Cisco ISE 3.1 command set issues NEED HELP!!

fpizano1
Level 1

I am trying to configure certain command sets in ISE 3.1.

I need the user to only be able to shut and no shut ports. I can't seem to get the correct syntax. The commands I have allowed work if I remove config t from the command list. How can I make it so only shut and no shut on an interface work while in config t? Each time I try it, it allows you to create VLANs, so what I am using is wrong.

fpizano1_0-1685460075980.png

I know the command set works; when I remove config t from the above, I get this. I just can't get it to only allow shut / no shut.

iaXXXX-lab-s1#sh privilege
Current privilege level is 15
iaceda-lab-s1#conf t
Command authorization failed.

3 Replies

mitchp75
Level 1

We have our Tier 2 team set up to add vlans if needed but the other commands below seem to be working fine for us.

mitchp75_0-1685478566895.png

Arne Bier
VIP

TACACS+ command authorization is good fun. The way to think about the config in the AAA server is this: The entire command and its arguments are sent to the AAA server when the user presses Enter. You process each line as it comes in. 

But there are some things to remember:

1) Command syntax uses wildcards (the simple * and ? placeholders)

2) Argument syntax uses regular expressions (e.g. [a-zA-Z] etc.)

3) The IOS interpreter will always send the full command and arguments to the AAA server - e.g. if a user types an abbreviated command like "conf t" then the interpreter will send "configuration terminal" - this is important because you (AAA admin) don't need to worry about processing shortcuts. Use the full command name in the "command" argument.

So I would do this

GRANT      COMMAND           ARGUMENT
permit     configure        terminal
permit     interface
permit     shutdown
permit     exit
permit     show              interface
permit     no                shutdown
permit     end

The above means that you are permitted to enter these commands no matter which section of the CLI you are in. But we are only allowing the user to get into config mode (and to exit config mode) and then to enter the interface sub-section. User could enter the command "shutdown" in the global config (it's allowed by ISE with our config) but the command makes no sense in global config. It only makes sense in the interface sub-section. But ISE has no awareness of how the IOS CLI hierarchy works - nor does it need to. Just test to make sure the user can't do anything crazy.

Anything that does not have a permit will be denied. 

"no" is also a command - we can limit that to only allow the negation of the shutdown function.

tacacs-juniorops.png
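To make the matching rules in the reply above concrete (wildcards in the command field, a regular expression in the argument field, the full expanded command line arriving at the AAA server, and deny-by-default for anything not listed), here is a small Python evaluator that plays the role of the TACACS+ server for the permit table shown. It is an added illustration written for this thread, not ISE code and not a script from either poster. It assumes that an empty argument field matches any arguments, that the argument regex is searched within the argument string rather than anchored, and that rule precedence is deny_always first, then first match in list order, then the "permit any command that is not listed" default; the session lines and interface names are constructed. Run it against the OP's scenario and you can see why the "no" row needs an argument restriction: without one, "no vlan 100" would pass.

```python
"""Toy evaluator for an ISE-style TACACS+ command set (added example)."""
import re
from fnmatch import fnmatchcase

# Constructed rule list mirroring the permit table in the reply above.
# Tuple layout: (grant, command, argument regex).
# Grant is "permit", "deny" or "deny_always". An empty argument regex is
# assumed to match any arguments, including none.
JUNIOR_OPS_SET = [
    ("permit", "configure", "terminal"),
    ("permit", "interface", ""),
    ("permit", "shutdown", ""),
    ("permit", "exit", ""),
    ("permit", "show", "interface"),
    ("permit", "no", "shutdown"),   # only the negation of shutdown
    ("permit", "end", ""),
]


def rule_matches(rule, command, arguments):
    """True if one rule matches the (already expanded) command line."""
    _grant, cmd_pattern, arg_regex = rule
    # Command field: shell-style * and ? wildcards, compared case-insensitively.
    if not fnmatchcase(command.lower(), cmd_pattern.lower()):
        return False
    if arg_regex == "":
        return True
    # Argument field: a regular expression. Assumed here to be searched within
    # the argument string; anchor it (^...$) if the whole string must match.
    return re.search(arg_regex, arguments) is not None


def authorize(line, command_set=JUNIOR_OPS_SET, permit_unlisted=False):
    """Decide one command line as the AAA server sees it: the full,
    unabbreviated command followed by its arguments. Returns 'permit'/'deny'."""
    parts = line.strip().split(maxsplit=1)
    if not parts:
        return "deny"
    command = parts[0]
    arguments = parts[1] if len(parts) > 1 else ""
    matches = [r for r in command_set if rule_matches(r, command, arguments)]
    # Assumed precedence: any matching deny_always wins, then the first
    # matching rule in list order, then the unlisted-command default.
    if any(r[0] == "deny_always" for r in matches):
        return "deny"
    if matches:
        return "permit" if matches[0][0] == "permit" else "deny"
    return "permit" if permit_unlisted else "deny"


def simulate_session(lines, **kwargs):
    """Evaluate each line independently, as the server does (no CLI mode)."""
    return [(line, authorize(line, **kwargs)) for line in lines]


if __name__ == "__main__":
    # Constructed session: what a junior operator might type, after the IOS
    # parser has expanded abbreviations such as "conf t".
    session = [
        "configure terminal",
        "interface GigabitEthernet1/0/1",
        "shutdown",
        "no shutdown",
        "exit",
        "vlan 100",
        "no vlan 100",
        "show interfaces status",
        "show running-config",
        "end",
    ]
    for line, decision in simulate_session(session):
        print(f"{decision:6}  {line}")
```

Note that the evaluator, like the server, knows nothing about which CLI mode the user is in: "shutdown" is permitted at global config as well as under an interface, exactly as the reply says. Flipping `permit_unlisted` to True models the "permit any command that is not listed" setting, and is the quickest way to see unlisted commands such as "vlan 100" suddenly pass.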


minas.balaskas
Level 1

Hello All,

Which privilege do you give on the profile for the specific group? Privilege 15?

Thank you