Security

  • 1.  Anyone else know what wildcards are permitted in the commands argument section of CPPM/TACACS?

    Posted Mar 12, 2014 11:38 AM

    What I currently have doesn't work. You can see in the picture that I tried to deny access to interface gigabitethernet 1/0/21 through 25. I've tried ?, *, and 1/0/[21-25]. I'm hoping not to have to enter every interface to allow or disallow access to, including VLAN interfaces.

    Pic to show where I'm at.

    cppm.jpg 



  • 2.  RE: Anyone else know what wildcards are permitted in the commands argument section of CPPM/TACACS?

    Posted Mar 12, 2014 12:00 PM

    Have you tried:

    gigabitethernet 1/0/2[1-5]

    This would be a standard pattern match.



  • 3.  RE: Anyone else know what wildcards are permitted in the commands argument section of CPPM/TACACS?

    Posted Mar 12, 2014 12:38 PM

    Just tried it and it doesn't work. Adding just gigabitethernet 1/0/21 works. As soon as wildcards are in place it fails.

    nopecppm.jpg



  • 4.  RE: Anyone else know what wildcards are permitted in the commands argument section of CPPM/TACACS?

    Posted Mar 12, 2014 02:33 PM
    It would be nice to have Aruba provide a more detailed example/instructions on how to configure command authorization.


  • 5.  RE: Anyone else know what wildcards are permitted in the commands argument section of CPPM/TACACS?

    Posted Mar 12, 2014 02:53 PM

    Agreed. I've had a TAC case open since yesterday and had my SE onsite, and still haven't had this one question answered.

    ¯\(°_o)/¯



  • 6.  RE: Anyone else know what wildcards are permitted in the commands argument section of CPPM/TACACS?

    Posted Apr 08, 2014 04:52 PM

    OK, with a little help from some Aruba friends I was able to get this working.

    Cisco switch side must have:

    aaa authorization config-commands
    aaa authorization commands 1 default group tacacs+ none
    aaa authorization commands 15 default group tacacs+ none

    Keep in mind that, depending on the command you want to restrict, you may need all commands 1 through 15 in your Cisco config.

    CPPM

    In your enforcement profile:

    Selected service = shell
    Privilege level = 15

    In your commands tab:

    Service type = shell
    Check "Enable to permit unmatched commands".

    Click Add:

    Command = show
    Argument = version

    Leave the rest at default, click Save, and test.

    *edit* Forgot to mention the wildcards.

    The wildcard is .* (period star), so GigabitEthernet 1/0/.* covers all ports on switch 1.



  • 7.  RE: Anyone else know what wildcards are permitted in the commands argument section of CPPM/TACACS?

    Posted Aug 21, 2018 05:49 PM

    While trying to set up a restricted command set for our NOC on a Cisco 3850, I found that I couldn't match on GigabitEthernet 1/1/1. After some debugging and a packet capture with the help of TAC, it was discovered that CPPM wanted to see GigabitEthernet 1 1 1. No slashes. Hope this helps someone. In the pic I have the wildcard set up for Gi1/1/1-4.

    Cisco 3850, IOS 3.6.7:

    aaa authorization config-commands
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa authorization network default local group radius
    aaa authorization auth-proxy default group radius


    CPPM 6.6.5.xxxx

    Directions from brodiman:

    CPPM

    In your enforcement profile:

    Selected service = shell
    Privilege level = 15

    In your commands tab:

    Service type = shell
    Check "Enable to permit unmatched commands".

    Click Add:

    Command = show
    Argument = version

    Leave the rest at default, click Save, and test.

    cppm noc commands correct.JPG
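The command-authorization procedure from post 6 and the no-slashes observation from post 7, modelled as an added example that is not code from this thread, from Aruba or from Cisco: a small Python evaluator that decodes the body of a TACACS+ authorization REQUEST (field layout from RFC 8907 section 6.1; the 12-byte header and the secret-based obfuscation are left out), rebuilds the typed command from the cmd and cmd-arg attributes, and applies ordered permit/deny rules whose argument field is a regular expression, with the same "permit unmatched commands" fallback the posts describe. The packet bytes, the user noc1, the rule list NOC_RULES and the strip_slashes option are all constructed or assumed here; how ClearPass actually builds the string it matches against is not known from this thread.

```python
import re
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constants from RFC 8907 section 6.1 (authorization REQUEST body).
TAC_PLUS_AUTHEN_METH_TACACSPLUS = 0x06
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01

def build_author_request(user: str, port: str, rem_addr: str,
                         args: List[str], priv_lvl: int = 15) -> bytes:
    """Encode a REQUEST body (sample input only; a real client adds the header and obfuscation)."""
    fixed = [user.encode(), port.encode(), rem_addr.encode()]
    argv = [a.encode() for a in args]
    if any(len(x) > 255 for x in fixed + argv) or len(argv) > 255:
        raise ValueError("field too long for a one-byte length")
    body = struct.pack("!8B", TAC_PLUS_AUTHEN_METH_TACACSPLUS, priv_lvl,
                       TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN,
                       len(fixed[0]), len(fixed[1]), len(fixed[2]), len(argv))
    body += bytes(len(a) for a in argv)  # arg_1_len ... arg_N_len
    return body + b"".join(fixed) + b"".join(argv)

def parse_author_request(body: bytes) -> Tuple[int, Dict[str, str], List[str]]:
    """Decode a REQUEST body; every length byte is peer-controlled, so check each before use."""
    if len(body) < 8:
        raise ValueError("body shorter than the fixed fields")
    (_meth, priv_lvl, _atype, _svc,
     user_len, port_len, rem_len, arg_cnt) = struct.unpack("!8B", body[:8])
    off = 8
    arg_lens = list(body[off:off + arg_cnt])
    if len(arg_lens) != arg_cnt:
        raise ValueError("truncated arg length table")
    off += arg_cnt
    if len(body) - off < user_len + port_len + rem_len + sum(arg_lens):
        raise ValueError("declared lengths exceed the body")
    fields = []
    for n in [user_len, port_len, rem_len] + arg_lens:
        fields.append(body[off:off + n].decode("ascii"))
        off += n
    return priv_lvl, dict(zip(("user", "port", "rem_addr"), fields)), fields[3:]

def command_string(args: List[str], strip_slashes: bool = False) -> Tuple[str, str]:
    """Rebuild (verb, argument string). IOS sends the verb as cmd= and each further
    token as its own cmd-arg=, ending with cmd-arg=<cr>; RFC 8907 allows '=' or '*'
    as separator. strip_slashes is an assumption modelling post 7, not CPPM internals."""
    verb, tokens = None, []
    for a in args:
        m = re.fullmatch(r"([^=*]+)[=*](.*)", a, re.S)
        if not m:
            raise ValueError(f"malformed attribute {a!r}")
        key, val = m.groups()
        if key == "cmd":
            verb = val
        elif key == "cmd-arg" and val != "<cr>":
            tokens.append(val)
    if verb is None:
        raise ValueError("no cmd attribute in request")
    argstr = " ".join(tokens)
    return verb, (argstr.replace("/", " ") if strip_slashes else argstr)

@dataclass
class Rule:
    command: str            # exact verb, e.g. "show"
    argument: str           # regex over the arguments, e.g. "GigabitEthernet 1/0/.*"
    action: str = "permit"  # "permit" or "deny"

def authorize(body: bytes, rules: List[Rule], permit_unmatched: bool,
              strip_slashes: bool = False) -> bool:
    """First matching rule wins; unmatched commands fall back to permit_unmatched (the
    checkbox in the thread, fail-open when checked). The regex is anchored with fullmatch
    so "GigabitEthernet 1/0/2" cannot quietly cover 1/0/21-29; case-insensitive by choice."""
    _priv, _who, args = parse_author_request(body)
    verb, argstr = command_string(args, strip_slashes)
    for r in rules:
        if (r.command.lower() == verb.lower()
                and re.fullmatch(r.argument, argstr, re.IGNORECASE)):
            return r.action == "permit"
    return permit_unmatched

def ios_request(typed: str) -> bytes:
    """Constructed request for a command typed at an IOS prompt by the assumed user noc1."""
    verb, *rest = typed.split()
    args = ["service=shell", f"cmd={verb}"] + [f"cmd-arg={t}" for t in rest]
    return build_author_request("noc1", "tty1", "192.0.2.10", args + ["cmd-arg=<cr>"])

NOC_RULES = [                                                  # assumed rule set
    Rule("show", "version"),                                   # post 6's test rule
    Rule("interface", r"GigabitEthernet 1/0/2[1-5]", "deny"),  # the OP's goal
    Rule("interface", r"GigabitEthernet 1/0/.*"),              # post 6's wildcard
]

def demo() -> Dict[str, bool]:
    """Decisions for a few constructed commands with unmatched commands permitted."""
    return {cmd: authorize(ios_request(cmd), NOC_RULES, permit_unmatched=True)
            for cmd in ["show version", "interface GigabitEthernet 1/0/21",
                        "interface GigabitEthernet 1/0/7", "interface Vlan 10", "reload"]}
```

Two caveats worth checking before copying the thread's settings, both documented IOS and CPPM behaviour rather than claims from the posts: with "permit unmatched commands" checked (permit_unmatched=True above), every verb that is not listed is allowed, so denying a handful of interfaces restricts nothing else, and a command such as reload goes through; and the method list ending in none in post 6 means command authorization succeeds for everyone whenever the TACACS+ server is unreachable, while if-authenticated in post 7 permits any already-authenticated user in that case.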