
In Command Authorization want to Block some specific command of Config mode through ISE

Hi Experts,

I want to restrict a few commands on the router/switch in config mode, that is, for one specific group. I want them to be able to do normal config, but not be able to change other sensitive config like enable password, line vty, aaa, etc.

I tried it through a TACACS command set in ISE, but when I tried to run the blocked command on the device in configure terminal, it works, which I do not want. It seems that after entering config mode this TACACS command set is not working for this particular group.

Moreover, I blocked an enable-mode command there, i.e. reload, and it is blocked, but I am unable to block some specific configure terminal commands.

Kindly help me to achieve this.

Regards,

Gurbinder


rschlayer
Level 4

Hello @gurbinder.kabbay,

You should be able to deny the commands in the TACACS command set.

Make sure you configure the router/switch with the corresponding aaa authorization commands. I believe you must have the following configured as well:

aaa authorization config-commands

My config looks like this (we push priv via ISE too):

aaa authorization config-commands
aaa authorization exec default group ISE local
aaa authorization commands 0 default group ISE local
aaa authorization commands 1 default group ISE local
aaa authorization commands 15 default group ISE local

Best regards,

Rick
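
A way to check a device's running-config for the lines named in the reply above, as an added example (not part of the original post and not a Cisco tool). The function name and the constructed BEFORE sample are assumptions, and the check assumes `aaa authorization config-commands` appears in the config only when it is enabled.

```python
import re

# AFTER is the config from the reply; BEFORE is constructed by dropping its first line.
AFTER = """\
aaa authorization config-commands
aaa authorization exec default group ISE local
aaa authorization commands 0 default group ISE local
aaa authorization commands 1 default group ISE local
aaa authorization commands 15 default group ISE local
"""
BEFORE = AFTER.split("\n", 1)[1]

def audit_command_authorization(running_config, required_levels=(0, 1, 15)):
    """Return a list of findings; an empty list means every check passed."""
    config_cmds = False   # saw "aaa authorization config-commands"
    methods = {}          # privilege level -> method list, e.g. "group ISE local"
    for raw in running_config.splitlines():
        line = " ".join(raw.split())   # normalise whitespace
        if line == "aaa authorization config-commands":
            config_cmds = True
        elif line == "no aaa authorization config-commands":
            config_cmds = False
        else:
            m = re.fullmatch(r"aaa authorization commands (\d+) \S+ (.+)", line)
            if m:
                methods[int(m.group(1))] = m.group(2)
    findings = []
    if not config_cmds:
        # Assumption: the line appears in the config only when the feature is on.
        findings.append("config-commands authorization is off: commands entered "
                        "in configure terminal are not sent to the AAA server")
    for level in required_levels:
        if level not in methods:
            findings.append(f"no 'aaa authorization commands {level}' line")
        elif not methods[level].startswith("group "):
            findings.append(f"level {level}: first method is not a server group "
                            f"({methods[level]})")
    return findings

if __name__ == "__main__":
    for name, cfg in (("BEFORE", BEFORE), ("AFTER", AFTER)):
        print(name, audit_command_authorization(cfg) or "OK")
```

The default `required_levels` are the three privilege levels listed in the reply's config; pass a different tuple if the device uses custom levels.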

Thanks Rschlayer for the reply.

I will apply this solution; let's see if this will fix it.

Regards,

Gurbinder

Thanks Rick.

It's working now.

Thanks very much.

Regards,

Gurbinder