Security

I am using ClearPass to authorize commands on Cisco devices per AD group.  For the read-only group, I am putting the user into priv 15 and then permitting/denying the specific shell commands.  This way I do not have to configure separate privilege levels on each of the Cisco devices.  I would like users in the read-only group to be able to "clear counters" on interfaces but NOT allow them to "clear IP <anything>".  I have tried creating what I thought would work (pasted below) but it will not allow me to specify an interface after the "counters" argument.  Is there a wildcard entry that I can add that would solve my problem?

Have you tried re-structuring the commands as below:

• I have copied what you had but it does seem to allow "clear ip <argument>"
• I then removed the third entry; the "clear" with no arguments and a permit and then nothing is allowed through
• from my experience, it seems that the "command" entry can only have the first word of the string, adding anything else seems to be ignored

* bump *

Would anyone have any ideas on this?  I cannot seem to allow "clear counters *" without allowing "clear *"

The only other way I could see this working is as below:

Sorry I don't have a test lab to try this out on at the moment so these are just suggestions.

Thank you for your reply.  I have entered in the syntax exactly as you have described and here are the results:

- I am able to run "clear counters" but with no arguments after.  I cannot specify a particular interface

- I am prevented from running "clear ip *" which is what I am looking for

If there is a way to add a wild card somehow to the "clear counters" to allow our NOC to specify individual interfaces, that would complete my task.

Try changing the unmatched arguments to permit instead of deny and see if that fixes the issue.

Changing the unmatched arguments to permit now allows "clear *"  (clear <everything>)

I am looking for the same, it would be great if a wildcard can be used.  I want to be able to allow users in a certain Enforcement Profile to be able to run "show running-config interface *" but prevent them from running a "show running-config".  Unmatched Arguments allows the latter which is no good

Wildcards are supported.. Basically have to use regexp style formatting in your arguments.

Example: Wildcards and Ranges 

While trying to setup a restricted command set for our NOC on a cisco 3850 I found that I couldnt match on GigabitEthernet 1/1/1. After some debuggin and a packet capture with the help of TAC it was discovered that CPPM wanted to see GigabitEthernet 1 1 1. No slashes.  Hope this helps someone. In the pic i have the wildcard setup for Gi1/1/1-4

Cisco 3850  ios3.6.7

aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization network default local group radius
aaa authorization auth-proxy default group radius

CPPM 6.6.5.xxxx

Directions from brodiman

CPPM

In your enforcement profile

selected service = shell

privilege level = 15

In your commands tab

service type = shell

check enable to permit unmatched commands.

click add

command = show

argument = version

leave the rest default click save and test.