
TACACS Command Authorization/Restriction

  • 1.  TACACS Command Authorization/Restriction

    Posted Jan 20, 2016 03:25 PM

    I am using ClearPass to authorize commands on Cisco devices per AD group.  For the read-only group, I am putting the user into priv 15 and then permitting/denying the specific shell commands.  This way I do not have to configure separate privilege levels on each of the Cisco devices.  I would like users in the read-only group to be able to "clear counters" on interfaces but NOT allow them to "clear IP <anything>".  I have tried creating what I thought would work (pasted below) but it will not allow me to specify an interface after the "counters" argument.  Is there a wildcard entry that I can add that would solve my problem?

    Screen Shot 2016-01-20 at 2.23.12 PM.png



  • 2.  RE: TACACS Command Authorization/Restriction

    Posted Jan 21, 2016 11:09 AM

    Have you tried re-structuring the commands as below:

    Capture.JPG



  • 3.  RE: TACACS Command Authorization/Restriction

    Posted Jan 21, 2016 12:18 PM
    • I have copied what you had, but it does seem to allow "clear ip <argument>".
    • I then removed the third entry (the "clear" with no arguments and a permit), and then nothing is allowed through.
    • From my experience, it seems that the "command" entry can only have the first word of the string; adding anything else seems to be ignored.


  • 4.  RE: TACACS Command Authorization/Restriction

    Posted Jan 28, 2016 09:43 AM

    * bump *

    Would anyone have any ideas on this?  I cannot seem to allow "clear counters *" without allowing "clear *"



  • 5.  RE: TACACS Command Authorization/Restriction

    Posted Jan 28, 2016 09:53 AM

    The only other way I could see this working is as below:

    Capture.JPG

    Sorry I don't have a test lab to try this out on at the moment so these are just suggestions.



  • 6.  RE: TACACS Command Authorization/Restriction

    Posted Jan 28, 2016 11:52 AM

    Thank you for your reply.  I have entered the syntax exactly as you described, and here are the results:

    - I am able to run "clear counters" but with no arguments after it.  I cannot specify a particular interface.

    - I am prevented from running "clear ip *", which is what I am looking for.

    If there is a way to add a wildcard somehow to the "clear counters" entry to allow our NOC to specify individual interfaces, that would complete my task.



  • 7.  RE: TACACS Command Authorization/Restriction

    Posted Feb 01, 2016 06:22 AM

    Try changing the unmatched arguments to permit instead of deny and see if that fixes the issue.



  • 8.  RE: TACACS Command Authorization/Restriction

    Posted Feb 02, 2016 09:04 AM

    Changing the unmatched arguments to permit now allows "clear *" (clear <everything>).



  • 9.  RE: TACACS Command Authorization/Restriction

    Posted Feb 06, 2016 08:21 PM

    I am looking for the same; it would be great if a wildcard could be used.  I want to be able to allow users in a certain Enforcement Profile to run "show running-config interface *" but prevent them from running a "show running-config".  Unmatched Arguments allows the latter, which is no good.



  • 10.  RE: TACACS Command Authorization/Restriction
    Best Answer

    Posted Mar 23, 2016 12:59 PM

    Wildcards are supported. Basically, you have to use regexp-style formatting in your arguments.

    Example: Wildcards and Ranges

    You can use ".*" (period asterisk) in your argument field as a wildcard. For example, if you want to limit configuration access to, say, uplink interfaces but not base port interfaces on a switch, you would use "interfaces 1/1/.*".

    You can use "[X-Y]" (open bracket, range, close bracket) in your argument field as well. For example, if you want to limit configuration access to, say, a range of ports such as GigabitEthernet 1/0/21 and 1/0/22, you would use "GigabitEthernet 1/0/2[1-2]".



  • 11.  RE: TACACS Command Authorization/Restriction

    Posted Aug 21, 2018 05:47 PM

    While trying to set up a restricted command set for our NOC on a Cisco 3850, I found that I couldn't match on GigabitEthernet 1/1/1. After some debugging and a packet capture with the help of TAC, it was discovered that CPPM wanted to see GigabitEthernet 1 1 1. No slashes.  Hope this helps someone. In the pic I have the wildcard set up for Gi1/1/1-4.

    Cisco 3850, IOS 3.6.7

    aaa authorization config-commands
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa authorization network default local group radius
    aaa authorization auth-proxy default group radius

    CPPM 6.6.5.xxxx

    Directions from brodiman

    CPPM

    In your enforcement profile

    selected service = shell

    privilege level = 15

    In your commands tab

    service type = shell

    check enable to permit unmatched commands.

    click add

    command = show

    argument = version

    leave the rest default, click save and test.

    cppm noc commands correct.JPG
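As an added example (this is not ClearPass code and not code posted by anyone in this thread), the Python script below models how a command/argument rule set like the ones discussed in posts 10 and 11 can be evaluated, so a read-only rule set can be dry-run against the commands a NOC user would type before it is pushed to the TACACS+ policy. It assumes the matching semantics the thread describes: the command field matches only the first word (post 3), the argument field is a regular expression matched against the entire remainder of the line (post 10), slashes are treated as separators before matching (post 11's "GigabitEthernet 1 1 1" observation), the first matching rule wins, and the "unmatched commands" / "unmatched arguments" settings decide what happens when nothing matches. The names `Rule`, `CommandPolicy`, `authorize`, `normalize` and the `READ_ONLY` rule set are constructed for this example and are not ClearPass identifiers.

```python
import re
from dataclasses import dataclass, field
from typing import List


@dataclass
class Rule:
    """One row of a command-authorization table (constructed model)."""
    command: str    # first word of the CLI line only, e.g. "clear"
    argument: str   # regex over the rest of the line, e.g. r"counters( .*)?"
    permit: bool    # True = permit, False = deny


@dataclass
class CommandPolicy:
    """Rule list plus the two 'unmatched' defaults from the commands tab."""
    rules: List[Rule] = field(default_factory=list)
    permit_unmatched_commands: bool = False
    permit_unmatched_arguments: bool = False


def normalize(cli: str) -> str:
    # Assumption modelled on post 11: the policy engine sees "1 1 1", not
    # "1/1/1", so slashes become separators and whitespace is collapsed.
    return " ".join(cli.replace("/", " ").split())


def authorize(policy: CommandPolicy, cli: str) -> bool:
    """Return True if the CLI line would be permitted, False if denied."""
    words = normalize(cli).split()
    if not words:
        return False                      # empty line: nothing to authorize
    command, argument = words[0], " ".join(words[1:])

    # Command field matches the first word only (post 3's observation).
    candidates = [r for r in policy.rules if r.command == command]
    if not candidates:
        return policy.permit_unmatched_commands

    # Argument field is a regex over the whole remainder; first match wins.
    for rule in candidates:
        if re.fullmatch(rule.argument, argument):
            return rule.permit
    return policy.permit_unmatched_arguments


# Constructed read-only rule set covering the cases raised in the thread:
# "clear counters <interface>" allowed, "clear ip ..." denied, per-interface
# running-config allowed but full running-config denied, and a port range.
READ_ONLY = CommandPolicy(
    rules=[
        Rule("clear", r"counters( .*)?", True),
        Rule("clear", r"ip .*", False),
        Rule("show", r"running-config interface .*", True),
        Rule("show", r"running-config", False),
        Rule("show", r".*", True),
        Rule("interface", r"GigabitEthernet 1 1 [1-4]", True),
    ],
    permit_unmatched_commands=False,
    permit_unmatched_arguments=False,
)


def dry_run(policy: CommandPolicy, lines: List[str]) -> List[tuple]:
    """Evaluate each line and return (line, permitted) pairs for review."""
    return [(line, authorize(policy, line)) for line in lines]


if __name__ == "__main__":
    sample = [                            # constructed NOC command sample
        "clear counters GigabitEthernet1/0/1",
        "clear counters",
        "clear ip route *",
        "show running-config interface GigabitEthernet1/0/21",
        "show running-config",
        "interface GigabitEthernet 1/1/3",
        "interface GigabitEthernet 1/1/5",
        "configure terminal",
    ]
    for line, ok in dry_run(READ_ONLY, sample):
        print(f"{'PERMIT' if ok else 'DENY  '}  {line}")
```

Because argument regexes are anchored to the whole remainder (`re.fullmatch`), a rule such as `running-config` does not accidentally cover `running-config interface ...`, and the order of the rows matters: the specific permit must sit above the catch-all. Changing `permit_unmatched_arguments` to `True` reproduces what post 8 saw, with every otherwise-unmatched `clear` variant becoming permitted.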