How to use a macro with AAA Authorization set?

Erik
Level 1

So!

We have ACS version 4.1, and one goal is to start working on authorization sets for groups. I am able to get basic commands to work, but was curious about making a macro work without having to allow all of the commands that are actually contained within the macro itself.

I'm looking into this to promote standardization and minimize configuration issues/inconsistencies on ports across switches in our environment.

The macro I created is used for configuring a port on a switch to change its VLAN.  Basically as follows:

macro name T2
description $DESC
switchport mode access
no cdp enable
switchport access vlan $STATIC
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
storm-control broadcast level 25.00
storm-control action trap
switchport nonegotiate
no lldp transmit
no lldp receive
#macro keywords $DESC $STATIC

In ACS I've created a shell command authorization set, and allowed 'macro' with 'permit apply T2' and 'permit trace T2'.  This works fine and allows me to use those macro commands.  The problem I'm having is that every command in the macro is not allowed in the authorization set, so when I run the macro it fails for each command.

I don't want to allow each individual command in the authorization set as it would then allow jr. admins the ability to make config changes on ports that would be outside of our standard.  For example they could get into a port and forget to disable CDP and LLDP, causing inconsistencies across the environment.  Is there a way to run these macros without putting all of the commands in the authorization set?
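To make the per-command behaviour described above concrete, here is an added Python model of how a TACACS+ shell command authorization is evaluated when a macro is applied. It is not part of the original thread and is not ACS or IOS code. It assumes a simplified matcher: the first word of each command line selects the rule, the remaining arguments are matched as a whole against that rule's permit patterns, and any line without a matching permit is denied. The macro body and the 'permit apply T2' / 'permit trace T2' set are taken from the question; the per-command set (PER_COMMAND_SET) and the parameter values (DESC="uplink", STATIC="10") are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Macro body as posted in the question, one command per line ($DESC and
# $STATIC are the macro keywords).
MACRO_T2 = """
description $DESC
switchport mode access
no cdp enable
switchport access vlan $STATIC
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
storm-control broadcast level 25.00
storm-control action trap
switchport nonegotiate
no lldp transmit
no lldp receive
"""

# Authorization set as posted: only 'macro' is permitted, with two argument patterns.
# Assumption: a trailing "( .*)?" lets 'macro apply T2 DESC x STATIC n' match as well.
ORIGINAL_SET: Dict[str, List[str]] = {
    "macro": [r"apply T2( .*)?", r"trace T2( .*)?"],
}

# Constructed alternative: every command the macro expands to is permitted, with
# argument patterns pinned as tightly as the macro body allows.
PER_COMMAND_SET: Dict[str, List[str]] = {
    "macro": [r"apply T2( .*)?", r"trace T2( .*)?"],
    "description": [r".*"],
    "switchport": [r"mode access", r"access vlan \d+", r"port-security( .*)?", r"nonegotiate"],
    "no": [r"cdp enable", r"lldp (transmit|receive)"],
    "storm-control": [r"broadcast level 25\.00", r"action trap"],
}


def expand_macro(body: str, **params: str) -> List[str]:
    """Substitute $KEYWORD values and return the commands the switch will run."""
    commands = []
    for line in body.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        for keyword, value in params.items():
            line = line.replace("$" + keyword, str(value))
        commands.append(line)
    return commands


def authorize(cmd: str, command_set: Dict[str, List[str]]) -> bool:
    """Decide a single command line the way per-command shell authorization does
    (simplified model): rule lookup on the first word, argument patterns matched
    against the whole remainder, no matching permit means deny."""
    word, _, args = cmd.partition(" ")
    patterns = command_set.get(word)
    if patterns is None:
        return False
    return any(re.fullmatch(p, args) for p in patterns)


def authorize_macro(body: str, command_set: Dict[str, List[str]],
                    **params: str) -> Tuple[bool, List[Tuple[str, bool]]]:
    """Authorize the 'macro apply' line itself, then each expanded command one at
    a time; the macro succeeds only if every line is permitted. Returns the
    overall verdict and the per-line decisions in order."""
    apply_line = "macro apply T2 " + " ".join(f"{k} {v}" for k, v in params.items())
    decisions = [(apply_line, authorize(apply_line, command_set))]
    for cmd in expand_macro(body, **params):
        decisions.append((cmd, authorize(cmd, command_set)))
    return all(ok for _, ok in decisions), decisions


if __name__ == "__main__":
    for name, cset in (("original set", ORIGINAL_SET), ("per-command set", PER_COMMAND_SET)):
        ok, decisions = authorize_macro(MACRO_T2, cset, DESC="uplink", STATIC="10")
        print(f"{name}: macro {'applied' if ok else 'FAILED'}")
        for cmd, allowed in decisions:
            print(f"  {'permit' if allowed else 'deny  '} {cmd}")
    # The trade-off raised in the question: once the individual commands are
    # permitted, nothing forces them to be issued together as a bundle.
    print("stand-alone 'switchport access vlan 10' with per-command set:",
          authorize("switchport access vlan 10", PER_COMMAND_SET))
```

Running it shows the two outcomes the question describes: with only 'macro' permitted, the 'macro apply' line passes but all thirteen expanded commands are denied, so the macro fails; with each command permitted, the macro applies, but so does any one of those commands issued on its own, which is the standardization gap the question is worried about.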

2 Replies

Ravi Singh
Level 7

Hello Eric,

Please see the link below for configuring macros and how you can use them with AAA:

http://www.cisco.com/en/US/docs/switches/lan/auto_smartports/12.2_55_se/configuration/guide/configure.html

Hello,

I already have the same problem, and I haven't found a solution, except authorizing all commands in "command sets" for a macro in ACS or ISE. Can you tell me if you have another solution? Thanks.
