topic Re: TACACS in Network Access Control

TACACS

naqibsafi — Tue, 31 May 2022 10:10:03 GMT

hi everyone

i configure AAA all command deny and permit working will but the specific interface not be deny

Mark Elsen — Tue, 31 May 2022 10:30:06 GMT

- On which platform(/model) are you trying this ?

balaji.bandi — Tue, 31 May 2022 10:32:40 GMT

That should work, what ISE version, waht Device is this :

check other example as below :

How do you create TACACS+ policies that can be applied to the Network device?

naqibsafi — Wed, 01 Jun 2022 04:53:27 GMT

i use ISE 3.1

naqibsafi — Wed, 01 Jun 2022 04:53:57 GMT

i use ISE version 3.1

hslai — Thu, 02 Jun 2022 03:13:09 GMT

The argument for the interface should replace / with a space character and G should be in capital, like this:

GigabitEthernet 1 0 1

naqibsafi — Thu, 02 Jun 2022 05:58:07 GMT

I try that command also but not work

hslai — Thu, 02 Jun 2022 16:21:26 GMT

Check the T+ livelog or reports and see how the command is coming in as. You may also try capturing the packets and then AskF5: K40341514: How to decrypt the encrypted portion of TACACS+ traffic.

naqibsafi — Sat, 04 Jun 2022 07:06:29 GMT

T+ live log

hslai — Sun, 05 Jun 2022 22:57:16 GMT

Try

GigabitEthernet 1\/0\/1

marce1000 asked you earlier

> On which platform(/model) are you trying this ?

I tried it in one of our lab pods with a Cisco Catalyst 3650 on IOS-XE 3.6.10E and ISE able to reject a command as expected.

I used two command sets when the user logged-in:

1) helpDeskCmds

2) iosSecCmds

When the user issued a command like "interface g1/0/2" and the authZ failed.

3k-access#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
3k-access(config)#interface g1/0/2
Command authorization failed.

The switch I tested sent the command as "interface GigabitEthernet 1 0 2"

naqibsafi — Wed, 08 Jun 2022 07:43:28 GMT

i try that command in switch 3850 and 3750