Occasional Contributor II

TACACS Command Authorization/Restriction

I am using ClearPass to authorize commands on Cisco devices per AD group.  For the read-only group, I am putting the user into priv 15 and then permitting/denying the specific shell commands.  This way I do not have to configure separate privilege levels on each of the Cisco devices.  I would like users in the read-only group to be able to "clear counters" on interfaces but NOT allow them to "clear IP <anything>".  I have tried creating what I thought would work (pasted below) but it will not allow me to specify an interface after the "counters" argument.  Is there a wildcard entry that I can add that would solve my problem?

[Screenshot: Screen Shot 2016-01-20 at 2.23.12 PM.png]

Joseph Slawinski :: Mobility Architect
CCNP, ACMP, ACCP, CWNA
MVP

Re: TACACS Command Authorization/Restriction

Have you tried re-structuring the commands as below:

[Screenshot: Capture.JPG]

David
ACDX #98 | ACMP | ACCP
Occasional Contributor II

Re: TACACS Command Authorization/Restriction

  • I have copied what you had but it does seem to allow "clear ip <argument>"
  • I then removed the third entry; the "clear" with no arguments and a permit and then nothing is allowed through
  • from my experience, it seems that the "command" entry can only have the first word of the string, adding anything else seems to be ignored
Joseph Slawinski :: Mobility Architect
CCNP, ACMP, ACCP, CWNA
Occasional Contributor II

Re: TACACS Command Authorization/Restriction

* bump *

Would anyone have any ideas on this?  I cannot seem to allow "clear counters *" without allowing "clear *"

Joseph Slawinski :: Mobility Architect
CCNP, ACMP, ACCP, CWNA
MVP

Re: TACACS Command Authorization/Restriction

The only other way I could see this working is as below:

[Screenshot: Capture.JPG]

Sorry I don't have a test lab to try this out on at the moment so these are just suggestions.

David
ACDX #98 | ACMP | ACCP
Occasional Contributor II

Re: TACACS Command Authorization/Restriction

Thank you for your reply.  I have entered in the syntax exactly as you have described and here are the results:

- I am able to run "clear counters" but with no arguments after.  I cannot specify a particular interface

- I am prevented from running "clear ip *" which is what I am looking for

If there is a way to add a wild card somehow to the "clear counters" to allow our NOC to specify individual interfaces, that would complete my task.

Joseph Slawinski :: Mobility Architect
CCNP, ACMP, ACCP, CWNA
MVP

Re: TACACS Command Authorization/Restriction

Try changing the unmatched arguments to permit instead of deny and see if that fixes the issue.

David
ACDX #98 | ACMP | ACCP
Occasional Contributor II

Re: TACACS Command Authorization/Restriction

Changing the unmatched arguments to permit now allows "clear *" (clear <everything>).

Joseph Slawinski :: Mobility Architect
CCNP, ACMP, ACCP, CWNA
New Contributor

Re: TACACS Command Authorization/Restriction

I am looking for the same; it would be great if a wildcard could be used. I want to be able to allow users in a certain Enforcement Profile to run "show running-config interface *" but prevent them from running a "show running-config". Unmatched Arguments allows the latter, which is no good.

Aruba Employee

Re: TACACS Command Authorization/Restriction

Wildcards are supported. Basically, you have to use regexp-style formatting in your arguments.

Example: Wildcards and Ranges

You can use ".*" (period asterisk) in your argument field as a wildcard. For example, if you want to limit configuration access to, say, uplink interfaces but not base port interfaces on a switch, you would use "interfaces 1/1/.*".

You can use "[X-Y]" (open bracket, range, close bracket) in your argument field as well. For example, if you want to limit configuration access to, say, a range of ports such as GigabitEthernet 1/0/21 and 1/0/22, you would use "GigabitEthernet 1/0/2[1-2]".
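As an added example (not part of this thread and not ClearPass's own code), a small Python evaluator that models the regexp-style argument matching described above and shows why the earlier attempts in the thread failed: a literal "counters" argument cannot match "clear counters <interface>", and flipping Unmatched Arguments to permit opens up "clear <everything>". The matching model (first word is the command, the remaining words joined into one argument string, first rule whose command is equal and whose args regex fully matches wins, otherwise the unmatched default) and the names Rule, authorize, NOC_RULES and LITERAL_RULES are assumptions for illustration, not a description of ClearPass internals.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    command: str   # first word of the CLI line, e.g. "clear"
    args: str      # regex over the rest of the line, e.g. "counters .*"
    action: str    # "permit" or "deny"


def authorize(cli_line: str, rules, unmatched: str = "deny") -> str:
    """Decide 'permit' or 'deny' for one CLI line.

    Assumed model (not ClearPass's internals): split off the command word,
    join the remaining words into one argument string, and take the first
    rule whose command is equal and whose args regex matches that whole
    string; if no rule matches, the 'unmatched' default applies.
    """
    parts = cli_line.split()
    if not parts:
        return unmatched
    command, args = parts[0], " ".join(parts[1:])
    for rule in rules:
        if rule.command == command and re.fullmatch(rule.args, args):
            return rule.action
    return unmatched


# Constructed read-only NOC policy using the ".*" and "[X-Y]" forms from the
# thread: clear counters on any interface, never "clear ip ...", view a single
# interface's running-config but not the whole one, configure only Gi 1/0/21-22.
NOC_RULES = [
    Rule("clear", r"counters( .*)?", "permit"),
    Rule("clear", r"ip .*", "deny"),
    Rule("show", r"running-config interface .+", "permit"),
    Rule("show", r"running-config", "deny"),
    Rule("interface", r"GigabitEthernet 1/0/2[1-2]", "permit"),
]

# The thread's first attempt: literal "counters" with no wildcard, so any
# interface name after it falls through to the unmatched default.
LITERAL_RULES = [
    Rule("clear", r"counters", "permit"),
    Rule("clear", r"ip .*", "deny"),
]

if __name__ == "__main__":
    for line in ("clear counters GigabitEthernet1/0/1", "clear ip route *",
                 "show running-config", "interface GigabitEthernet 1/0/23"):
        print(f"{line!r:45} -> {authorize(line, NOC_RULES)}")
```

Run the module directly to see the decisions for a few of the thread's commands; run it against your own rule list before pushing the profile to confirm that the argument patterns match the exact strings the device sends (argument spacing and interface naming differ between platforms).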
