topic Hi Mark, in Network Access Control

tacacs+ server command configuration

sfarazaz123 — Mon, 11 Mar 2019 06:42:02 GMT

Hi guys,

i am want to configure the tacacs+ server and want to add a rule that if user dont use the "add" command in defining the new vlan on the trunk it should get denied.

for example

switchport trunk allowed vlan add xx

He should not be able to use the simple command without add.

How can i write this rule and how i can implement this rule on the users for all network devices.

i need some simple examples to understand this.

Thanks in advance

Faraz

hello!

George Stefanick — Fri, 22 Apr 2016 19:53:56 GMT

hello!

You might want to post this on the switch / security forums.

Hi

Mark Malone — Mon, 25 Apr 2016 12:40:18 GMT

If you have a trunk with vlans specified you need to use add syntax if you don't it will wipe the other vlans from the trunk and only use the last one you specified so you will break the trunk link as they wont6 match any longer on each side

Not sure what that has to do with tacacs though as tacacs is for access ?

Hi Mark,

sfarazaz123 — Mon, 25 Apr 2016 13:07:09 GMT

Hi Mark,

Thanks for the reply. My question is regarding AAA authorization.

As you mention if we dont use the "add" parameter, than it will wipe out all other vlan configuration on the trunk.

I want to avoid that mistake by putting the tacacs+ authorization rule. As it happen before that we have for example 10 vlans on a trunk and we want add another one. By mistake we didnt use the "add" command and it wipe out all other vlan information on the trunk.

So the rule should be like this

if "add" is not use in the switchport trunk allowed vlan command -> deny to add the vlan.

I hope now i explain what you can understand 🙂

Best Regards

Faraz

I have never seen that done

Mark Malone — Mon, 25 Apr 2016 14:19:23 GMT

I have never seen that done through authorisation after being logged in , AAA is not capable of making sure a user doesn't make a mistake like that its just for access security

If you were trying to do it from prime 3.0 or above through compliance it could probably be done as you can build rule bases against access and configuration to do it but not under cli in router/switch

AAA is for access , you can put the user in a low end privilege group so he cant make changes like that again preventing this from happening but it does not have the feature of preventing mistakes as far as im aware

Hi Marks

sfarazaz123 — Mon, 25 Apr 2016 19:41:03 GMT

Hi Marks

Thanks alot of the clearing the confusion.