07-17-2019 02:12 AM
Hello,
I have created some command profiles to limit my helpdesk users, but it didn't work:
I want to give them access to view and manipulate all interfaces of my Cisco switch and deny them access to the interface Gi1/2.
Here is the command I configured in the ISE TACACS Command Sets:
DENY_ALWAYS interface Gi1/2
Is that possible?
Thanks
Solved!
07-18-2019 05:49 AM
I saw similar results but I don't fully understand why.
Then I found a tip in a very old thread. https://ieoc.com/discussion/4666/aaa-authorization-commands
It tells us we need to add the line "aaa authorization config-commands". I did that and voila!
ccielab-3560cx(config)#aaa authorization config-commands
ccielab-3560cx(config)#end
ccielab-3560cx#wr mem
Building configuration...
[OK]
ccielab-3560cx#exit
Connection closing...Socket close.
Connection closed by foreign host.
Disconnected from remote host(172.31.1.4:22) at 20:42:57.
Type `help' to learn how to use Xshell prompt.
[C:\~]$ ssh marvin-ltd@172.31.1.4
Connecting to 172.31.1.4:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
ccielab-3560cx#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
ccielab-3560cx(config)#int gi0/2
Command authorization failed.
ccielab-3560cx(config)#int gi0/3
ccielab-3560cx(config-if)#
My command set that is allowed in the Authorization rule looks like this:
Here is my Authorization policy:
07-17-2019 08:46 AM
I tried recreating your problem and encounter the same error.
I created a limited access user and confirmed they get assigned that authorization result. My command set says to deny all where command is interface and parameter is GigabitEthernet 0/2. I tried several variations of the parameter but they all continue to mistakenly allow the command.
I looked at this example for reference:
..using the bits in table under "iosSecCmds Command set".
07-18-2019 01:57 AM
Hi Marvin,
Thank you for your reply.
On the switch I activated the debug of AAA authentication and authorization to see what happens, and I get this when I type, for example, shutdown and no shutdown:
6d23h: AAA/AUTHOR/TAC+: (1016080000): send AV service=shell
6d23h: AAA/AUTHOR/TAC+: (1016080000): send AV cmd=no
6d23h: AAA/AUTHOR/TAC+: (1016080000): send AV cmd-arg=shutdown
6d23h: AAA/AUTHOR/TAC+: (1016080000): send AV cmd-arg=<cr>
6d23h: TAC+: (1016080000): received author response status = PASS_ADD
But when I type the command interface GigabitEthernet 1/2, there is no debug line for authentication or authorization.
Is that ordinary behavior or not?
Thanks.
07-21-2019 06:58 AM
Hi Marvin,
Thank you very much, that was very helpful; it was that command that was missing from my configuration, and now it works fine.
Just for the rule on ISE: I did DENY_ALWAYS interface GigabitEthernet 1/2, not GigabitEthernet 1 2 like you did!?
Thank you again.
07-21-2019 07:14 AM
OK - you're welcome. It was a fun one to troubleshoot.
I used the "0 2" syntax in my case since when I was troubleshooting using packet capture I saw the authorization request come through following that convention. I think perhaps the system parses out the "/" character so you can enter it with or without that and get the same result.
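As an added illustration of the two points settled in this thread, here is a small Python simulation that is not code from the thread, from Cisco IOS or from ISE. It models (1) the switch-side gate: without "aaa authorization config-commands" a config-mode command is never sent to the TACACS+ server, so the ISE command set is never consulted and the command goes through; and (2) the argument matching, where "GigabitEthernet 1/2", "GigabitEthernet1/2" and "GigabitEthernet 1 2" all normalize to the same token string, mirroring the "/" being parsed out that the packet capture suggested. The AV-pair layout follows the debug output posted above (service=shell, cmd=..., cmd-arg=..., cmd-arg=<cr>). Everything else is an assumption of the simulation: the abbreviation table, the normalization rule, and the ISE evaluation order (a matching DENY_ALWAYS wins, otherwise the first matching PERMIT/DENY rule, otherwise the "permit any command not listed" setting). The HELPDESK command set and the sample commands are constructed for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed: abbreviations the simulation expands before building AV pairs.
# Assumption: IOS sends full keywords, as the thread's debug shows cmd=no / cmd-arg=shutdown.
ABBREVIATIONS = {"int": "interface", "gi": "gigabitethernet", "conf": "configure",
                 "t": "terminal", "sh": "show", "wr": "write"}


def expand(word: str) -> str:
    """Expand an abbreviated keyword, keeping any glued suffix ('gi1/2' -> 'gigabitethernet1/2')."""
    m = re.match(r"([A-Za-z]+)(.*)$", word)
    if not m:
        return word
    prefix, rest = m.groups()
    return ABBREVIATIONS.get(prefix.lower(), prefix) + rest


def ios_av_pairs(command_line: str) -> list[str]:
    """Serialize a typed command into the AV pairs seen in 'debug aaa authorization'."""
    words = [expand(w) for w in command_line.split()]
    pairs = ["service=shell", f"cmd={words[0]}"]
    pairs += [f"cmd-arg={w}" for w in words[1:]]
    pairs.append("cmd-arg=<cr>")
    return pairs


def normalize_args(args: list[str]) -> str:
    """Lower-case and tokenize so 'GigabitEthernet1/2', 'GigabitEthernet 1/2' and
    'GigabitEthernet 1 2' all become 'gigabitethernet 1 2' (assumption: '/' is parsed out)."""
    return " ".join(re.findall(r"[a-z]+|\d+", " ".join(args).lower()))


@dataclass
class Rule:
    grant: str            # "PERMIT", "DENY" or "DENY_ALWAYS"
    command: str          # command keyword, case-insensitive
    arguments: str = ""   # regex over the normalized argument string; "" matches anything


@dataclass
class CommandSet:
    rules: list
    permit_unmatched: bool = False  # ISE "Permit any command that is not listed below"


def evaluate_command_set(cmdset: CommandSet, pairs: list[str]) -> str:
    """Assumed ISE order: any matching DENY_ALWAYS fails the request; otherwise the
    first matching PERMIT/DENY rule decides; otherwise permit_unmatched decides."""
    cmd = next(p[len("cmd="):] for p in pairs if p.startswith("cmd="))
    args = [p[len("cmd-arg="):] for p in pairs if p.startswith("cmd-arg=") and p != "cmd-arg=<cr>"]
    arg_str = normalize_args(args)
    first = None
    for rule in cmdset.rules:
        if rule.command.lower() != cmd.lower():
            continue
        if rule.arguments and not re.search(rule.arguments, arg_str, re.IGNORECASE):
            continue
        if rule.grant == "DENY_ALWAYS":
            return "FAIL"
        if first is None:
            first = rule.grant
    if first is not None:
        return "PASS" if first == "PERMIT" else "FAIL"
    return "PASS" if cmdset.permit_unmatched else "FAIL"


def authorize(cmdset: CommandSet, command_line: str, in_config_mode: bool,
              config_commands_enabled: bool) -> str:
    """Switch-side behaviour from the thread: without 'aaa authorization config-commands'
    a config-mode command is never sent to the server, so it is implicitly allowed."""
    if in_config_mode and not config_commands_enabled:
        return "PASS"
    return evaluate_command_set(cmdset, ios_av_pairs(command_line))


# Constructed command set mirroring the thread: everything on interfaces except Gi1/2.
HELPDESK = CommandSet(rules=[
    Rule("DENY_ALWAYS", "interface", r"^gigabitethernet 1 2$"),
    Rule("PERMIT", "interface"),
    Rule("PERMIT", "shutdown"),
    Rule("PERMIT", "no", r"^shutdown$"),
    Rule("PERMIT", "configure"),
    Rule("PERMIT", "show"),
])

if __name__ == "__main__":
    for line in ("int gi1/2", "interface GigabitEthernet 1 2", "int gi1/3", "no shutdown", "wr mem"):
        print(f"{line:32} without config-commands: "
              f"{authorize(HELPDESK, line, True, False)}   with: {authorize(HELPDESK, line, True, True)}")
```

Run it to see the pre-fix column pass every config-mode command and the post-fix column fail only "int gi1/2" (in either spelling) and the unlisted "wr mem". The DENY_ALWAYS rule is written against the normalized form; if a server's actual argument matching does not strip the "/", write the regex to accept both forms, as the thread's final exchange shows both spellings worked in practice.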