topic Re: Tacas+ limit specific commands under one command layer in Network Access Control

Tacas+ limit specific commands under one command layer

yongwli — Tue, 11 Dec 2018 14:16:18 GMT

Hi Experts,

Our customer would like to use ISE (TACACS) to control the CLI command authorization.

However, they are using HUAWEI data center switch, and they want to limit “shutdown” command under ospf process, but allow this command under interface configuration, for example:

Interface 10GE1/1/1

shutdown ## Legal command

ospf 1

shutdown ## Illegal command, disallowed.

Can ISE satisfy this requirement?

Re: Tacas+ limit specific commands under one command layer

Surendra — Tue, 11 Dec 2018 14:26:52 GMT

A command is a command for ISE. There is no provision in TACACS+ Protocol to mention the mode under which this is being executed. Network device sends the command and the arguments and ISE will simply do a regex match.

Re: Tacas+ limit specific commands under one command layer

yongwli — Wed, 12 Dec 2018 06:14:18 GMT

thank you

Re: Tacas+ limit specific commands under one command layer

paul — Wed, 12 Dec 2018 15:42:17 GMT

While a command is a command so you can't tell where the shutdown is being issued you can definitely control access to the modes. Simply don't allow the user into OSPF or more to the point only allow them into "interface gig*".

Also just for clarification you don't need to put "*" in the arguments. If you don't put anything in there it assumes all arguments.

Re: Tacas+ limit specific commands under one command layer

Eric R. Jones — Wed, 12 Dec 2018 23:25:53 GMT

Hello, I read your post and I'm dealing with something similar with ISE and ACS TACACS+ Command Sets. I need to restrict Tier1 and Tier2 Admins from specific interfaces. Prior to now I use deny int* g*1/1/1, deny int* g*1/1/2 etc.. being specific to each interface; however, that no longer works. I created a few regex e.g. g?*^([1-4]\/[1-4]\/[1-4])& and it works in regex101.com however it's unrecognized in ACS or ISE command sets. All Cisco documentation points to this being a properly formatted regex.

1. Is there a difference between how ISE handles regex in Command Sets?

2. Is there a definitive document on regex for Cisco devices?

Re: Tacas+ limit specific commands under one command layer

Surendra — Thu, 13 Dec 2018 06:45:02 GMT

This Regex is not valid g?*^([1-4]\/[1-4]\/[1-4]).

? is not quantifiable.

Re: Tacas+ limit specific commands under one command layer

Eric R. Jones — Thu, 13 Dec 2018 06:55:25 GMT

Should "?" be replace with "." to denote a single character?

So the regex reads starting with g any other valid character and in the second position and any number of characters after that?

I was reading the using g* would only look for a continuous repeat of the letter g.

Re: Tacas+ limit specific commands under one command layer

Surendra — Thu, 13 Dec 2018 07:08:02 GMT

g.* is the right way to do it.

Re: Tacas+ limit specific commands under one command layer

Eric R. Jones — Tue, 29 Jan 2019 03:10:22 GMT

Found what I was looking for.

It doesn't work under ACS Command sets but it works under ISE so that's good enough for me.

Re: Tacas+ limit specific commands under one command layer

Eric R. Jones — Sat, 16 Mar 2019 01:14:23 GMT

Very late update here but I did find the solution I was looking for to put in the command set on ISE.

deny interface gigabitethernet [1-4]/1/[1-4]

permit interface gigabitethernet [1-4]/0/[1-4]

I danced around this config with all manner of regex format