02-02-2011 12:46 PM - last edited on 03-10-2019 05:47 PM by NikolaIvanov
Let's say you want a user to be able to go into interface mode to change a vlan, however you only want them to be able to issue "int gig x/x/x" or "int fa x/x" & nothing else...???
So my command set looks like the following:
Grant Command Arguments
permit interface
So basically they can do anything under the interface command, however since that opens up a lot of other choices (i.e. int po10) we don't want this particular level user to have access too...
So I tried the following with no success...
Grant Command Arguments
permit interface fastethernet
permit interface gigabitethernet
Problem is, the user can only do "int fa0/x"... they can't issue "int gig x/x/x".. ironically, even when I switched the commands around they still couldn't issue "int gig x/x/x".... (wasn't sure if this was like an ACL & since it found a match on fa it wouldn't go to the next argument)...
So that brings up question 2... What if we want to keep them from being able to access the uplink ports... (let's assume all of the uplink ports are gig uplink ports & not randomly on the switch... lol...)??? Meaning they could access fa0/1 - 48 or gig 1/0/1 - 1/0/48 but not gig 1/0/49 - 52 for example... how would I do that in ACS 5.2?
02-02-2011 09:05 PM
Have you checked that for multiple arguments
Note: All arguments are case insensitive, so type the exact argument as you see it in the passed/failed authentications in ACS.
Rgds,
Jatin
Do rate helpful posts~
02-03-2011 10:14 AM
Thanks for the link...
I wish the example was a little more in depth though...
I'm not following what this statement in the documentation is really saying...
{)* means a list in {} with zero or more entries of the object defined inside the {}. It means that a command list may have zero or more commands.
I tried...
Grant Command Arguments
Permit interface fa* [0]/[0-22]
Command authorization failed trying to get to any interface
Grant Command Arguments
Permit interface fa* 0/*
Allows access to any interface
Grant Command Arguments
Permit interface fa* 0/[0-22]
Permit interface fa* 0/0-22
Command authorization failed trying to get to any interface
So if you can point me in the right direction on the wildcards in the arguments statement, if you can provide an example of how you would only allow access to gig 1/0/1 - 48 for example...
02-03-2011 04:01 PM
Please refer to this doc,
https://supportforums.cisco.com/docs/DOC-8572
If you are not sure about the syntax, best way is to check tacacs authorization logs and see how Command is sent by aaa-client. Copy the command and put in the command set.
Example
If you see this in tacacs authorization
[ CmdAV=show ip interface brief ]
[CmdAV=interface fastEthernet0/0/1 ]
Configure ACS like,
Grant=Permit
command = show
Argument = ip interface brief
Grant=Permit
command = interface
Argument= fastEthernet0/0/1
Hope that helps!
Regards,
~JG
Do rate helpful posts
02-04-2011 06:21 AM
thanks for the responses.... let me clarify my original question...
I have everything working with tacacs & the restriction of different tiers of users.. I can enter a permit-------->interface----------->fa*........ That allows access to any fastethernet connection but what I am specifically asking is how to limit the user to only ports 1-24 for example... Let's say we don't want a help desk type engineer accidentally shutting down an uplink port... sorry if my original request wasn't clear...
05-26-2014 07:28 AM
How many total FA ports do you have on the switch?
Rate if Useful :)
Sharing knowledge makes you Immortal.
Regards,
Ed
05-16-2017 05:11 AM
Hi,
Facing same issue in ISE command sets also, did you get answer. tried searching many doc. still it's not resolved. Pls help to resolve this.
Regards,
Naveen.R.B
05-20-2014 04:19 PM
Hello grnetcomss,
You probably figured this out already but I hope this helps others like you (three years ago) and me (few days ago) who have similar challenges :)
The following worked for me;
Grant Command Arguments
deny interface serial
deny interface port-channel
permit interface
In order to lock down access to uplink ports;
deny interface GigabitEthernet 1/0/25
deny interface GigabitEthernet 1/0/26
That's for a 24 port switch I have with two SFP uplinks in the channel. I suspect you have a mix of 24 and 48 port switches which will make the ACS configuration a bit more complicated. You have to break your switches into different groups and apply different command sets to each group based on port counts and types...
It does appear that if you match a permit, the following arguments are overlooked, so make sure the specific denies are up on the list.
Hope this helps!
Regards,
Kamal
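A small Python model of the first-match behaviour described in this thread, added here as an example and not taken from ACS, ISE or any of the posters: it treats the command set as an ordered list, compares the Command column case-insensitively, applies the Arguments column as a regular expression over the rest of the command line, and shows why the uplink denies must sit above the broad permit interface row. The rule list, the 1/0/49-52 uplink range and the CmdAV log lines are constructed for the example, and first-match with a default of deny for unmatched commands is an assumption modelled on Kamal's observation rather than documented ACS behaviour.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    grant: str     # Grant column: "permit" or "deny"
    command: str   # Command column, e.g. "interface"
    argument: str  # Arguments column, treated here as a regex over the rest of the line

# Constructed command set in Kamal's order (specific denies above the broad
# "permit interface") plus JG's "show" example; 1/0/49-52 is the asked-about uplink range.
COMMAND_SET = [
    Rule("deny", "interface", r"serial.*"),
    Rule("deny", "interface", r"port-channel.*"),
    Rule("deny", "interface", r"GigabitEthernet\s?1/0/(49|5[0-2])"),
    Rule("permit", "interface", r".*"),
    Rule("permit", "show", r"ip interface brief"),
]

# Constructed authorization log entries in the format JG quotes above.
SAMPLE_LOG = [
    "[ CmdAV=show ip interface brief ]",
    "[CmdAV=interface fastEthernet0/0/1 ]",
    "[CmdAV=interface GigabitEthernet1/0/12 ]",
    "[CmdAV=interface GigabitEthernet1/0/49 ]",
    "[CmdAV=interface port-channel10 ]",
    "[CmdAV=configure terminal ]",
]

def parse_cmdav(line: str):
    """Split '[CmdAV=interface fastEthernet0/0/1 ]' into ('interface', 'fastEthernet0/0/1')."""
    m = re.search(r"CmdAV=\s*(\S+)\s*(.*?)\s*\]", line)
    if not m:
        raise ValueError(f"not a CmdAV entry: {line!r}")
    return m.group(1), m.group(2)

def authorize(command_set, command: str, argument: str, unmatched: str = "deny") -> str:
    """First-match evaluation (assumption): the first rule whose command equals the sent
    command and whose pattern matches the whole argument decides; else the default applies."""
    for rule in command_set:
        if rule.command.lower() == command.lower() and re.fullmatch(rule.argument, argument, re.IGNORECASE):
            return rule.grant
    return unmatched

def evaluate_log(command_set, log_lines):
    """Decision for every CmdAV entry, keyed by the command line as sent."""
    pairs = [parse_cmdav(line) for line in log_lines]
    return {f"{c} {a}".strip(): authorize(command_set, c, a) for c, a in pairs}
```

Running `evaluate_log(COMMAND_SET, SAMPLE_LOG)` permits the access ports and the show command, denies the uplink, the port-channel and the unmatched configure command; moving the permit interface row to the top makes the uplink deny unreachable.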