topic Re: ACS 3.2 Command Authorization Wildcards?? in Network Access Control

ACS 3.2 Command Authorization Wildcards??

aaronw — Sun, 10 Mar 2019 14:43:54 GMT

Does anyone know if it is possible to use wildcards with a Shell Command Authorization Set?

I am setting up the following types of users:

Cisco Admins (Unrestricted)

Cisco Operators (restricted, but capable of a lot).

What we want to allow the operators to have enough access to fix a problem, (with us walking them through on the phone), but not allow them the following:

Show run, show start... So they cannot get the passwords.

copy ANYTHING into startup-config. We do not want them to be able to write any configs.

There are so many options to copy from: ftp, tftp, run, flash, etc... I wanted to use a wildcard for

copy; deny * startup-config

copy; deny running-config *

copy; deny startup-config *

this will prevent them from overwriting the startup-config, and will prevent them from copying the configs anywhere, where they can get the encrypted passwords & run a utility to crack the passwords.

As of now, I am putting in all possible options into the authorization set, but I would LOVE to use a wildcard.

Any thoughts?

Re: ACS 3.2 Command Authorization Wildcards??

didyap — Tue, 06 Apr 2004 15:46:37 GMT

As of now, wildcards can be used with IP addresses only I guess.

Re: ACS 3.2 Command Authorization Wildcards??

aaronw — Tue, 06 Apr 2004 16:33:34 GMT

I ended up with the following:

Copy

deny running-config

deny startup-config

deny tftp startup-config

deny /erase

deny flash startup-config

deny ftp startup-config

deny null startup-config

deny pram startup-config

deny rcp startup-config

deny system startup-config

deny xmodem startup-config

deny ymodem startup-config