Deny commands in cisco (config) mode

[Alexandru1982]

Hi, Is it possible to deny commands after entering conf mode on cisco? Does do_auth.ini allow this? So far i can use "command_deny" only for "conf term" and not for commands available in config mode.

Ex : How do i deny, let's say, #conf t, #(config) interface.* ?

[jathanism]

Hey, there and sorry about the ridiculously long reply. If this is even still relevant to you:

• Yes, by setting priv-lvl=15 this forces auto-enable/superuser on Cisco IOS* devices.
• For command_deny patterns, you need them to be regular expressions that match the command "root" and any arguments e.g. "interface .*".

Do you want to actually disallow entering config mode? If so you could use a lower privilege level like 1.

See: https://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/13860-PRIV.html