Hey guys,
As the title suggests, I'm having some issues getting user groups to work properly. I have seen a lot of discussion suggesting that you run a few AAA commands, assign a user to a group, and then you're on your way, but I have run into nothing but issues with this.
Here are my switch models:
- J9850A
- JL662A
- JL258A
- JL073A
- JL320A
And here are the commands I have run:
aaa authorization commands local
aaa authorization group "TEST-GROUP" 1 match-command "show *" permit
aaa authorization group "TEST-GROUP" 2 match-command "en*" deny
aaa authorization user-role enable <------------------- wasn't sure about this just tried it
aaa authentication login privilege-mode
aaa authentication web login radius local
aaa authentication web enable radius local
aaa authentication local-user "test-usr" group "TEST-GROUP"
I'm only trying to test right now so I can get it down, but what I'm trying to accomplish is to set up a user who has access to do very limited things: can see the show commands, and can enable or disable a port.
I understand that I have enable set to deny, but this doesn't do anything for me; I'm still able to elevate priv using the admin account. My thought was that "test-usr" would be stopped from using anything with "en", but that doesn't seem to be the case.
I can't see all show commands from the initial, unelevated prompt. I even tried to deny all show commands and it's still acting like everything is in a default config.
I don't want to use Manager/Operator because it's not granular enough for what we want to accomplish.
Oh and the user is in the group and the match-commands are showing up in the group as expected.
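As an added illustration (not part of the original post and not the switch's own code), the snippet below parses the `aaa authorization group` rules exactly as typed above and evaluates what each rule would decide for a given command line. It assumes ordered, first-match glob semantics and a configurable default for commands no rule matches; that is a modelling assumption for reasoning about the rule set, not documented switch behaviour. The `parse_rules`, `evaluate` and `audit` names are mine.

```python
import fnmatch
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the rule lines from the post, as they would appear in the config.
SAMPLE_CONFIG = """
aaa authorization commands local
aaa authorization group "TEST-GROUP" 1 match-command "show *" permit
aaa authorization group "TEST-GROUP" 2 match-command "en*" deny
aaa authentication local-user "test-usr" group "TEST-GROUP"
"""

# Only the group rule lines are parsed; everything else in the config is ignored.
RULE_RE = re.compile(
    r'^aaa authorization group "(?P<group>[^"]+)" (?P<seq>\d+) '
    r'match-command "(?P<pattern>[^"]+)" (?P<action>permit|deny)$'
)


@dataclass(frozen=True)
class Rule:
    group: str
    seq: int
    pattern: str
    action: str


def parse_rules(config: str) -> List[Rule]:
    """Extract match-command rules and return them ordered by (group, sequence)."""
    rules: List[Rule] = []
    for line in config.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append(Rule(m["group"], int(m["seq"]), m["pattern"], m["action"]))
    return sorted(rules, key=lambda r: (r.group, r.seq))


def evaluate(command: str, rules: List[Rule], group: str,
             default: str = "deny") -> Tuple[str, Optional[int]]:
    """Return (action, matching sequence number) for one command line.

    Assumption (illustrative model, not documented switch behaviour): rules for the
    user's group are tried in sequence order, the first whose glob matches the full
    command line wins, and an unmatched command gets `default`.
    """
    for r in rules:
        if r.group != group:
            continue
        if fnmatch.fnmatchcase(command, r.pattern):
            return r.action, r.seq
    return default, None


def audit(commands: List[str], rules: List[Rule], group: str,
          default: str = "deny") -> Dict[str, Tuple[str, Optional[int]]]:
    """Evaluate a list of candidate commands so a rule set can be reviewed at a glance."""
    return {c: evaluate(c, rules, group, default) for c in commands}


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_CONFIG)
    # Constructed command lines a limited operator might type.
    for cmd, (action, seq) in audit(
        ["show running-config", "show", "enable", "end", "interface 1 disable"],
        rules, "TEST-GROUP",
    ).items():
        print(f"{cmd!r:30} -> {action} (rule {seq})")
```

Two things the model surfaces about the rules as written: under glob semantics a bare `show` with no argument does not match `"show *"` (the pattern requires the space), and `"en*"` matches every command beginning with `en`, including `end`, not only `enable`. Whether the switch applies the same glob rules is something to confirm against the platform documentation; the script only makes the intended policy explicit so it can be compared with observed behaviour.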