Occasional Contributor II

Anyone else know what wildcards are permitted in the commands argument section of CPPM/TACACS?

What I currently have doesn't work. You can see in the picture I tried to deny access to interface gigabitethernet 1/0/21 through 25. I've tried ? and * and 1/0/[21-25]. I'm hoping to not have to enter every interface to allow or disallow access to, including vlan interfaces.

Pic to show where I'm at. [image: cppm.jpg]

MVP

Re: Anyone else know what wildcards are permitted in the commands argument section of CPPM/TACACS?

Have you tried:

gigabitethernet 1/0/2[1-5]

This would be a standard pattern match.

David
ACDX #98 | ACMP | ACCP
Occasional Contributor II

Re: Anyone else know what wildcards are permitted in the commands argument section of CPPM/TACACS?

Just tried it and it doesn't work. Adding just gigabitethernet 1/0/21 works. As soon as wildcards are in place it fails.

[image: nopecppm.jpg]

New Contributor

Re: Anyone else know what wildcards are permitted in the commands argument section of CPPM/TACACS?

It would be nice to have Aruba provide a more detailed example/instructions on how to configure command authorization.
Occasional Contributor II

Re: Anyone else know what wildcards are permitted in the commands argument section of CPPM/TACACS?

Agreed.  I've had a TAC case open since yesterday and had my SE onsite and still haven't had this one question answered. 

 

¯\(°_o)/¯

Occasional Contributor II

Re: Anyone else know what wildcards are permitted in the commands argument section of CPPM/TACACS?

OK, with a little help from some Aruba friends I was able to get this working.

 

Cisco switch side must have:

! send configuration-mode commands to the authorization server as well, not just exec commands
aaa authorization config-commands
! authorize privilege-level 1 and 15 commands against TACACS+ (CPPM), falling back to "none"
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none

Keep in mind that, depending on the command you want to restrict, you may need all commands 1 - 15 in your Cisco config.

 

CPPM

In your enforcement profile

selected service = shell

privilege level = 15

 

In your commands tab

service type = shell

Check "Enable" to permit unmatched commands.

Click Add:

command = show

argument = version

Leave the rest at default, click Save, and test.

 

*edit* Forgot to mention the wildcards.

The wildcard is .* (period star).

So GigabitEthernet 1/0/.* covers all ports on switch 1.
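Added example (not from the thread, and not Aruba's or CPPM's own code): a small Python simulation of the argument matching described in the post above. It assumes CPPM evaluates the argument field as a regular expression anchored over the whole argument string (the thread confirms `.*` as the wildcard, which is regex syntax), ignores case, and takes the first matching entry; it also simplifies the real TACACS+ exchange, where the switch sends the command and each argument as separate fields, by joining them with spaces. The rule set and interface names are constructed for the example. It checks every pattern tried in the thread against a sample interface so you can see which ones match and why.

```python
import re

# Constructed sample ruleset (added example; not CPPM's own data).
# Each entry: (command, argument regex, action). First match wins in this model.
SAMPLE_RULES = [
    ("show", r"version", "permit"),
    ("interface", r"GigabitEthernet 1/0/2[1-5]", "deny"),   # ports 21-25 denied
    ("interface", r"GigabitEthernet 1/0/.*", "permit"),     # every other port on switch 1
]


def pattern_matches(arg_pattern, argument):
    """Anchored, case-insensitive regex match of the argument field.
    Returns True/False, or None if the pattern is not a valid regex.
    Assumption: CPPM anchors the expression over the whole argument string."""
    try:
        return re.fullmatch(arg_pattern, argument, re.IGNORECASE) is not None
    except re.error:
        return None


def authorize(command_line, rules=SAMPLE_RULES, permit_unmatched=True):
    """Decide permit/deny for one CLI line the way the thread's configuration
    behaves: walk the entries for that command, first regex match wins, and
    fall back to the 'permit unmatched commands' setting when nothing matches."""
    command, _, argument = command_line.strip().partition(" ")
    for rule_command, arg_pattern, action in rules:
        if rule_command.lower() != command.lower():
            continue
        if pattern_matches(arg_pattern, argument):
            return action
    return "permit" if permit_unmatched else "deny"


def compare_wildcard_attempts(interface="GigabitEthernet 1/0/21"):
    """Evaluate the patterns tried in the thread as regexes against one
    interface name. Returns {pattern: True/False/None}."""
    attempts = [
        r"GigabitEthernet 1/0/*",        # '*' repeats the preceding '/', it is not 'any text'
        r"GigabitEthernet 1/0/?",        # '?' only makes the preceding '/' optional
        r"GigabitEthernet 1/0/[21-25]",  # character class {1,2,5}: matches exactly ONE char
        r"GigabitEthernet 1/0/2[1-5]",   # '2' then one of 1-5: ports 21..25
        r"GigabitEthernet 1/0/.*",       # the working wildcard: any trailing text
    ]
    return {p: pattern_matches(p, interface) for p in attempts}


if __name__ == "__main__":
    for line in ["show version", "interface GigabitEthernet 1/0/21",
                 "interface GigabitEthernet 1/0/26", "interface Vlan 10"]:
        print(f"{line!r:40} -> {authorize(line)}")
    for pattern, result in compare_wildcard_attempts().items():
        print(f"{pattern!r:40} -> {result}")
```

Two caveats on the working configuration are worth keeping in mind. "Permit unmatched commands" makes the policy default-allow: anything without an explicit deny entry goes through, so in this model the deny entries must be listed before a broad `1/0/.*` permit. And the trailing `none` in `aaa authorization commands 15 default group tacacs+ none` is a fallback method: if no TACACS+ server answers, the switch performs no command authorization at all, which is a deliberate fail-open trade-off against locking yourself out.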
