ACS 5.2 Command sets - multiple arguments?

Let's say you want a user to be able to go into interface mode to change a VLAN; however, you only want them to be able to issue "int gig x/x/x" or "int fa x/x" and nothing else...???

So my command set looks like the following:

Grant                      Command                            Arguments

permit                     interface                            

So basically they can do anything under the interface command; however, that opens up a lot of other choices (i.e. int po10) that we don't want this particular level of user to have access to...

So I tried the following with no success...

Grant                      Command                            Arguments

permit                     interface                              fastethernet

permit                     interface                              gigabitethernet

Problem is, the user can only do "int fa0/x"... they can't issue "int gig x/x/x". Ironically, even when I switched the commands around they still couldn't issue "int gig x/x/x"... (wasn't sure if this was like an ACL and, since it found a match on fa, it wouldn't go on to the next argument)...

So that brings up question 2... What if we want to keep them from being able to access the uplink ports (let's assume all of the uplink ports are gig uplink ports and not randomly placed on the switch... lol...)??? Meaning they could access fa0/1 - 48 or gig 1/0/1 - 1/0/48 but not gig 1/0/49 - 52, for example... How would I do that in ACS 5.2?

7 Replies

Jatin Katyal
Cisco Employee

Have you checked this for multiple arguments?

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/pol_elem.html#wp1123564


Note: All arguments are case insensitive, so type the exact argument, the one you see in the passed/failed authentication in ACS.


Rgds,

Jatin

Do rate helpful posts~

~Jatin

Thanks for the link...

I wish the example was a little more in depth though...

I'm not following what this statement in the documentation is really saying...

{}* means a list in {} with zero or more entries of the object defined inside the {}. It means that a command list may have zero or more commands.

I tried...

Grant               Command                   Arguments

Permit              interface                       fa* [0]/[0-22]

Command authorization failed trying to get to any interface

Grant               Command                   Arguments

Permit              interface                       fa* 0/*

Allows access to any interface

Grant               Command                   Arguments

Permit              interface                       fa* 0/[0-22]

Permit              interface                       fa* 0/0-22

Command authorization failed trying to get to any interface

So if you can point me in the right direction on the wildcards in the arguments statement, or provide an example of how you would only allow access to gig 1/0/1 - 48, for example...

Please refer to this doc,


https://supportforums.cisco.com/docs/DOC-8572


If you are not sure about the syntax, the best way is to check the TACACS+ authorization logs and see how the command is sent by the AAA client. Copy the command and put it in the command set.


Example


If you see this in tacacs authorization


[ CmdAV=show ip interface brief  ]


[CmdAV=interface fastEthernet0/0/1 ]


Configure ACS like this:

Grant=Permit

command = show

Argument = ip interface brief


Grant=Permit

command = interface

Argument= fastEthernet0/0/1

Hope that helps!


Regards,

~JG


Do rate helpful posts

Thanks for the responses.... Let me clarify my original question...

I have everything working with TACACS+ and the restriction of different tiers of users. I can enter a permit-------->interface----------->fa*........ That allows access to any FastEthernet connection, but what I am specifically asking is how to limit the user to only ports 1-24, for example. Let's say we don't want a help-desk-type engineer to accidentally shut down an uplink port... Sorry if my original request wasn't clear...

How many total FA ports do you have on the switch?

Rate if Useful :)

Sharing knowledge makes you Immortal.

Regards,

Ed

Hi,

Facing the same issue in ISE command sets also. Did you get an answer? Tried searching many docs; it's still not resolved. Please help to resolve this.

Regards,

Naveen.R.B

Kamal Machareka
Level 1

Hello grnetcomss,

You probably figured this out already but I hope this helps others like you (three years ago) and me (few days ago) who have similar challenges :)

The following worked for me:

Grant                      Command                            Arguments

deny                        interface                              serial

deny                        interface                              port-channel

permit                     interface

In order to lock down access to the uplink ports:

deny                        interface                              GigabitEthernet 1/0/25

deny                        interface                              GigabitEthernet 1/0/26

That's for a 24-port switch I have with two SFP uplinks in the channel. I suspect you have a mix of 24- and 48-port switches, which will make the ACS configuration a bit more complicated. You have to break your switches into different groups and apply different command sets to each group based on port counts and types...

It does appear that if you match a permit, the following lines are overlooked, so make sure the specific denies are higher up on the list.

Hope this helps!

Regards,

Kamal
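
The following is an added example, not part of this thread and not Cisco code. It is a small Python model of the two points the replies above make: JG's advice to read the `CmdAV=` entries from the TACACS+ authorization log and copy the command and argument exactly, and Kamal's observation that the first matching line in the command set decides, so specific denies must sit above the broad permit. It also answers the original question about restricting a user to ports 1-24 or 1-48: the reason attempts like `fa* 0/[0-22]` failed is that a character class such as `[0-22]` matches one character in the range 0-2, not the numbers 0 to 22; a numeric range has to be spelled out as an alternation. The model makes three assumptions that the page does not confirm and that should be checked against the real ACS/ISE behaviour: the command word is compared whole and case-insensitively, the Arguments field is treated as a case-insensitive regular expression matched from the start of the argument string as it appears in the log, and unmatched commands fall to the command set's default (the "permit any command not in the table" setting being off). The `SAMPLE_LOG` lines are constructed in the shape JG quoted.

```python
"""Model of ACS 5.x / ISE style TACACS+ command-set evaluation (first match wins).

Added example for the thread above; the matching semantics are assumptions,
not a reproduction of Cisco's implementation.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample log entries, shaped like the CmdAV lines JG quoted.
SAMPLE_LOG = """\
[ CmdAV=show ip interface brief  ]
[CmdAV=interface fastEthernet0/1 ]
[CmdAV=interface FastEthernet0/25 ]
[CmdAV=interface GigabitEthernet1/0/12 ]
[CmdAV=interface GigabitEthernet1/0/49 ]
[CmdAV=interface Port-channel10 ]
[CmdAV=shutdown ]
"""

# First token after CmdAV= is the command, the rest (trimmed) is the argument string.
CMDAV_RE = re.compile(r"\[\s*CmdAV=(?P<cmd>\S+)\s*(?P<args>.*?)\s*\]")


def parse_cmdav(line: str) -> Optional[Tuple[str, str]]:
    """Split one CmdAV log entry into (command, arguments) as the AAA client sent it."""
    m = CMDAV_RE.search(line)
    if not m:
        return None
    return m.group("cmd"), m.group("args")


@dataclass
class Rule:
    grant: str           # "permit" or "deny"
    command: str         # command word, compared whole (assumed case-insensitive)
    arguments: str = ""  # regex over the argument string; empty matches any arguments


def rule_matches(rule: Rule, cmd: str, args: str) -> bool:
    """Assumption: whole-word command compare, regex on arguments anchored at start."""
    if rule.command.lower() != cmd.lower():
        return False
    if not rule.arguments:
        return True
    return re.match(rule.arguments, args, re.IGNORECASE) is not None


def authorize(rules: List[Rule], cmd: str, args: str, default: str = "deny") -> str:
    """First matching line decides (Kamal's ordering rule); otherwise the set default."""
    for rule in rules:
        if rule_matches(rule, cmd, args):
            return rule.grant
    return default


# Hypothetical help-desk command set for a 48-port stack member whose uplinks are
# Gi1/0/49-52 and a 24-port FastEthernet switch. Ranges are alternations, because
# a character class like [0-22] matches a single character, not 0..22.
HELPDESK_RULES = [
    Rule("deny",   "interface", r"Port-channel"),                        # no port-channels
    Rule("deny",   "interface", r"GigabitEthernet1/0/(49|5[0-2])$"),     # uplinks, before the permit
    Rule("permit", "interface", r"GigabitEthernet1/0/\d+$"),             # any other Gi1/0/x
    Rule("permit", "interface", r"FastEthernet0/([1-9]|1\d|2[0-4])$"),  # Fa0/1 - Fa0/24 only
    Rule("permit", "shutdown"),                                          # empty args = any
    Rule("permit", "show",      r"ip interface brief"),
]


def authorize_log(log: str, rules: List[Rule]) -> List[Tuple[str, str]]:
    """Run every CmdAV entry of a log through the command set; returns (command, verdict)."""
    results = []
    for line in log.splitlines():
        parsed = parse_cmdav(line)
        if parsed:
            cmd, args = parsed
            results.append((f"{cmd} {args}".strip(), authorize(rules, cmd, args)))
    return results


if __name__ == "__main__":
    for command, verdict in authorize_log(SAMPLE_LOG, HELPDESK_RULES):
        print(f"{verdict:6} {command}")
    # Same set with the uplink deny placed after the broad permit: uplink is now allowed.
    reordered = [HELPDESK_RULES[2], HELPDESK_RULES[1]]
    print("misordered:", authorize(reordered, "interface", "GigabitEthernet1/0/49"))
```

Running it shows the uplink `GigabitEthernet1/0/49` and `Port-channel10` denied, `FastEthernet0/25` denied by the default because it is outside 1-24, and the same uplink permitted once the broad permit is placed above the deny, which is the ordering effect Kamal describes. Before trusting any of the regexes on a real ACS or ISE node, confirm the exact argument string in the authorization log as JG suggests and test the set against a lab switch.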