06-21-2013 10:28 AM - edited 03-10-2019 08:34 PM
So!
We have ACS version 4.1, and one goal is to start working on authorization sets for groups. I am able to get basic commands to work, but was curious about making a macro work without having to allow all of the commands that are actually contained within the macro itself.
I'm looking into this to promote standardization and minimize configuration issues/inconsistencies on ports across switches in our environment.
The macro I created is used for configuring a port on a switch to change its VLAN. Basically as follows:
macro name T2
Description $DESC
switchport mode access
no cdp enable
switchport access vlan $STATIC
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
storm-control broadcast level 25.00
storm-control action trap
switchport nonegotiate
no lldp transmit
no lldp receive
#macro keywords $DESC $STATIC
In ACS I've created a shell command authorization set, and allowed 'macro' with 'permit apply T2' and 'permit trace T2'. This works fine and allows me to use those macro commands. The problem I'm having is that none of the commands in the macro is allowed in the authorization set, so when I run the macro it fails for each command.
I don't want to allow each individual command in the authorization set as it would then allow jr. admins the ability to make config changes on ports that would be outside of our standard. For example they could get into a port and forget to disable CDP and LLDP, causing inconsistencies across the environment. Is there a way to run these macros without putting all of the commands in the authorization set?
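To see exactly which lines of the macro a per-command authorization check would reject, here is an added Python model (not from this thread and not ACS code): it treats the first word of each expanded line as the command and the rest as arguments matched against an ordered permit list, a simplified version of how ACS 4.x shell command authorization sets behave. The macro text is the one posted above; deny-by-default for unmatched commands/arguments and the start-anchored regexes are assumptions.

```python
import re

# Macro body as posted in the thread; the "#macro keywords" line is metadata, not a command.
T2_MACRO = """\
Description $DESC
switchport mode access
no cdp enable
switchport access vlan $STATIC
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
storm-control broadcast level 25.00
storm-control action trap
switchport nonegotiate
no lldp transmit
no lldp receive
#macro keywords $DESC $STATIC"""

# Simplified model of an ACS 4.x shell command authorization set: per command word, an
# ordered list of (action, argument regex); first match wins, unlisted commands are denied.
COMMAND_SET = {"macro": [("permit", r"apply T2\b"), ("permit", r"trace T2\b")]}


def authorize(line, command_set=COMMAND_SET):
    """Return 'permit' or 'deny' for one CLI line, as a per-command TACACS+ check would."""
    cmd, _, args = line.strip().partition(" ")
    for action, pattern in command_set.get(cmd, []):
        if re.match(pattern, args):  # anchored at the start of the argument string (assumption)
            return action
    return "deny"  # assumption: unmatched commands and unmatched arguments are both denied


def expand_macro(macro_text, **params):
    """Commands the switch actually executes on 'macro apply': substitute $KEYWORDS, drop metadata."""
    lines = []
    for raw in macro_text.splitlines():
        if raw.startswith("#macro"):
            continue
        for key, value in params.items():
            raw = raw.replace(f"${key}", value)
        lines.append(raw)
    return lines


def audit_macro(macro_text, command_set=COMMAND_SET, **params):
    """Map each expanded macro line to its authorization result; every 'deny' is a line that will fail."""
    return {line: authorize(line, command_set) for line in expand_macro(macro_text, **params)}
```

Running `audit_macro(T2_MACRO, DESC="user-port", STATIC="10")` shows all 13 executed lines denied while `macro apply T2 ...` itself is permitted, which is the failure described above; adding a narrow permit such as `switchport` / `access vlan \d+$` makes the macro line pass but also permits the same command typed by hand on any port.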
06-25-2013 01:06 AM
Hello Eric,
Please see the below link for configuring macros and how you can use them with AAA.
08-02-2018 06:34 AM
Hello,
I already have the same problem, and I don't find a solution, except authorizing all commands in "command sets" for a macro in ACS or ISE. Can you tell me if you have another solution? Thanks.