Security

Contributor I
Posts: 90
Registered: 08-03-2009

how do we restrict command authorizations to permit changes gigabitEthernet only in CPPM Tacacs

How do we restrict command authorization to permit changes to gigabitEthernet interfaces only, while not allowing changes to tenGigabitEthernet?


The idea is to restrict changes to 10-gig ports, which are usually trunk ports and critical.


I tried different combinations with different command argument restrictions but am not getting through.

Guru Elite
Posts: 21,001
Registered: 03-29-2007

Re: how do we restrict command authorizations to permit changes gigabitEthernet only in CPPM Tacacs

If you are an Aruba partner, go to https://afp.arubanetworks.com/afp/index.php/ and login with your partner credentials.


Search for "tacacs command authorization".



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor I
Posts: 90
Registered: 08-03-2009

Re: how do we restrict command authorizations to permit changes gigabitEthernet only in CPPM Tacacs

Hi Colin,


The generic TACACS authorization setup, with privilege level 15 access and restricted access permitting a few commands, is already set up and working correctly. Sorry if I did not convey my question.


My requirement is very specific: allowing changes on GigabitEthernet ports and not allowing changes on TenGigabitEthernet ports for a user.


I am trying to do this with command arguments, but it either permits both or denies both. I feel it is not processing further once the first command argument matches.

Guru Elite
Posts: 21,001
Registered: 03-29-2007

Re: how do we restrict command authorizations to permit changes gigabitEthernet only in CPPM Tacacs

wifiabcd,


What version of ClearPass are you using, and what Cisco device?




Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor I
Posts: 90
Registered: 08-03-2009

Re: how do we restrict command authorizations to permit changes gigabitEthernet only in CPPM Tacacs

Cisco Version

Cisco IOS Software, C3750E Software (C3750E-IPBASEK9-M), Version 15.0(2)SE2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Tue 05-Feb-13 11:53 by prod_rel_team
ROM: Bootstrap program is C3750E boot loader
BOOTLDR: C3750E Boot Loader (C3750E-HBOOT-M) Version 12.2(44r)SE3, RELEASE SOFTWARE (fc3)

ClearPass Version

ClearPass Policy Manager 6.2.5.61640 on CP-VA-5K platform

Also attaching the TACACS enforcement profile export from my system. With this I am getting the following result: I am able to do both, but if I set the unmatched commands to "deny" then both will be denied.

ArubaCPP-Test(config)#inter
ArubaCPP-Test(config)#interface gi
ArubaCPP-Test(config)#interface gigabitEthernet 1/0/20
ArubaCPP-Test(config-if)#exit
ArubaCPP-Test(config)#interface te
ArubaCPP-Test(config)#interface tenGigabitEthernet 1/0/1
ArubaCPP-Test(config-if)#exit
ArubaCPP-Test(config)#

Contributor I
Posts: 90
Registered: 08-03-2009

Re: how do we restrict command authorizations to permit changes gigabitEthernet only in CPPM Tacacs

Attachment was not possible, hence pasting the XML.


<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TipsContents xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
<TipsHeader exportTime="Mon Mar 24 09:48:10 AST 2014" version="6.2"/>
<TacacsEnfProfiles>
<TacacsEnfProfile description="" name="Cisco Restricted" maxPrivLevel="15">
<ServiceNameList>
<string>Shell</string>
</ServiceNameList>
<ServiceAttrList>
<RulesCondition valueDispName="15" value="15" oper="EQUALS" name="priv-lvl" type="Shell"/>
<RulesCondition valueDispName="180" value="180" oper="EQUALS" name="timeout" type="Shell"/>
</ServiceAttrList>
<CmdAutzSet permitUnmatchedCmds="false" type="shell">
<CommandList>
<Command permitUnmatchedArgs="false" cmd="show">
<ArgumentList>
<Argument permit="true" cmdArg="running-config"/>
</ArgumentList>
</Command>
<Command permitUnmatchedArgs="false" cmd="exit">
<ArgumentList>
<Argument permit="true" cmdArg="exit"/>
</ArgumentList>
</Command>
<Command permitUnmatchedArgs="false" cmd="show">
<ArgumentList>
<Argument permit="true" cmdArg="running"/>
</ArgumentList>
</Command>
<Command permitUnmatchedArgs="false" cmd="show">
<ArgumentList>
<Argument permit="true" cmdArg="interfaces"/>
</ArgumentList>
</Command>
<Command permitUnmatchedArgs="true" cmd="configure"/>
<Command permitUnmatchedArgs="true" cmd="show"/>
<Command permitUnmatchedArgs="true" cmd="interface">
<ArgumentList>
<Argument permit="false" cmdArg="TenGigabitEthernet"/>
<Argument permit="true" cmdArg="GigabitEthernet"/>
</ArgumentList>
</Command>
<Command permitUnmatchedArgs="true" cmd="switchport"/>
<Command permitUnmatchedArgs="true" cmd="write"/>
<Command permitUnmatchedArgs="true" cmd="interface"/>
</CommandList>
</CmdAutzSet>
</TacacsEnfProfile>
</TacacsEnfProfiles>
</TipsContents>
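The export above contains two `<Command cmd="interface">` entries: one with an ArgumentList that denies TenGigabitEthernet and permits GigabitEthernet, and a later one with no ArgumentList and permitUnmatchedArgs="true". The following script is an added example, not part of the thread or of ClearPass itself. It parses a constructed excerpt of that export and does two things: it lints the command list for a catch-all entry that sits beside a deny rule for the same command, and it reports, per entry, what each entry on its own would decide for the two test commands from the thread. The evaluation model (argument names compared case-insensitively against the tokens of the command line, an entry's permitUnmatchedArgs used when no argument rule matches) is an assumption made for illustration, not a statement of how ClearPass resolves duplicate entries.

```python
import xml.etree.ElementTree as ET

NS = {"t": "http://www.avendasys.com/tipsapiDefs/1.0"}

# Constructed excerpt of the profile posted in the thread, trimmed to the
# entries relevant to the "interface" question (ServiceAttrList omitted).
PROFILE_XML = """<TipsContents xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
<TacacsEnfProfiles>
<TacacsEnfProfile description="" name="Cisco Restricted" maxPrivLevel="15">
<CmdAutzSet permitUnmatchedCmds="false" type="shell">
<CommandList>
<Command permitUnmatchedArgs="true" cmd="configure"/>
<Command permitUnmatchedArgs="true" cmd="interface">
<ArgumentList>
<Argument permit="false" cmdArg="TenGigabitEthernet"/>
<Argument permit="true" cmdArg="GigabitEthernet"/>
</ArgumentList>
</Command>
<Command permitUnmatchedArgs="true" cmd="switchport"/>
<Command permitUnmatchedArgs="true" cmd="interface"/>
</CommandList>
</CmdAutzSet>
</TacacsEnfProfile>
</TacacsEnfProfiles>
</TipsContents>
"""


def load_commands(xml_text):
    """Return [(cmd, permit_unmatched_args, [(cmdArg, permit), ...]), ...]
    in document order, one tuple per <Command> element."""
    root = ET.fromstring(xml_text)
    entries = []
    for cmd_el in root.iterfind(".//t:CommandList/t:Command", NS):
        rules = [(a.get("cmdArg"), a.get("permit") == "true")
                 for a in cmd_el.iterfind("t:ArgumentList/t:Argument", NS)]
        entries.append((cmd_el.get("cmd"),
                        cmd_el.get("permitUnmatchedArgs") == "true",
                        rules))
    return entries


def find_shadowed_denies(entries):
    """Lint: a command that has a deny rule in one entry and, in another entry,
    no argument rules at all with permitUnmatchedArgs="true". The second entry
    permits every argument of that command, so the deny can never be effective
    if that entry is consulted. Returns [(cmd, [denied args]), ...]."""
    by_cmd = {}
    for cmd, unmatched_ok, rules in entries:
        by_cmd.setdefault(cmd, []).append((unmatched_ok, rules))
    findings = []
    for cmd, variants in by_cmd.items():
        denied = [arg for _, rules in variants for arg, permit in rules if not permit]
        catch_all = any(unmatched_ok and not rules for unmatched_ok, rules in variants)
        if denied and catch_all:
            findings.append((cmd, denied))
    return findings


def per_entry_verdicts(entries, line):
    """Assumed model: for each entry whose cmd equals the first token, the first
    argument rule whose cmdArg equals any later token (case-insensitive) decides;
    if no rule matches, the entry's permitUnmatchedArgs decides. Returns the
    list of per-entry booleans so the reader can see which entry permits."""
    tokens = line.split()
    cmd, args = tokens[0], [t.lower() for t in tokens[1:]]
    verdicts = []
    for entry_cmd, unmatched_ok, rules in entries:
        if entry_cmd != cmd:
            continue
        decision = unmatched_ok
        for rule_arg, permit in rules:
            if rule_arg.lower() in args:
                decision = permit
                break
        verdicts.append(decision)
    return verdicts


if __name__ == "__main__":
    entries = load_commands(PROFILE_XML)
    for cmd, denied in find_shadowed_denies(entries):
        print(f"catch-all entry for '{cmd}' shadows deny of {denied}")
    for line in ("interface tenGigabitEthernet 1/0/1", "interface gigabitEthernet 1/0/20"):
        print(line, "->", per_entry_verdicts(entries, line))
```

Running it flags the duplicate `interface` entry and shows the per-entry split for the TenGigabitEthernet request (the restrictive entry denies, the catch-all permits), which is the shape of configuration worth looking for first when a deny rule appears to have no effect.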

Guru Elite
Posts: 21,001
Registered: 03-29-2007

Re: how do we restrict command authorizations to permit changes gigabitEthernet only in CPPM Tacacs

Do you have this configured on the Cisco side?


aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ local
aaa authorization config-commands




Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
