Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

how do we restrict command authorizations to permit changes gigabitEthernet only in CPPM Tacacs

  • 1.  how do we restrict command authorizations to permit changes gigabitEthernet only in CPPM Tacacs

    Posted Mar 23, 2014 11:14 AM

    How do we restrict command authorizations to permit changes to gigabitEthernet only, while not allowing changes to tenGigabitEthernet?


    The idea is to restrict changes to 10gig ports, which are usually trunk ports and critical.

     

    I tried different combinations with different command argument restrictions but am not getting through.



  • 2.  RE: how do we restrict command authorizations to permit changes gigabitEthernet only in CPPM Tacacs

    EMPLOYEE
    Posted Mar 23, 2014 11:31 AM

    If you are an Aruba partner, go to https://afp.arubanetworks.com/afp/index.php/ and login with your partner credentials.

     

    Search for "tacacs command authorization".



  • 3.  RE: how do we restrict command authorizations to permit changes gigabitEthernet only in CPPM Tacacs

    Posted Mar 23, 2014 04:05 PM

    Hi Colin,

     

    Generic tacacs authorization setup with privilege level 15 access and restricted access permitting a few commands is already set up and it is working correctly. Sorry if I did not convey my question.

     

    My requirement is very specific: allowing changes on gigethernet ports and not allowing changes on tengigethernet ports for a user.

     

    I am trying to do this with command arguments, but it either permits both or denies both. I feel it is not processing further once the first command argument matches.



  • 4.  RE: how do we restrict command authorizations to permit changes gigabitEthernet only in CPPM Tacacs

    EMPLOYEE
    Posted Mar 23, 2014 04:19 PM

    wifiabcd,

     

    What version of ClearPass are you using and what Cisco device?

     



  • 5.  RE: how do we restrict command authorizations to permit changes gigabitEthernet only in CPPM Tacacs

    Posted Mar 24, 2014 03:11 AM

    Cisco Version

    Cisco IOS Software, C3750E Software (C3750E-IPBASEK9-M), Version 15.0(2)SE2, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2013 by Cisco Systems, Inc.
    Compiled Tue 05-Feb-13 11:53 by prod_rel_team
    ROM: Bootstrap program is C3750E boot loader
    BOOTLDR: C3750E Boot Loader (C3750E-HBOOT-M) Version 12.2(44r)SE3, RELEASE SOFTWARE (fc3)

    Clearpass Version

    ClearPass Policy Manager 6.2.5.61640 on CP-VA-5K platform

    Also attaching the tacacs enforcement profile export from my system, and with this I am getting the following result: I am able to do both, but if I check the unmatched commands to "deny" then both will be denied.

    ArubaCPP-Test(config)#inter
    ArubaCPP-Test(config)#interface gi
    ArubaCPP-Test(config)#interface gigabitEthernet 1/0/20
    ArubaCPP-Test(config-if)#exit
    ArubaCPP-Test(config)#interface te
    ArubaCPP-Test(config)#interface tenGigabitEthernet 1/0/1
    ArubaCPP-Test(config-if)#exit
    ArubaCPP-Test(config)#



  • 6.  RE: how do we restrict command authorizations to permit changes gigabitEthernet only in CPPM Tacacs

    Posted Mar 24, 2014 03:15 AM

    Attachment was not possible, hence pasting the xml.

     

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <TipsContents xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
    <TipsHeader exportTime="Mon Mar 24 09:48:10 AST 2014" version="6.2"/>
    <TacacsEnfProfiles>
    <TacacsEnfProfile description="" name="Cisco Restricted" maxPrivLevel="15">
    <ServiceNameList>
    <string>Shell</string>
    </ServiceNameList>
    <ServiceAttrList>
    <RulesCondition valueDispName="15" value="15" oper="EQUALS" name="priv-lvl" type="Shell"/>
    <RulesCondition valueDispName="180" value="180" oper="EQUALS" name="timeout" type="Shell"/>
    </ServiceAttrList>
    <CmdAutzSet permitUnmatchedCmds="false" type="shell">
    <CommandList>
    <Command permitUnmatchedArgs="false" cmd="show">
    <ArgumentList>
    <Argument permit="true" cmdArg="running-config"/>
    </ArgumentList>
    </Command>
    <Command permitUnmatchedArgs="false" cmd="exit">
    <ArgumentList>
    <Argument permit="true" cmdArg="exit"/>
    </ArgumentList>
    </Command>
    <Command permitUnmatchedArgs="false" cmd="show">
    <ArgumentList>
    <Argument permit="true" cmdArg="running"/>
    </ArgumentList>
    </Command>
    <Command permitUnmatchedArgs="false" cmd="show">
    <ArgumentList>
    <Argument permit="true" cmdArg="interfaces"/>
    </ArgumentList>
    </Command>
    <Command permitUnmatchedArgs="true" cmd="configure"/>
    <Command permitUnmatchedArgs="true" cmd="show"/>
    <Command permitUnmatchedArgs="true" cmd="interface">
    <ArgumentList>
    <Argument permit="false" cmdArg="TenGigabitEthernet"/>
    <Argument permit="true" cmdArg="GigabitEthernet"/>
    </ArgumentList>
    </Command>
    <Command permitUnmatchedArgs="true" cmd="switchport"/>
    <Command permitUnmatchedArgs="true" cmd="write"/>
    <Command permitUnmatchedArgs="true" cmd="interface"/>
    </CommandList>
    </CmdAutzSet>
    </TacacsEnfProfile>
    </TacacsEnfProfiles>
    </TipsContents>
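The profile above contains two entries for `cmd="interface"`: a restricted one that lists TenGigabitEthernet as denied, and a bare catch-all one (`<Command permitUnmatchedArgs="true" cmd="interface"/>`) with no argument list. The script below is an added example, not part of this thread and not ClearPass code: it parses the export, audits it for exactly that kind of shadowing, and evaluates the two commands from the session under two candidate matching models. The matching rules (whitespace split, first token matched against `cmd`, remaining tokens matched case-insensitively by prefix against `cmdArg`, and the "first match" versus "any entry permits" models) are assumptions made for the example, not ClearPass's documented algorithm; whichever model the product uses, the audit shows the catch-all entry is the first thing to remove when testing.

```python
"""Audit a ClearPass TACACS+ enforcement profile export for command
authorization entries that shadow each other (added example, not ClearPass code).

ASSUMED matching rules for this example only: the request line is split on
whitespace, tokens[0] is compared to Command/@cmd, and every remaining token is
compared case-insensitively by prefix to Argument/@cmdArg.
"""
import xml.etree.ElementTree as ET

NS = {"t": "http://www.avendasys.com/tipsapiDefs/1.0"}

# Constructed sample: a trimmed copy of the profile pasted in this thread,
# keeping only the entries relevant to the "interface" command.
PROFILE_AS_POSTED = """<TipsContents xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
<TacacsEnfProfiles><TacacsEnfProfile name="Cisco Restricted" maxPrivLevel="15">
<CmdAutzSet permitUnmatchedCmds="false" type="shell"><CommandList>
<Command permitUnmatchedArgs="true" cmd="configure"/>
<Command permitUnmatchedArgs="true" cmd="interface">
 <ArgumentList>
  <Argument permit="false" cmdArg="TenGigabitEthernet"/>
  <Argument permit="true" cmdArg="GigabitEthernet"/>
 </ArgumentList>
</Command>
<Command permitUnmatchedArgs="true" cmd="interface"/>
</CommandList></CmdAutzSet></TacacsEnfProfile></TacacsEnfProfiles></TipsContents>"""

# Same profile with the bare catch-all "interface" entry removed.
PROFILE_FIXED = PROFILE_AS_POSTED.replace(
    '<Command permitUnmatchedArgs="true" cmd="interface"/>\n', "")


def load_profile(xml_text):
    """Return {'permit_unmatched_cmds': bool, 'commands': [entry, ...]}."""
    root = ET.fromstring(xml_text)
    autz = root.find(".//t:CmdAutzSet", NS)
    commands = []
    for cmd in autz.iterfind("t:CommandList/t:Command", NS):
        args = [(a.get("cmdArg"), a.get("permit") == "true")
                for a in cmd.iterfind("t:ArgumentList/t:Argument", NS)]
        commands.append({"cmd": cmd.get("cmd"),
                         "permit_unmatched_args": cmd.get("permitUnmatchedArgs") == "true",
                         "args": args})
    return {"permit_unmatched_cmds": autz.get("permitUnmatchedCmds") == "true",
            "commands": commands}


def _entry_decision(entry, tokens):
    """Decision of a single Command entry for the argument tokens (assumed rules)."""
    for tok in tokens:
        matched = [permit for cmd_arg, permit in entry["args"]
                   if tok.lower().startswith(cmd_arg.lower())]
        if matched:
            if not all(matched):
                return False        # an explicit deny on this token wins
        elif not entry["permit_unmatched_args"]:
            return False            # token not listed and unmatched args are denied
    return True


def evaluate(profile, line, model="first_match"):
    """Authorize one command line under a candidate model:
    first_match: the first entry whose cmd matches decides;
    any_permit:  the line is permitted if ANY entry with that cmd permits it."""
    tokens = line.split()
    candidates = [e for e in profile["commands"] if e["cmd"] == tokens[0]]
    if not candidates:
        return profile["permit_unmatched_cmds"]
    decisions = [_entry_decision(e, tokens[1:]) for e in candidates]
    return decisions[0] if model == "first_match" else any(decisions)


def audit(profile):
    """Flag catch-all entries that can override a restricted entry for the same cmd."""
    by_cmd = {}
    for i, e in enumerate(profile["commands"]):
        by_cmd.setdefault(e["cmd"], []).append((i, e))
    findings = []
    for cmd, group in by_cmd.items():
        restricted = [i for i, e in group
                      if any(not p for _, p in e["args"]) or not e["permit_unmatched_args"]]
        catch_all = [i for i, e in group if not e["args"] and e["permit_unmatched_args"]]
        if restricted and catch_all:
            findings.append(f"cmd={cmd!r}: catch-all entry #{catch_all[0]} "
                            f"can override restricted entry #{restricted[0]}")
    return findings


if __name__ == "__main__":
    for label, xml_text in (("as posted", PROFILE_AS_POSTED), ("fixed", PROFILE_FIXED)):
        prof = load_profile(xml_text)
        print(label, "audit:", audit(prof) or "clean")
        for line in ("interface gigabitEthernet 1/0/20", "interface tenGigabitEthernet 1/0/1"):
            for model in ("first_match", "any_permit"):
                print(f"  {line!r:40} {model:12} -> {evaluate(prof, line, model)}")
```

Under the "any entry permits" model the posted profile permits `interface tenGigabitEthernet 1/0/1`, which reproduces the symptom reported above; with the catch-all entry removed, both models deny it and still permit the GigabitEthernet change (the `1/0/20` token is accepted because the restricted entry keeps `permitUnmatchedArgs="true"`).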



  • 7.  RE: how do we restrict command authorizations to permit changes gigabitEthernet only in CPPM Tacacs

    EMPLOYEE
    Posted Mar 24, 2014 05:03 AM

    Do you have this configured on the Cisco side?

     

    aaa authorization commands 15 default group tacacs+ if-authenticated 
    aaa authorization commands 15 default group tacacs+ local
    aaa authorization config-commands