username anthony password 7 050A081B29434010
    !
    interface Loopback1
     ip address 1.1.1.1 255.255.255.255
    !
    interface FastEthernet0/0
     ip address 192.168.5.1 255.255.255.248
     duplex auto
     speed auto
    !
    interface FastEthernet0/1
     ip address 10.10.10.1 255.255.255.252
     duplex auto
     speed auto
    !
    router eigrp 100
     network 1.1.1.1 0.0.0.0
     network 10.10.10.0 0.0.0.3
     network 192.168.5.0 0.0.0.7
     no auto-summary
    !
    ip radius source-interface FastEthernet0/1
    !
    radius-server host 172.16.178.3 auth-port 1645 acct-port 1646 key 7 0519570C285F4D06
    !
    control-plane
    !
    line con 0
     exec-timeout 0 0
     authorization exec fCONSOLE
     logging synchronous
     login authentication fCONSOLE
    line aux 0
    line vty 0 4
     transport input telnet

    Oh... Great to hear that your problem is resolved... Google is always the godfather!

    Bye

    Knockaert

  • No AAA authentication for switch

    I'm puzzled by my question. I have one switch out of 9 that cannot authenticate with our TACACS server. The configuration is the same as on every other switch, but when I try to log in using the TACACS+ account, access is denied. This is the AAA/TACACS configuration on the switch.

    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authorization console
    aaa authorization exec default group tacacs+ local

    tacacs-server host X.X.33.XX
    tacacs-server key 7 ?

    I deleted the aaa configuration and then reconfigured it, as well as the TACACS server information, and still no TACACS authentication. I set the interface TACACS should use, but same result. Any ideas?

    Thank you

    Robert

    Robert,

    Please make sure of the following:

    - The TACACS server is reachable from the switch and port 49 is not blocked.

    - If it is a layer 3 switch, then make sure to configure "ip tacacs source-interface XXXX" (the interface whose IP is configured on the TACACS server).

    - Check the secret key.

    If the problem is still there then please get:

    debug aaa authentication
    debug tacacs

    Kind regards

    ~ JG

  • AAA authentication and privilege-mode

    I want to configure aaa authentication with local user accounts on the switch. The idea is to land directly in privileged mode without the enable command.

    I have configured the following commands:

    aaa new-model
    aaa authentication login default local

    What other (authorization) commands are necessary to get into privileged mode?

    Thank you

    Pascal

    Dear Sir

    For the console you must issue one more command.

    There is a hidden command within IOS that you will need to apply: "aaa authorization console".

    That should fix it.

    Kind regards

    ~ JG

    Please rate useful posts.

  • IOS SSH AAA help!

    Hi all

    I have this config:

    aaa authentication login default local line enable
    aaa authorization console
    aaa authorization exec default local
    aaa authorization network default local

    line vty 0 4
     password Gr834!
     transport preferred ssh
     transport input ssh
     transport output ssh

    Then I create the username "admin" with privilege 15. But I cannot connect over SSH with this username and password. I have already generated a key on the router.

    any ideas would be much appreciated.

    Thank you

    Alex

    Try this:

    username cisco password cisco
    enable secret cisco
    ip domain-name nsp.org
    crypto key generate rsa modulus 1024
    ip ssh version 2
    line vty 0 4
     transport input all
     exit

  • Failed authorization

    Nice day.

    I have a problem with TACACS+ authorization.

    config:

    aaa group server tacacs+ TACACS-GDP
     server-private 10.0.255.18 single-connection key 123
     ip vrf forwarding mgmt
     ip tacacs source-interface FastEthernet0/2/0
    !
    aaa authentication login default local group TACACS-GDP
    aaa authentication enable default group TACACS-GDP enable
    aaa authorization console
    aaa authorization config-commands
    aaa authorization exec default local group TACACS-GDP
    aaa authorization commands 15 default local group TACACS-GDP
    aaa authorization network default local group TACACS-GDP
    aaa accounting exec default start-stop group TACACS-GDP
    aaa accounting commands 15 default start-stop group TACACS-GDP

    Debug:

    TPLUS(000002FC)/0/READ: read entire 12 header bytes (expect 16 bytes)
    TPLUS(000002FC)/0/READ: read entire 28 bytes response
    TPLUS(000002FC)/0/15D4A80C: Processing the reply packet
    TPLUS: Received authen response status GET_PASSWORD (8)
    TPLUS(000002FC)/0/NB: started 120 sec timeout
    TPLUS: Queuing AAA Authentication request 764 for processing
    TPLUS: processing authentication continue request id 764
    TPLUS: Authentication continue packet generated for 764
    TPLUS(000002FC)/0/NB: timer cancelled
    TPLUS(000002FC)/0/WRITE/15D4A80C: Started 5 sec timeout
    TPLUS(000002FC)/0/WRITE: wrote entire 24 bytes request
    TPLUS(000002FC)/0/READ: read entire 12 header bytes (expect 6 bytes)
    TPLUS(000002FC)/0/READ: read entire 18 bytes response
    TPLUS(000002FC)/0/15D4A80C: Processing the reply packet
    TPLUS: Received authen response status PASS (2)
    TPLUS: Queuing AAA Authorization request 764 for processing
    TPLUS: processing authorization request id 764
    TPLUS: Protocol set to None .....Skipping
    TPLUS: Sending AV service=shell
    TPLUS: Sending AV cmd*
    TPLUS: Authorization request created for 764(ingener)
    TPLUS: using previously set server 10.0.255.18 from group TACACS-GDP
    TPLUS(000002FC)/0/IDLE/15D4A80C: got immediate connect on new 0
    TPLUS(000002FC)/0/WRITE/15D4A80C: Started 5 sec timeout
    TPLUS(000002FC)/0/WRITE: wrote entire 64 bytes request
    TPLUS: Error reading pkt header, aborting single-connect
    TPLUS(000002FC)/0/15D4A80C: Processing the reply packet
    TPLUS: Received invalid client info in reply

    And another question:

    Why are all the usernames in upper case?

    username ADMIN privilege 15 secret *

    You can try without single-connection:

    aaa group server tacacs+ TACACS-GDP
     server-private 10.0.255.18 key 123

    ~ BR
    Jatin kone

    * Please rate useful posts *

  • AAA authentication problems

    Hello

    When I use the aaa commands below and attempt to authenticate, I am able to authenticate with TACACS+, but then when I do "sh run" I get the message "Command authorization failed." Please advise.

    Test-Switch#sh run
    Command authorization failed.

    aaa new-model
    aaa authentication login NETWORK_ACCESS group tacacs+ local enable
    aaa authentication enable default group tacacs+ enable

    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ none

    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+

    tacacs-server host <ip> key <string>

    line vty 0 4
     transport input telnet ssh
     login authentication NETWORK_ACCESS
     exec-timeout 10

    BUT as soon as I changed the aaa configuration to the one below, I am able to run sh run as usual without any error.

    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication login no_tacacs local
    aaa authentication enable default none
    aaa authentication login default group tacacs+ line
    aaa authentication login no_tacacs line
    aaa authorization console
    aaa authorization exec default group tacacs+ local if-authenticated
    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization exec no_tacacs local if-authenticated
    aaa authorization commands 0 no_tacacs none
    aaa authorization commands 1 no_tacacs none
    aaa authorization commands 15 no_tacacs none
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting commands 0 default stop-only group tacacs+
    aaa session-id common

    Please advise, thank you. It's urgent.

    To approach the issue from a slightly different angle: your original set of commands instructs the router to send an authorization request to TACACS for every level-15 command, which includes show run. Your TACACS server was not configured to allow your user to do show run, and so your attempt to show run was rejected.

    Your revised set of commands does not send authorization requests to TACACS for level-15 commands (or for any other class of commands, for that matter), and so there is no issue with show run.

    As far as I can tell, your revised set of commands does not do any command authorization. You can achieve this result just as easily (and with fewer complications in your configuration) if you simply delete the aaa authorization commands lines from your config.

    HTH

    Rick

  • Moving from local authentication to AAA on 100s of production network devices

    Hello

    I'm looking to migrate 100s of devices from local authentication to AAA. I have the code I need to apply, but I can't think of a way to automate this process.

    If I connect to a switch using the local username, I can then add the AAA config in global configuration mode:

    aaa authentication login TACACS_LOCAL group TACACS_SERVERS local
    aaa authorization console
    aaa authorization config-commands
    aaa authorization exec TACACS_LOCAL group TACACS_SERVERS local
    aaa authorization commands 0 TACACS_LOCAL group TACACS_SERVERS local
    aaa authorization commands 1 TACACS_LOCAL group TACACS_SERVERS local
    aaa authorization commands 15 TACACS_LOCAL group TACACS_SERVERS local
    aaa accounting exec TAC start-stop group TACACS_SERVERS
    aaa accounting commands 0 TAC stop-only group TACACS_SERVERS
    aaa accounting commands 1 TAC start-stop group TACACS_SERVERS
    aaa accounting commands 15 TAC stop-only group TACACS_SERVERS

    However, once I add the config for the line, authorization then comes into play (as I am logged in as a local user) and rejects any command entered, so I then need to log in again using an AAA account and apply this code:

    line vty 0 4
     authorization commands 0 TACACS_LOCAL
     authorization commands 1 TACACS_LOCAL
     authorization commands 15 TACACS_LOCAL
     authorization exec TACACS_LOCAL
     accounting commands 0 TAC
     accounting commands 1 TAC
     accounting commands 15 TAC
     accounting exec TAC
     login authentication TACACS_LOCAL

    I wanted to know if someone has come up with a way to apply the code in a single shot? I would ideally like to automate this process using CiscoWorks; however, I don't see any way apart from adding this code to the startup config and rebooting anyway...

    Thank you very much

    LON

    LMS generally uses TFTP to deploy the configuration to devices, so the user should not be a problem.

    Go to Configuration -> Template Center -> Import

    You can import a configuration from one of your devices by selecting it. When the configuration is retrieved, you can remove the parts of the configuration you don't need and paste the aaa authentication into the window.

    Then click Next.

    Here you can preselect the devices you want to deploy to, and then click Next.

    If no configuration is displayed, click Next.

    Type the required information in the fields. Click Finish.

    I recommend creating a template for the removal of the aaa configuration, but be aware that when you type just "no aaa new-model" the configuration is not 100% removed: as soon as you type "aaa new-model" again you have the old configuration merged with the new. You have to negate all your aaa commands, followed by "no aaa new-model". (This cost me about 2 hours to figure out.)

    The next step is to deploy the config to a test device.

    Go to Configuration -> Template Center -> Deploy

    Select your template, and then click Next.

    Select your device -> click Next.

    If you do not want to configure any settings, click Next.

    You can add a few additional configurations if you want; click Next.

    Schedule your deployment, and then click Finish.

    Look for problems during the deployment; if everything worked you can log in to the device with your TACACS credentials.

    If there are problems with your template, export it and open it with an XML editor of your choice, change the template, import it, and try again.

    I've attached an example template.

    Good luck

    Alex

  • AAA authentication not working and the 'default' method list

    Guys,

    I hope someone can help me with this AAA problem. I copied the configuration and debugs below. The router keeps using the local username/password even though the ACS servers are reachable and functional. From the debug, it seems it keeps using the method list 'default', ignoring the TACACS config. Any help will be appreciated.

    Config

    **********************************

    aaa new-model
    !
    username admin privilege 15 secret 5 xxxxxxxxxx
    !
    aaa authentication login default group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization console
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    aaa authorization reverse-access default group tacacs+ local
    aaa accounting commands 0 default stop-only group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    !
    aaa session-id common
    !
    tacacs-server host x.x.x.x
    tacacs-server host x.x.x.x
    tacacs-server host x.x.x.x
    tacacs-server host x.x.x.x
    tacacs-server directed-request
    tacacs-server key 7 0006140E54xxxxxxxxxx
    !
    ip tacacs source-interface Vlan200

    ***************************

    Debugs

    002344: Dec 5 01:36:03.087 ICT: AAA/BIND(00000022): Bind i/f
    002345: Dec 5 01:36:03.087 ICT: AAA/AUTHEN/LOGIN (00000022): Pick method list 'default'
    002346: Dec 5 01:36:11.080 ICT: AAA/AUTHEN/LOGIN (00000022): Pick method list 'default'
    core01#
    002347: Dec 5 01:36:59.404 ICT: AAA: parse name=tty0 idb type=-1 tty=-1
    002348: Dec 5 01:36:59.404 ICT: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
    002349: Dec 5 01:36:59.404 ICT: AAA/MEMORY: create_user (0x6526934) user='admin' ruser='core01' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
    002350: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Port='tty0' list='' service=CMD
    002351: Dec 5 01:36:59.404 ICT: AAA/AUTHOR/CMD: tty0 (2162495688) user='admin'
    002352: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV service=shell
    002353: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV cmd=configure
    002354: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV cmd-arg=terminal
    002355: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV cmd-arg=<cr>
    002356: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): found list 'default'
    002357: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Method=tacacs+ (tacacs+)
    002358: Dec 5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): user=admin
    002359: Dec 5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): send AV service=shell
    002360: Dec 5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): send AV cmd=configure
    002361: Dec 5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): send AV cmd-arg=terminal
    002362: Dec 5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): send AV cmd-arg=<cr>
    Enter configuration commands, one per line.  End with CNTL/Z.
    core01(config)#
    002363: Dec 5 01:37:04.261 ICT: AAA/AUTHOR (2162495688): Post authorization status = ERROR
    002364: Dec 5 01:37:04.261 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Method=LOCAL
    002365: Dec 5 01:37:04.261 ICT: AAA/AUTHOR (2162495688): Post authorization status = PASS_ADD
    002366: Dec 5 01:37:04.261 ICT: AAA/MEMORY: free_user (0x6526934) user='admin' ruser='core01' port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=15
    core01(config)#

    Are the TACACS+ servers reachable using source vlan 200? Also, on the TACACS+ server can you check whether the IP address for this device is configured correctly, and please also check that the key on the server matches the one on this device.

    As Rick suggested, "sh tacacs" would be good as well. That would show the failures and the successes.

    HTH

    Kishore

  • Role-based CLI views with AAA method

    Hello

    I'm configuring role-based CLI views on a router to limit access for users.

    My criteria:

    - There should be a local user account on the router that has the 'service' view attached

    - If the router is online and can reach the radius server, people in the right group are assigned the 'service' view.

    My configuration:

    aaa new-model
    enable secret 1234
    username service view service secret 1234
    !
    aaa group server radius my_radius
     server-private 10.1.1.1 auth-port 1645 acct-port 1646 timeout 3 retransmit 2 key 0 1234
     server-private 10.1.1.2 auth-port 1645 acct-port 1646 timeout 2 retransmit 1 key 0 1234
    !
    aaa authorization console
    aaa authentication login mgmt group my_radius local
    aaa authorization exec mgmt group my_radius local
    !
    line con 0
     authorization exec mgmt
     logging synchronous
     login authentication mgmt
    line vty 0 4
     authorization exec mgmt
     logging synchronous
     login authentication mgmt
     transport input ssh

    THE ERROR

    Now, I want to go and set up the CLI view "service"...

    # enable view

    Password: 1234

    *Jun 1 08:00:02.991: AAA/AUTHEN/VIEW (0000000D): Pick method list 'mgmt'
    *Jun 1 08:00:02.991: RADIUS/ENCODE(0000000D): ask "Password: "
    *Jun 1 08:00:02.991: RADIUS/ENCODE(0000000D): send packet; GET_PASSWORD
    *Jun 1 08:00:21.011: RADIUS: Received from id 1645/13 10.1.1.1:1645, Access-Reject, len 20

    Questions

    Why does "enable view" try to pick a method list when you need to provide the enable secret to access the root view?

    Can you change this behavior to always use the enable secret?

    The TEMPORARY solution

    If you are connected to the router via telnet or SSH, the solution or workaround for this problem is:

    aaa authentication login VIEW_CONFG local
    !
    line vty 0 4
     login authentication VIEW_CONFG

    Make your view configuration and then reconfigure the line to use the correct (desired) authentication method.

    ________________________________

    Thanks a lot for the suggestions

    / ENTOMOLOGIST

    Hello

    You have configured the following:

    aaa authentication login mgmt group my_radius local
    aaa authorization exec mgmt group my_radius local

    line con 0
     authorization exec mgmt
     logging synchronous
     login authentication mgmt
    line vty 0 4
     authorization exec mgmt
     logging synchronous
     login authentication mgmt
     transport input ssh

    So every time you try to connect to the console or via ssh, authentication will go to the radius server because of the command "login authentication mgmt".

    You can get there. Whatever is set first on the method list mgmt will take precedence.

    The enable secret is defined locally, but you have configured the following:

    aaa authorization exec mgmt group my_radius local

    line con 0
     authorization exec mgmt

    line vty 0 4
     authorization exec mgmt

    So exec mode is also via the radius server.

    When you set up:

    aaa authentication login VIEW_CONFG local
    !
    line vty 0 4
     login authentication VIEW_CONFG

    you do local authentication, so it works the way you want.

    In short, whatever authentication is set first in the method list will take priority; the fallback will be checked only if the 1st aaa server is not accessible.

    I hope this helps.

    Kind regards

    Anisha
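
The "Command authorization failed" case above (a `group tacacs+ none` list whose server answered FAIL), the debug that goes ERROR -> LOCAL -> PASS_ADD, and Anisha's point that the fallback is only consulted when the first server is not reachable all come down to one rule of IOS method lists: a method that answers FAIL ends the evaluation, and only ERROR moves on to the next method. The following Python model is added here and is not part of any post; it replays those cases. The server behaviours, the `Request` type and the users are constructed for the example, and `local` is simplified to a username lookup (real IOS local command authorization is a privilege-level check).

```python
"""Model of how IOS walks an AAA method list (PASS / FAIL / ERROR).
Added example, not from any of the posts; the server behaviours and users
below are constructed. Real IOS 'local' command authorization is a privilege-
level check rather than a username lookup; this model simplifies that."""
from dataclasses import dataclass

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


@dataclass
class Request:
    user: str
    authenticated: bool    # has login authentication already succeeded?
    action: str            # "login", "exec" or "cmd:<command line>"


def evaluate(method_list, request, servers, local_users):
    """Try the methods in order. Only ERROR (no usable answer from the server
    group) moves on to the next method; PASS or FAIL from any method is final.
    Returns (result, trace) with trace = [(method, result), ...]."""
    trace = []
    for method in method_list:
        if method.startswith("group "):
            handler = servers.get(method[len("group "):])
            result = handler(request) if handler else ERROR
        elif method in ("local", "local-case"):
            result = PASS if request.user in local_users else FAIL
        elif method == "if-authenticated":
            result = PASS if request.authenticated else FAIL
        elif method == "none":
            result = PASS
        else:
            raise ValueError(f"method {method!r} is not modelled here")
        trace.append((method, result))
        if result != ERROR:
            return result, trace
    return FAIL, trace        # every method errored: IOS denies the request


# Constructed server behaviours.
def unreachable(_request):
    return ERROR              # timeout or no route to the server


def rejects(_request):
    return FAIL               # server answers, and says no (Access-Reject / FAIL)


def permits_all_but_show_run(request):
    return FAIL if request.action == "cmd:show running-config" else PASS


def command_authz_server_denies():
    """'aaa authorization commands 15 default group tacacs+ none' with the server
    up: the FAIL is final and 'none' is never reached -> Command authorization failed."""
    req = Request("admin", True, "cmd:show running-config")
    return evaluate(["group tacacs+", "none"], req, {"tacacs+": permits_all_but_show_run}, {"admin"})


def command_authz_server_down():
    """Same list with the server unreachable: ERROR falls through to 'none'."""
    req = Request("admin", True, "cmd:show running-config")
    return evaluate(["group tacacs+", "none"], req, {"tacacs+": unreachable}, {"admin"})


def command_authz_local_fallback():
    """'group tacacs+ local' with the server down: the ERROR -> LOCAL -> PASS
    sequence seen in the 'configure terminal' debug in the thread above."""
    req = Request("admin", True, "cmd:configure terminal")
    return evaluate(["group tacacs+", "local"], req, {"tacacs+": unreachable}, {"admin"})


def login_rejected_no_local_fallback():
    """'aaa authentication login mgmt group my_radius local' and the server sends
    Access-Reject: that is a FAIL, so the local database is never tried."""
    req = Request("service", False, "login")
    return evaluate(["group my_radius", "local"], req, {"my_radius": rejects}, {"service"})


def login_server_down_local_fallback():
    """Same list, server unreachable: local user 'service' gets in."""
    req = Request("service", False, "login")
    return evaluate(["group my_radius", "local"], req, {"my_radius": unreachable}, {"service"})


if __name__ == "__main__":
    for fn in (command_authz_server_denies, command_authz_server_down, command_authz_local_fallback,
               login_rejected_no_local_fallback, login_server_down_local_fallback):
        print(f"{fn.__name__}: {fn()}")
```

The practical consequence for the threads above: a trailing `local` or `none` is a safety net for a dead server, not a way to override a server that is up and saying no, so a user the ACS rejects stays rejected even with `local` at the end of the list, while removing the `aaa authorization commands` line (as Rick suggested) is what actually stops the router from asking the server about each command.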

    P.S.: Please mark this thread as answered if you feel that your query is resolved. Rate useful posts.

  • Changing TACACS servers

    We have added a new server running 5.2, moving from 3.3.

    Will I lose router access when I remove the old server IP info and AAA commands? The router is out of state and I don't want to lose access while making these changes.

    Example config:

    Old router TACACS config:

    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication login console_line local
    aaa authorization console
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization commands 0 default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    !
    aaa session-id common
    ip tacacs source-interface Loopback0
    tacacs-server host 10.1.1.31
    tacacs-server host 10.2.1.9
    tacacs-server directed-request
    tacacs-server key 7 0835185A5C1053051D080717

    New router TACACS configuration (current):

    aaa new-model
    !
    aaa group server tacacs+ TTI_ACS_GROUP
     server 10.1.1.253
     server 10.1.1.252
     ip tacacs source-interface GigabitEthernet0/0
    !
    aaa authentication login default group TTI_ACS_GROUP
    aaa authentication enable default group TTI_ACS_GROUP
    aaa authorization exec default group TTI_ACS_GROUP if-authenticated
    !
    ip tacacs source-interface Loopback0
    tacacs-server host 10.1.1.253
    tacacs-server host 10.1.1.252
    tacacs-server directed-request
    tacacs-server key t4t5i6rocks

    Thank you!

    -Nick C.

    We upgraded some time ago from ACS 4.2 to 5.3. I kept the router config pretty much the same and had the same TACACS server key for all, so I just added the new TACACS server hosts to the existing server configuration and then switched off the old server; everything was good.

    Don't forget, if you are worried about losing the connection, then "reload in 005" is always good to do before making any changes, so if you put in a config that isn't liked and you lose the connection, the router will reload and, as the config was not saved, will come back up with the working config.

  • TACACS+: how to limit the output of "show ?" for a user?

    Hello

    On my TACACS+ server, I would like to configure a user so that when they do a "show ?" command, it lists only the commands they are allowed to run, instead of the entire list. I searched everywhere and couldn't find any info on this. Does anyone know if this is possible? If so, how do you go about it?

    Thank you

    neocec

    privilege configure level 5 ip route
    privilege exec level 5 configure

    aaa new-model
    !
    !
    aaa authentication login t-authen group tacacs+ local
    aaa authentication login no-authen none
    aaa authorization console
    aaa authorization exec t-author group tacacs+
    aaa authorization exec no-author none
    aaa authorization commands 5 t-author group tacacs+
    aaa authorization commands 15 t-author group tacacs+

    ACS config:

    Shell Command Authorization Set

    Give it a name

    Add "show" in the left column and add the show commands that you want to allow in the right column

    Go to the user's Advanced TACACS+ Settings and set Max Privilege for any AAA client to 5

    Under TACACS+ Settings,
    check Shell (exec)

    Privilege level 5

    Assign the shell command authorization set
