Occasional Contributor II

creating a TACACS read-only user and not able to permit the "show run" command

We use CPPM with Cisco switches. I'm trying to create a local user with TACACS that has the ability to do the "show run" command on the switch. For some reason I can't seem to get any "show" commands to work. Any other command I've specified, works. I've even assigned the user a privilege level of 15 with no dice. 

Guru Elite

Re: creating a TACACS read-only user and not able to permit the "show run" command

Did you try using privilege level 1?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: creating a TACACS read-only user and not able to permit the "show run" command

I've tried 1, 2, 3, 6, 7, 8, 9, 14, and 15.

Occasional Contributor II

Re: creating a TACACS read-only user and not able to permit the "show run" command

This is the only way I've been able to get it to work: give the user privilege level 15 and permit the "show" command. The only problem is that I don't want to permit every show command. Apparently I can't lock this down enough.

Guru Elite

Re: creating a TACACS read-only user and not able to permit the "show run" command

If you want to limit individual commands, you'll have to do command authorization.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: creating a TACACS read-only user and not able to permit the "show run" command

Isn't that what I'm doing in the commands tab of the Enforcement Profile? Setting which commands are allowed or denied? 

Contributor I

Re: creating a TACACS read-only user and not able to permit the "show run" command

This is what I do. I allow 'show run interface blah' but not 'sh run', etc.
I deny by default and then specify what I want to allow but you can allow by default and list what you want to restrict.
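The deny-by-default allow-list (and the permit-by-default deny-list alternative) described in this reply, as an added example that is not from the thread, from ClearPass or from Cisco: a small Python evaluator of a TACACS+ command-authorization policy. It assumes the switch submits the command as a `cmd` attribute plus `cmd-arg` attributes in expanded form (so a rule has to match `show running-config ...`, not `sh run`) and, as Cisco IOS does, a trailing `<cr>` argument; the policy names, regex patterns and sample commands are constructed for the example.

```python
import re

# A policy is a default action plus an ordered list of (action, regex) rules.
# Patterns are matched against the full, whitespace-normalized command line that
# the device submits for authorization. First matching rule wins.

# Variant 1 (constructed): deny by default, list what is allowed.
READ_ONLY_POLICY = {
    "default": "deny",
    "rules": [
        # "show run" for one interface only, never the whole running-config
        ("permit", r"^show running-config interface \S+$"),
        ("permit", r"^show (version|interfaces?|ip interface brief)( .*)?$"),
        ("permit", r"^(exit|logout)$"),
    ],
}

# Variant 2 (constructed): permit by default, list what is restricted.
PERMIT_DEFAULT_POLICY = {
    "default": "permit",
    "rules": [
        ("deny", r"^show running-config$"),        # block the full config dump
        ("deny", r"^configure( terminal)?$"),
        ("deny", r"^(write|copy|reload|delete)( .*)?$"),
    ],
}


def normalize(cmd, cmd_args):
    """Join the TACACS+ cmd / cmd-arg attributes into one command line.

    Assumption: Cisco IOS appends a final cmd-arg of "<cr>", which carries no
    meaning for matching and is dropped here.
    """
    args = [a for a in cmd_args if a != "<cr>"]
    return " ".join([cmd, *args]).strip()


def authorize(policy, cmd, cmd_args):
    """Return (action, matched_pattern) for a command under the given policy.

    matched_pattern is None when the default action applied, which is useful
    when auditing why a command was permitted or denied.
    """
    line = normalize(cmd, cmd_args)
    for action, pattern in policy["rules"]:
        if re.match(pattern, line):
            return action, pattern
    return policy["default"], None


# Constructed sample of what a switch might send for four separate commands.
SAMPLE_REQUESTS = [
    ("show", ["running-config", "interface", "GigabitEthernet1/0/1", "<cr>"]),
    ("show", ["running-config", "<cr>"]),
    ("show", ["version", "<cr>"]),
    ("configure", ["terminal", "<cr>"]),
]

if __name__ == "__main__":
    for name, policy in (("read-only", READ_ONLY_POLICY),
                         ("permit-default", PERMIT_DEFAULT_POLICY)):
        print(f"--- {name} policy ---")
        for cmd, args in SAMPLE_REQUESTS:
            action, pattern = authorize(policy, cmd, args)
            print(f"{normalize(cmd, args):55s} -> {action:6s} ({pattern or 'default'})")
```

Two things this makes visible: a rule written in the abbreviated form the operator types (`sh run`) never matches if the device sends the expanded command, and under the permit-by-default variant every command you forgot to list is allowed, which is why the deny-by-default list is the safer starting point for a read-only role. On the switch side, the command list is only consulted if command authorization is actually turned on for that privilege level (on Cisco IOS, `aaa authorization commands <level> default group tacacs+`); without it the switch never asks the TACACS+ server about individual commands.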

Occasional Contributor II

Re: creating a TACACS read-only user and not able to permit the "show run" command

Thanks. That's pretty much what I've come to the conclusion of doing. I used yours as a template to clean up how I had mine though. Thanks. 
