07-09-2018 01:06 AM - edited 08-23-2018 10:45 PM
Hello Experts
My customer wants a user profile with command restrictions as listed in the table below. The network device is a Cisco Nexus 7000.
Basically, the customer wants to restrict some users to only certain configuration tasks. However, we are not sure whether ACS can be configured with restrictions at the sub-configuration-mode level. For example, in interface configuration mode the user can only shut or no shut the interface, and similarly for BGP configuration mode, as shown below. They are using ACS v5.6 as the TACACS server.
Please suggest how this can be achieved.
07-09-2018 10:04 AM
Hi Amit,
I suggest starting with the ACS configuration guide for shell and command authorization.
There are a few things you have to do in TACACS+: authentication, shell authorization, command authorization, and accounting.
Here are the specifics on shell and command authorization, since they use wildcard operators (command sets). You need to understand the syntax and how to do it.
Here is a snippet of configuration in Nexus 7k
When you are configuring command sets, it uses the format command and argument, so you have to stack the commands for the script to run sequentially; remember these commands are sent from the Nexus to ACS for authorization.
e.g. you can do the command config t,
then you can do interface gi1/0,
then you can do the sub-interface commands.
Please test out the command sets. You have to use wildcards correctly. Try it out and see.
Finally, there is a TACACS+ guide for ISE for the Nexus. You can use it to understand the rules for creating shell profiles and command sets, since they are the same. Take a look at it.
ISE Device Administration (TACACS+)
Thanks
Krishnan
07-09-2018 09:52 PM
Thank you Krishnan for your response and all the information.
I had a quick read through the relevant pointers you provided.
Let me reiterate the customer requirements for the Security Ops user.
From your earlier reply, it appears you are suggesting that adding the command set below will achieve points 2 and 3 mentioned above.
action | Command            | Argument |
permit | interface ethernet | *        |
permit | shutdown           |          |
permit | no shutdown        |          |
permit | router bgp         | *        |
permit | neighbor           | *        |
permit | shutdown           |          |
permit | no shutdown        |          |
Additionally, to achieve the above requirement, I am thinking I need to use the system-defined privilege role (priv-0). Or do I need to manually define a role on the N7k switch?
Looking forward to your valuable inputs.
Also, unfortunately, the customer does not have a test setup. Will it be possible for someone in the BU to test?
Regards
Amit
07-10-2018 09:53 PM
Hi Krishnan,
Could you please confirm whether my understanding below is correct.
1. Privilege level does not come into play when using command sets (per-command authorization).
2. The NX-OS command hierarchy does not matter. Each command will be authorized individually, so as long as the command sequence in the command set is appropriate, it will work.
Customer user profile requirement:
Operations L2 | Privilege level 0 | ping *, ping6 *, traceroute *, show *, telnet, telnet6, ssh, ssh6, configuration t | permit | terminal width, terminal length, clear bgp * soft, router bgp *, neighbor * shut/no shut, interface * shut/no shut |
To achieve this we can use the command set below. Please let me know if you agree.
action | Command                | Argument |
permit | ping                   | *        |
permit | ping6                  | *        |
permit | traceroute             | *        |
permit | show                   | *        |
permit | telnet                 | *        |
permit | telnet6                | *        |
permit | ssh                    |          |
permit | ssh6                   |          |
permit | configuration terminal |          |
permit | interface ethernet     | *        |
permit | shutdown               |          |
permit | no shutdown            |          |
permit | router bgp             | *        |
permit | neighbor               | *        |
permit | shutdown               |          |
permit | no shutdown            |          |
Cheers.
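An added illustration, not code from this thread and not ACS or NX-OS code, of how per-command TACACS+ authorization evaluates the "Operations L2" command set proposed above: the switch sends each command line on its own, and the server matches it against command and argument with no knowledge of which configuration mode the operator is in, which is the point behind Krishnan's "stack the commands" advice. The matching semantics are a simplified model assumed here (rule command words matched as a leading-token prefix, `*` meaning any argument, an empty argument meaning no argument, any matching deny winning); ACS 5.x's real argument regex handling and rule precedence must be checked against its command-set documentation. The session lines and addresses are constructed.

```python
"""Model of ACS-style command-set evaluation for TACACS+ command authorization.

Added example: simplified matching semantics, an assumption to be verified
against the ACS 5.x command-set documentation, not ACS's own algorithm.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str    # "permit" or "deny"
    command: str   # leading keyword(s) of the line as the switch sends it
    argument: str  # "" = no arguments allowed, "*" = any, else regex (fullmatch)


# The "Operations L2" command set transcribed from the table in the thread,
# exactly as written there (including "configuration terminal"). Constructed data.
OPS_L2 = [
    Rule("permit", "ping", "*"),
    Rule("permit", "ping6", "*"),
    Rule("permit", "traceroute", "*"),
    Rule("permit", "show", "*"),
    Rule("permit", "telnet", "*"),
    Rule("permit", "telnet6", "*"),
    Rule("permit", "ssh", ""),
    Rule("permit", "ssh6", ""),
    Rule("permit", "configuration terminal", ""),
    Rule("permit", "interface ethernet", "*"),
    Rule("permit", "shutdown", ""),
    Rule("permit", "no shutdown", ""),
    Rule("permit", "router bgp", "*"),
    Rule("permit", "neighbor", "*"),
]


def _remaining_args(rule, tokens):
    """Return the tokens after the rule's command words (joined), or None if
    the rule's command words are not the leading tokens of the line."""
    words = rule.command.split()
    if tokens[:len(words)] != words:
        return None
    return " ".join(tokens[len(words):])


def rule_matches(rule, line):
    """True if one rule matches one command line under the modeled semantics."""
    rest = _remaining_args(rule, line.split())
    if rest is None:
        return False
    if rule.argument == "":
        return rest == ""          # modeled: empty argument field = no arguments
    if rule.argument == "*":
        return True                # modeled: bare '*' = any arguments
    return re.fullmatch(rule.argument, rest) is not None


def authorize(command_set, line, permit_unlisted=False):
    """Context-free decision for one line. Modeled precedence (assumption):
    any matching deny wins, then any matching permit, else the set default."""
    actions = {r.action for r in command_set if rule_matches(r, line)}
    if "deny" in actions:
        return "deny"
    if "permit" in actions:
        return "permit"
    return "permit" if permit_unlisted else "deny"


def walk_session(command_set, lines):
    """Evaluate a sequence of lines the way the switch would send them: one at
    a time, so no rule ever sees which mode the operator is currently in."""
    return [(line, authorize(command_set, line)) for line in lines]


# Constructed operator session; the comments note what the result reveals.
SESSION = [
    "show ip bgp summary",
    "terminal length 0",                   # required in the profile, absent from the table
    "configure terminal",                  # table spells the rule "configuration terminal"
    "interface ethernet 1/1",
    "shutdown",
    "no shutdown",
    "interface loopback 0",                # not "interface ethernet", so not covered
    "router bgp 65000",
    "neighbor 192.0.2.2 shutdown",
    "neighbor 192.0.2.2 remote-as 65001",  # "neighbor *" permits far more than shut/no shut
    "ssh 192.0.2.10",                      # "ssh" rule has an empty argument field
]

if __name__ == "__main__":
    for line, decision in walk_session(OPS_L2, SESSION):
        print(f"{decision:6}  {line}")
```

Running the walk-through shows three things worth checking before the command set goes live: the `configuration terminal` rule will not match `configure terminal` if the switch sends the expanded keyword (an assumption here, to be confirmed on the device); `terminal length` and `clear bgp` from the requirement row are missing from the table, so they fall to the set's default; and `neighbor *` permits every `neighbor` sub-command, including `remote-as`, not just `shutdown`. Whether an empty argument field in ACS means "no arguments" or "any arguments" decides the `ssh` result, so that also needs confirming in the ACS guide. On an N7K whose NX-OS release supports it, `test aaa authorization command-type commands user <user> command "<command>"` gives the server's real answer for a single line without a full login.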