I am using ClearPass to authorize commands on Cisco devices per AD group. For the read-only group, I am putting the user into priv 15 and then permitting/denying the specific shell commands. This way I do not have to configure separate privilege levels on each of the Cisco devices. I would like users in the read-only group to be able to "clear counters" on interfaces but NOT allow them to "clear IP <anything>". I have tried creating what I thought would work (pasted below) but it will not allow me to specify an interface after the "counters" argument. Is there a wildcard entry that I can add that would solve my problem?
Have you tried re-structuring the commands as below:
* bump *
Would anyone have any ideas on this? I cannot seem to allow "clear counters *" without allowing "clear *"
The only other way I could see this working is as below:
Sorry I don't have a test lab to try this out on at the moment so these are just suggestions.
Thank you for your reply. I have entered in the syntax exactly as you have described and here are the results:
- I am able to run "clear counters" but with no arguments after. I cannot specify a particular interface
- I am prevented from running "clear ip *" which is what I am looking for
If there is a way to add a wildcard somehow to the "clear counters" to allow our NOC to specify individual interfaces, that would complete my task.
Try changing the unmatched arguments to permit instead of deny and see if that fixes the issue.
Changing the unmatched arguments to permit now allows "clear *" (clear <everything>)
I am looking for the same; it would be great if a wildcard can be used. I want to be able to allow users in a certain Enforcement Profile to be able to run "show running-config interface *" but prevent them from running a "show running-config". Unmatched Arguments allows the latter, which is no good.
Wildcards are supported. Basically you have to use regexp-style formatting in your arguments.
Example: Wildcards and Ranges
You can use ".*" (period asterisk) in your argument field as a wildcard. For example, if you want to limit configuration access to, say, uplink interfaces but not base port interfaces on a switch, you would use "interfaces 1/1/.*".
You can use "[X-Y]" (open bracket, range, close bracket) in your argument field as well. For example, if you want to limit configuration access to, say, a range of ports such as GigabitEthernet 1/0/21 and 1/0/22, you would use "GigabitEthernet 1/0/2[1-2]".
While trying to set up a restricted command set for our NOC on a Cisco 3850, I found that I couldn't match on GigabitEthernet 1/1/1. After some debugging and a packet capture with the help of TAC, it was discovered that CPPM wanted to see GigabitEthernet 1 1 1. No slashes. Hope this helps someone. In the pic I have the wildcard set up for Gi1/1/1-4.
Cisco 3850, IOS 3.6.7
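To tie the wildcard/range syntax from the post above together with the "no slashes" finding on the 3850, here is a small added model of how a ClearPass command-authorization profile could evaluate a read-only NOC command set. This is example code written for this thread, not ClearPass's own implementation: the data structures, the deny-before-permit ordering, the use of full-string regex matching, and the slash-to-space normalisation (taken from the 3850 post) are all assumptions, and the sample commands are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import List


# Constructed model of a ClearPass "Commands" tab (assumed structure, not the
# product's own code): one entry per command, each with permit/deny argument
# regexes and an "unmatched arguments" default; the profile itself has an
# "unmatched commands" default.
@dataclass
class CommandRule:
    command: str
    permit_args: List[str] = field(default_factory=list)
    deny_args: List[str] = field(default_factory=list)
    permit_unmatched_args: bool = False


@dataclass
class ShellPolicy:
    rules: List[CommandRule]
    permit_unmatched_commands: bool = False


def normalize(line: str) -> str:
    """Assumed normalisation from the 3850 post: CPPM matched
    'GigabitEthernet 1 1 1' rather than 'GigabitEthernet 1/1/1', so slashes
    are rewritten to spaces and whitespace is collapsed before matching."""
    return re.sub(r"\s+", " ", line.replace("/", " ")).strip()


def authorize(policy: ShellPolicy, line: str) -> bool:
    """Return True if the command line would be permitted under the policy."""
    parts = normalize(line).split(" ", 1)
    command, args = parts[0], (parts[1] if len(parts) > 1 else "")
    for rule in policy.rules:
        if rule.command != command:
            continue
        # Assumption: deny patterns win over permit patterns. fullmatch is used
        # so a bare "counters" pattern does not cover "counters GigabitEthernet ...";
        # the trailing ".*" is what permits an interface argument.
        if any(re.fullmatch(p, args) for p in rule.deny_args):
            return False
        if any(re.fullmatch(p, args) for p in rule.permit_args):
            return True
        return rule.permit_unmatched_args
    return policy.permit_unmatched_commands


# Read-only NOC profile: "clear counters <anything>" allowed, "clear ip <anything>"
# denied, everything else under "clear" denied by the unmatched-arguments default.
# For "show", only specific sub-commands are permitted, so a bare
# "show running-config" falls through to the deny default.
READ_ONLY = ShellPolicy(rules=[
    CommandRule("clear", permit_args=["counters.*"], deny_args=["ip.*"]),
    CommandRule("show", permit_args=[
        "version",
        "running-config interface .*",
        # Range example from the thread, written the way the 3850 reportedly sends it
        "interfaces GigabitEthernet 1 0 2[1-2]",
    ]),
])


if __name__ == "__main__":
    for cmd in [
        "clear counters GigabitEthernet1/0/1",
        "clear counters",
        "clear ip route *",
        "clear line 5",
        "show running-config interface GigabitEthernet 1/0/21",
        "show running-config",
        "show interfaces GigabitEthernet 1/0/23",
        "configure terminal",
    ]:
        print(f"{'PERMIT' if authorize(READ_ONLY, cmd) else 'DENY':6} {cmd}")
```

Running it shows why the original attempt fell down: a permit entry of just "counters" only matches "clear counters" with no interface, while "counters.*" matches the bare form and any interface after it without touching "clear ip". Whichever real evaluation order ClearPass uses, the safe way to confirm a profile is exactly what the thread did: test the commands you expect to be denied, not only the ones you expect to work.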
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization network default local group radius
aaa authorization auth-proxy default group radius
Directions from brodiman
In your enforcement profile
selected service = shell
privilege level = 15
In your commands tab
service type = shell
check "enable" to permit unmatched commands.
command = show
argument = version
Leave the rest at default, click save, and test.