topic ISE 2.2 command authorization based on submode in Network Access Control

ISE 2.2 command authorization based on submode

Chun-Taek Park — Wed, 28 Feb 2018 07:12:52 GMT

Hi Expert

I am testing ISE 2.2 Device admin(TACACS+) with Nexus platform.

I want to apply command authorization based on sub command mode per account(identity).

below is example I want to do.

Goal Summary

only restrict 'shutdown' command on interface config mode, not BGP config mode per account(identity).
basically, If I define deny 'shutdown' command on command set, this command sets applied all command mode like interface, BGP etc. but I want to restrict this command only on interface sub command mode.

Example

restrict 'shutdown' command on interface config mode
permit 'shutdown' command on BGP config mode

NX-OS(config)# interface ethernet 1/1

NX-OS(config-if)# shutdown ==> restrict

NX-OS(config-if)# exit

NX-OS(config)# router bgp 65001

NX-OS(config-router)# shutdown ==> permit

NX-OS(config-router)# neighbor 1.1.1.1

NX-OS(config-router-neighbor)# shutdown ==> permit

OR

restrict 'shutdown' command on interface config mode, BGP process config mode
permit 'shutdown' command on BGP neighbor config mode

NX-OS(config)# interface ethernet 1/1

NX-OS(config-if)# shutdown ==> restrict

NX-OS(config-if)# exit

NX-OS(config)# router bgp 65001

NX-OS(config-router)# shutdown ==> restrict

NX-OS(config-router)# neighbor 1.1.1.1

NX-OS(config-router-neighbor)# shutdown ==> permit

Do you have any idea to do this ?

Regards,

Re: ISE 2.2 command authorization based on submode

ldanny — Wed, 28 Feb 2018 07:20:31 GMT

I *think* its only possible to accomplish by stating the exact port in your restrict commands.

Iet me check on this and update.

Re: ISE 2.2 command authorization based on submode

Chun-Taek Park — Fri, 02 Mar 2018 01:01:53 GMT

Hi ldanny

Thanks and do you have any update?

Regards,

Re: ISE 2.2 command authorization based on submode

hslai — Fri, 02 Mar 2018 04:03:44 GMT

I concurred with Danny's.

With T+ command authorization, the command sends to ISE will be "shutdown" without the context. If it applicable, you could simply restrict on command "interface".

NX-OS can also authorize users based on their user roles. In How To: ISE TACACS+ Configuration for Cisco NX-OS Network Devices, I gave one example.

role name demo-security
description A user-defined role example for demo purposes
rule 10 permit read-write feature interface
interface policy deny
permit interface Vethernet1

As I am no expert on NX-OS, I would suggest you to consult Nexus or NX-OS support teams for further guidance.