excluding tacacs section in show run using AV pairs in ISE?

holger2meyer (Level 1)

Hello,

Maybe a silly question, and I think it's not possible, but it would be nice if we could deny users with RO access to IOS devices the ability to read the tacacs config section, correct? In particular the tacacs-server key. I'm not sure how ISE would process a command request for "show run" when we also define "DENY_ALWAYS tacacs-server" or even "DENY_ALWAYS *tacacs-server"? I take it that the "show run" output will still contain the tacacs-server section, right? Despite "DENY_ALWAYS tacacs-server" being specified, too. Such that we could achieve something like "show run | exclude tacacs-server"?

Thanks and regards,

Holger

Accepted Solution

Hi @holger2meyer

AFAIK you cannot configure TACACS+ to not display certain sections of the running-configuration. You've given me an idea though: perhaps you could create an alias for "show run | exclude tacacs-server" and permit the user to run the alias command and deny "show run"? I've not tried it myself though.

I believe the "tacacs-server" command is deprecated in newer versions and you have to use the syntax "tacacs server <name>". If you were running the new syntax (which you aren't) and used "tacacs server XXXX", which has multiple lines of configuration, that would not work, as "exclude" only excludes the line with "tacacs" and not the rest of the configuration.

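Added example, not from this thread or from Cisco: a small Python model of why the caveat above matters. `ios_exclude` imitates the line-based behaviour of `show run | exclude <regex>` on a constructed running-config; `exclude_section` is a hypothetical section-aware filter (not an IOS feature) that also drops the indented sub-lines of a matched `tacacs server <name>` block. All addresses and key values are placeholders.

```python
import re
from typing import List

# Constructed running-config fragment: old single-line tacacs-server syntax,
# new multi-line "tacacs server <name>" block, plus NTP and BGP type 7 secrets.
SAMPLE_RUNNING_CONFIG = """\
hostname edge-rtr-01
!
tacacs-server host 10.0.0.5 key 7 PLACEHOLDER7A
!
tacacs server ISE-PSN-1
 address ipv4 10.0.0.6
 key 7 PLACEHOLDER7B
!
ntp authentication-key 1 md5 PLACEHOLDER7C 7
!
router bgp 65000
 neighbor 192.0.2.1 password 7 PLACEHOLDER7D
!
"""


def ios_exclude(config: str, pattern: str) -> List[str]:
    """Model of 'show run | exclude <regex>': drops only the lines matching the regex."""
    rx = re.compile(pattern)
    return [ln for ln in config.splitlines() if not rx.search(ln)]


def exclude_section(config: str, pattern: str) -> List[str]:
    """Hypothetical section-aware filter: drop a matching top-level line and its
    indented sub-lines (IOS nests a section's commands under a leading space)."""
    rx = re.compile(pattern)
    kept, skipping = [], False
    for ln in config.splitlines():
        if not ln.startswith(" "):          # new top-level command ends any skip
            skipping = bool(rx.search(ln))
        if not skipping:
            kept.append(ln)
    return kept


def leaked_type7_lines(lines: List[str]) -> List[str]:
    """Lines that still carry a reversible type 7 secret ('key 7 X', 'password 7 X',
    or NTP's 'md5 X 7' form)."""
    rx = re.compile(r"\b(?:key|password)\s+7\s+\S+|\bmd5\s+\S+\s+7\b")
    return [ln for ln in lines if rx.search(ln)]
```

Running `leaked_type7_lines` over the three views shows the difference: the full config carries four type 7 secrets, the line-based exclude still leaks the key inside the `tacacs server` block, and only the section-aware filter removes both TACACS keys (the NTP and BGP secrets remain, as the thread goes on to discuss).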

5 Replies

Hello Rob,

Many thanks for your answer, quite helpful. Might be an idea to use an alias. See, it would be nice to have a way to prevent a given read-only user group from seeing type 7 keys/password hashes when issuing a "show run", as they are still in use once in a while for tacacs or NTP keys in older IOS versions. Not to mention the BGP neighbor password.

Regards,

Holger

Hi Rob,

That's the plan, but the installation spans several thousand devices... it'll take the team some time to migrate. Would be nice to have a fix for the time being. And, to my knowledge, BGP still only supports md5 (correct me if I'm wrong).

Regards,

Holger


Hi @holger2meyer

Ok, I understand. According to the second link provided above, BGP MD5 authentication passwords will not be converted to Type 6, but it recommends using the BGP TCP Authentication Option. Or just try the alias workaround for TACACS.

HTH