topic How to restrict "Reload" command on some devices in Network Access Control

How to restrict "Reload" command on some devices

JCRE — Mon, 11 Mar 2019 06:54:06 GMT

Hello, sorry for my English.

We need to restrict the execution of the "Reload" command on certain switches and routers considered Core or concentrators.

I could implement the restriction of the use of command using EEM but I left out a switch 6500, Core of Data Center, because the version of the operating system does not support EEM.

We have configured AAA and do authentication against a TACACS server where users listed there (nonlocal) to access the devices.

In fact, we grant permissions to execute certain commands only via the file "tac_plus.conf" that resides on the TACACS server.

What I could not do is restrict the execution of "Reload" using the same method, only I got doing with EEM on routers and switches critical.

I would like to know if it is possible to restrict the "reload" command on certain devices, configuring the instructions in the "tac_plus.conf" file.

Thank you very much.

Hi

Francesco Molino — Thu, 30 Jun 2016 20:56:21 GMT

I've never used in production other tacacs server except Cisco ACS.

However, on your tac_plus.conf, you can create some profiles and deny or permit some commands. Within this profiles, you can do a deny "reload". Have you tried it?

It should looks like:

group = Usercommand {
default service = permit
cmd = no {
deny reload*
....."

On the switch, I assume you have configured the aaa authorization command?

Thanks

PS: Please don't forget to rate and mark as correct answer if this solved your issue

Hi supportlan,

JCRE — Fri, 01 Jul 2016 13:21:30 GMT

Hi supportlan,

We use the tac_plus.conf file, through which we allow certain commands, this is part of what we have configured:

monitoring group = {
        #Mesa Monitoring - Use Skey and have allowed commands
        login = skey
        service = exec {
        }
        cmd = set {
        permit terminal
        }
        cmd = interface {
        permit. *
        }
        cmd = ip {
        permit accounting
        }

If I apply the denial of "reload" command as what you suggest, this would apply to all devices on the network, but we just want to do about the devices considered Core.
Am I right?

Yes, I confirm that we have set "aaa authorization command".

This is what we have configured on the switch:

aaa new-model
aaa authentication login default group tacacs Local +
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs Local +
aaa authorization commands 1 default group tacacs + if-authenticated Local
aaa authorization commands 15 default group tacacs + if-authenticated Local

Thanks for your help.

On ACS it would be possible

Francesco Molino — Fri, 01 Jul 2016 13:50:45 GMT

On ACS it would be possible but don't know on your server. Are you able to define rules on specific nas-ip?

I'm not very familiar with 3rd party tacacs server. As I know you can define rules per user but what about nas-ip (client device)?

Thanks

PS: Please don't forget to rate and mark as correct answer if this solved your issue

Hello, I very much appreciate

JCRE — Fri, 01 Jul 2016 14:28:41 GMT

Hello, I very much appreciate your answer, I believe to be right when I say that if I use "deny" for a command, this applies across the network, therefore I is not helpful to our case.

Anyway, thank you very much for your time and help.

Across the network, well it

Francesco Molino — Fri, 01 Jul 2016 14:36:26 GMT

Across the network, well it depend if you can do rule set bases on nas-ip.

you're very welcome