How to restrict "Reload" command on some devices

JCRE
Level 1

Hello, sorry for my English.

We need to restrict the execution of the "Reload" command on certain switches and routers considered Core or concentrators.

I could implement the restriction of the use of command using EEM but I left out a switch 6500, Core of Data Center, because the version of the operating system does not support EEM.

We have configured AAA and do authentication against a TACACS server where users listed there (nonlocal) to access the devices.

In fact, we grant permissions to execute certain commands only via the file "tac_plus.conf" that resides on the TACACS server.

What I could not do is restrict the execution of "Reload" using the same method, only I got doing with EEM on routers and switches critical.

I would like to know if it is possible to restrict the "reload" command on certain devices, configuring the instructions in the "tac_plus.conf" file.

Thank you very much.

1 Accepted Solution


Francesco Molino
VIP Alumni

Hi

I've never used any TACACS server other than Cisco ACS in production.

However, in your tac_plus.conf you can create some profiles and deny or permit some commands. Within these profiles, you can deny "reload". Have you tried it?

It should look like:

group = Usercommand {
    default service = permit
    cmd = reload {
        deny .*
    }
}

On the switch, I assume you have configured the aaa authorization command?

Thanks

PS: Please don't forget to rate and mark as correct answer if this solved your issue 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question


5 Replies


Hi supportlan,

We use the tac_plus.conf file, through which we allow certain commands. This is part of what we have configured:

group = monitoring {
    # Mesa Monitoring - uses S/Key and has an allow-list of commands
    login = skey
    service = exec {
    }
    cmd = set {
        permit terminal
    }
    cmd = interface {
        permit .*
    }
    cmd = ip {
        permit accounting
    }
}

If I apply the denial of the "reload" command as you suggest, this would apply to all devices on the network, but we just want to do it for the devices considered Core.
Am I right?

Yes, I confirm that we have set "aaa authorization command".

This is what we have configured on the switch:

aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ if-authenticated local
aaa authorization commands 15 default group tacacs+ if-authenticated local

Thanks for your help.
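As an added illustration (not code from this thread, from tac_plus or from Cisco), the Python below models how a tac_plus group profile decides whether a command line is authorized, and runs the two profiles discussed in the thread through it: the accepted answer's deny-reload profile and the monitoring allow-list. The matching semantics it implements are assumptions taken from the documented tac_plus behaviour (first word selects the cmd block, arguments are matched against the regexes in order with first match deciding, implicit deny inside a cmd block, "default service" for commands with no cmd block); both config strings are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Added example, not code from the thread or from tac_plus: a small model of
# how a tac_plus group profile decides whether a command line is authorized.
# Matching semantics assumed here (from the documented tac_plus behaviour):
#   - the first word of the command selects the "cmd = <word> { ... }" block
#   - the remaining words, joined by spaces, are tested against each
#     permit/deny regex in order; the first match decides
#   - a cmd block in which nothing matches denies (implicit deny)
#   - a command with no cmd block falls back to "default service",
#     which is deny unless the profile says "default service = permit"


@dataclass
class CmdBlock:
    """Ordered (action, compiled regex) rules for one cmd = <word> block."""
    rules: list = field(default_factory=list)


@dataclass
class Profile:
    """One group = <name> { ... } profile from tac_plus.conf."""
    name: str
    default_service: str = "deny"
    cmds: dict = field(default_factory=dict)

    def authorize(self, command: str) -> bool:
        """True if this profile would permit the given command line."""
        words = command.split()
        if not words:
            return False
        first, args = words[0], " ".join(words[1:])
        block = self.cmds.get(first)
        if block is None:
            return self.default_service == "permit"
        for action, regex in block.rules:
            if regex.search(args):
                return action == "permit"
        return False  # assumption: implicit deny at the end of a cmd block


def parse_groups(text: str) -> dict:
    """Parse the tac_plus.conf subset seen in this thread into Profiles.

    Handles: group = NAME {, default service = permit|deny, cmd = WORD {,
    permit/deny REGEX and closing braces. Lines such as "login = skey" or
    "service = exec {" only contribute to the brace depth.
    """
    groups, current, block, depth = {}, None, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if m := re.match(r"group\s*=\s*(\S+)\s*\{", line):
            current = Profile(m.group(1))
            groups[current.name] = current
            depth = 1
            continue
        if current is None:
            continue
        if m := re.match(r"default\s+service\s*=\s*(permit|deny)", line):
            current.default_service = m.group(1)
            continue
        if m := re.match(r"cmd\s*=\s*(\S+)\s*\{", line):
            block = CmdBlock()
            current.cmds[m.group(1)] = block
            depth += 1
            continue
        if block is not None and (m := re.match(r"(permit|deny)\s+(\S.*)", line)):
            block.rules.append((m.group(1), re.compile(m.group(2).strip())))
            continue
        # closing braces and lines we do not model (login =, service = exec {)
        depth += line.count("{") - line.count("}")
        if block is not None and depth <= 1:
            block = None
        if depth <= 0:
            current = None
    return groups


# Constructed configs for the demo: the accepted answer's profile in tac_plus
# syntax, and the monitoring allow-list profile from the question.
CORE_ADMIN_CONF = """
group = Usercommand {
    default service = permit
    cmd = reload {
        deny .*
    }
}
"""

MONITORING_CONF = """
group = monitoring {
    # monitoring desk: S/Key login and an allow-list of commands
    login = skey
    service = exec {
    }
    cmd = set {
        permit terminal
    }
    cmd = interface {
        permit .*
    }
    cmd = ip {
        permit accounting
    }
}
"""


def decide(conf: str, group: str, commands: list) -> dict:
    """Map each command line to the named profile's permit/deny decision."""
    profile = parse_groups(conf)[group]
    return {c: profile.authorize(c) for c in commands}


if __name__ == "__main__":
    sample = ["reload", "reload in 5", "show version", "ip accounting",
              "ip route 0.0.0.0 0.0.0.0 10.0.0.1", "interface Gi1/1"]
    for conf, group in ((CORE_ADMIN_CONF, "Usercommand"), (MONITORING_CONF, "monitoring")):
        print(f"profile {group}:")
        for cmd, ok in decide(conf, group, sample).items():
            print(f"  {'permit' if ok else 'deny  '}  {cmd}")
```

Nothing in either profile refers to the device that sent the authorization request, so the reload deny in "Usercommand" applies to every switch or router that authorizes that user against the same server, which is the limitation noted later in the thread; restricting it to Core devices needs the server to select the profile by NAS address, which is what the per-nas-ip question below is about.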

On ACS it would be possible, but I don't know about your server. Are you able to define rules for a specific nas-ip?

I'm not very familiar with 3rd-party TACACS servers. As far as I know you can define rules per user, but what about nas-ip (client device)?

Thanks

PS: Please don't forget to rate and mark as correct answer if this solved your issue 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hello, I very much appreciate your answer. I believe I am right when I say that if I use "deny" for a command, this applies across the network, therefore it is not helpful in our case.

Anyway, thank you very much for your time and help.

Across the network, well, it depends on whether you can do rule sets based on nas-ip.

You're very welcome.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question