Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2032
Views
40
Helpful
5
Replies

excluding tacacs section in show run using AV pairs in ISE?

Go to solution
holger2meyer
Level 1
Level 1

‎10-05-2021 10:49 PM - edited ‎10-05-2021 11:10 PM

Hello,

 

Maybe a silly question but I think it's not possible but it would be nice if we could deny users with RO access to IOS devices to read the tacacs config section, correct? In particular the tacacs-server key. I'm not sure how ISE would process a command request for "show run" when we also define "DENY_ALWAYS tacacs-server" or even "DENY_ALWAYS *tacacs-server"? I take it that the "show run" output will still contian the tacacs-server section, right? Despide that "DENY_ALWAYS tacacs-server" was specified, too. Such that we could achieve something like "show run | exclude tacacs-server"?

Thanks and regards,

Holger

1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎10-06-2021 02:58 AM - edited ‎10-06-2021 03:40 AM

Hi @holger2meyer 

AFAIK you cannot configure TACACS+ to not display certain sections of the running-configuration. You've given me an idea though,   perhaps you could create an alias for "show run | exclude tacacs-server" and permit the user to run the alias command and deny "show run"? I've not tried it myself though.

 

I believe the "tacacs-server" command is depreciated in newer versions and you have to use the syntax "tacacs server <name>". If you were running the new syntax (which you aren't) and used "tacacs server XXXX" which has multiple lines of configuration, that would not work as "exclude" only excludes the line with "tacacs" and not the rest of the configuration.

View solution in original post

5 Replies 5

Go to solution
Rob Ingram
VIP
VIP

‎10-06-2021 02:58 AM - edited ‎10-06-2021 03:40 AM

Hi @holger2meyer 

AFAIK you cannot configure TACACS+ to not display certain sections of the running-configuration. You've given me an idea though,   perhaps you could create an alias for "show run | exclude tacacs-server" and permit the user to run the alias command and deny "show run"? I've not tried it myself though.

 

I believe the "tacacs-server" command is depreciated in newer versions and you have to use the syntax "tacacs server <name>". If you were running the new syntax (which you aren't) and used "tacacs server XXXX" which has multiple lines of configuration, that would not work as "exclude" only excludes the line with "tacacs" and not the rest of the configuration.

Go to solution
holger2meyer
Level 1
Level 1
In response to Rob Ingram

‎10-06-2021 04:44 AM

Hello Rob,



many thanks for your answer, quite helpful. Might be an idea to use an alias. See, it would be nice to have a way to prevent a given read-only user group from seeing type 7 keys/password hashes when issuing a "show run" like they are still in use once in a while for tacacs or NTP keys in older ISO versions. Not to mention the BGP neighbor password.



Regards,

Holger

Go to solution
holger2meyer
Level 1
Level 1
In response to Rob Ingram

‎10-06-2021 05:08 AM

Hi Rob,



that's the plan but the installation spans several thousand devices... it'll take the team some time to migrate. Would be nice to have a fix for the time being. And, to my knowledge BGP still only supports md5 (correct me if I'm wrong).



Regards,

Holger


Go to solution
Rob Ingram
VIP
VIP
In response to holger2meyer

‎10-06-2021 05:23 AM

Hi @holger2meyer 

Ok I understand. According to the second link provided above, BGP MD5 authentication passwords will not be converted to Type 6, but recommends to use BGP TCP Authentication Option. Or just try the alias workaround for TACACS.

 

HTH

 

Customers Also Viewed These Support Documents