ISE Command Set Not Working as Expected

magates
Level 1

I have a command set for some technicians that we grant fewer commands to, and am trying to limit specific commands, but it is not working as expected for some of them. Note that I am testing this with a user in the correct identity group that is given the correct command set and shell profile.

Example: We do not want them making changes to port-channels, so I have Deny | int* | po.* and it is the first rule in the command set. An account assigned to that profile is still able to issue the command:
     switch (config) # int port-channel 1
I have also tried Deny | int* | port-channel * with the same result.

Example 2: We do not want them assigning a port-security maximum of more than 2, so I have
     Allow | sw* | po.* m.* [1-3] as a rule, and directly under it Deny | sw* | po.* m.*
I have also tried Deny | sw* | po.* m.* and Deny | sw* | port-security maximum *
as the very first rule in the command set, and the account can still issue the command:
     switch (config-if) # switchport port-security maximum 8
in any of those 3 scenarios.

Accepted Solution
hslai
Cisco Employee

Below working for me.

  1. To Deny commands such as int port-channel 1
    • Grant: DENY_ALWAYS
    • Command: interface
    • Arguments: Port-channel
    • Use DENY_ALWAYS to disregard the ordering of the command sets.
  2. To Permit commands switchport port-security maximum 1 to 3
    • Grant: PERMIT
    • Command: switchport
    • Arguments: port-security maximum [1-3]
  3. To Deny commands switchport port-security maximum > 4
    • Grant: DENY_ALWAYS
    • Command: switchport
    • Arguments: port-security maximum ([4-9]|[0-9]{2,4})
    • This denies a single numeric 4~9 or 2~4 numeric digits; use DENY_ALWAYS to disregard the ordering of the command sets; if using DENY instead of DENY_ALWAYS, then this line needs to be after the permit one and the arguments can be simply "port-security maximum"

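To see how the three rules above decide a command, here is an added Python model (not code from hslai's post or from ISE). It assumes the evaluation model hslai describes: any matching DENY_ALWAYS denies regardless of position, otherwise the first matching PERMIT/DENY in list order decides, otherwise the set's default for unlisted commands applies; it also assumes the Command column is a literal, case-insensitive word and the Arguments column is an unanchored, case-insensitive regular expression over the rest of the line. The sample commands are constructed.

```python
import re
from dataclasses import dataclass


@dataclass
class Rule:
    grant: str      # "PERMIT", "DENY" or "DENY_ALWAYS"
    command: str    # literal command word (assumed case-insensitive match)
    arguments: str  # regular expression over the argument string


# The three rules from the accepted answer, in list order.
RULES = [
    Rule("DENY_ALWAYS", "interface", r"Port-channel"),
    Rule("PERMIT", "switchport", r"port-security maximum [1-3]"),
    Rule("DENY_ALWAYS", "switchport", r"port-security maximum ([4-9]|[0-9]{2,4})"),
]

# Variant from hslai's last note: plain DENY with the short argument pattern.
# With DENY the position of the rule matters; both orders are modelled below.
DENY_AFTER_PERMIT = [RULES[1], Rule("DENY", "switchport", r"port-security maximum")]
DENY_BEFORE_PERMIT = list(reversed(DENY_AFTER_PERMIT))


def rule_matches(rule, command, arguments):
    # Assumption: unanchored regex search, so "maximum [1-3]" also hits "maximum 12".
    return (rule.command.lower() == command.lower()
            and re.search(rule.arguments, arguments, re.IGNORECASE) is not None)


def evaluate(rules, command, arguments, permit_unlisted=False):
    """Return "PERMIT" or "DENY" for one command under the assumed evaluation model."""
    matches = [r for r in rules if rule_matches(r, command, arguments)]
    if any(r.grant == "DENY_ALWAYS" for r in matches):
        return "DENY"                     # DENY_ALWAYS wins regardless of ordering
    if matches:
        return matches[0].grant           # first PERMIT or DENY in list order
    return "PERMIT" if permit_unlisted else "DENY"   # default for unlisted commands


def evaluate_line(rules, line, permit_unlisted=False):
    """Split a CLI line into the command word and its argument string, then evaluate."""
    parts = line.split(maxsplit=1)
    return evaluate(rules, parts[0], parts[1] if len(parts) > 1 else "", permit_unlisted)
```

Under the unanchored matching assumed here, "switchport port-security maximum 12" is caught by the [1-3] PERMIT as well, so an ordered DENY placed after that PERMIT lets it through while the DENY_ALWAYS rule still blocks it.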
