topic Re: Cisco ISE 3.1 command set issues NEED HELP!! in Network Access Control

Cisco ISE 3.1 command set issues NEED HELP!!

fpizano1 — Tue, 30 May 2023 15:22:40 GMT

I am trying to configure certain command sets in ISE 3.1.

I need the user to only shut and no shut ports. I can't seem to get the correct syntax. The commands I have allowed work if I remove config t from command list it works. How can I make it so only shut and no shut interface work while in config t? Each time I tried it allows you to create VLANS so what I am using is wrong.

I know command set works when I remove config t from above I get this. I just cant get to to only allow shut no shut.

iaXXXX-lab-s1#sh privilege
Current privilege level is 15
iaceda-lab-s1#conf t
Command authorization failed.

Re: Cisco ISE 3.1 command set issues NEED HELP!!

mitchp75 — Tue, 30 May 2023 22:15:57 GMT

We have our Tier 2 team set up to add vlans if needed but the other commands below seem to be working fine for us.

Re: Cisco ISE 3.1 command set issues NEED HELP!!

Arne Bier — Tue, 30 May 2023 21:53:29 GMT

TACACS+ command authorization is good fun. The way to think about the config in the AAA server is this: The entire command and its arguments are sent to the AAA server when the user presses Enter. You process each line as it comes in.

But there are some things to remember:

1) Command syntax uses widlcards (the simple * and ? placeholders)

2) Argument syntax uses regular expressions (regular expressions, e.g. [a-zA-Z] etc)

3) The IOS interpreter will always send the full command and arguments to the AAA server -e.g. if a user types an abbreviated command like "conf t" then the interpreter will send "configuration terminal" - this is important because you (AAA admin) don't need to worry about processing shortcuts. Use the full command name in the "command' argument.

So I would do this

GRANT COMMAND ARGUMENT permit configure terminal permit interface permit shutdown permit exit permit show interface permit no shutdown permit end

The above means that you are permitted to enter these commands no matter which section of the CLI you are in. But we are only allowing the user to get into config mode (and to exit config mode) and then to enter the interface sub-section. User could enter the command "shutdown" in the global config (it's allowed by ISE with our config) but the command makes no sense in global config. It only makes sense in the interface sub-section. But ISE has no awareness of how the IOS CLI hierarchy works - nor does it need to. Just test to make sure the user can't do anything crazy.

Anything that does not have a permit will be denied.

"no" is also a command - we can limit that to only allow the negation of the shutdown function.

Re: Cisco ISE 3.1 command set issues NEED HELP!!

minas.balaskas — Fri, 09 Jun 2023 08:03:25 GMT

Hello All ,

Which privilege you give on the profile for the specific group ? privilege 15 ?

Thank you