ISE 2.4 : Tacacs commands set issue to allow "show run with pipe section..." and deny "show run"

gillessapene
Level 1

I have a request to authorize the IOS command: show run | section exclude aaa | username | event

and to deny the "show run" command.

I have created a TACACS command set with PERMIT enable, exit, traceroute and

grant : PERMIT command : show Argument : running-configuration | section exclude aaa | username | event

then

grant DENY command show Argument: running-configuration

 

Then I type on the router:

show run : Command authorization failed.

show run running-configuration | section exclude aaa | username | event : Command authorization failed.

 

Any idea?

Do I have to use a regexp (that I don't know) instead of the multiple "pipe"?

Thanks

Gilles

2 Replies

gillessapene
Level 1

It behaves as if the "pipe" is not taken by the ISE.

The TACACS log always shows: "show running-configuration" even if I type show running-configuration | sec exclude aaa

I have also tried to add a "\" before the "|" but it has no effect.

 

The guide (https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_0100010.html) talks about the arguments, but I don't find the solution.

Any tip?

Thanks

Gilles

To rephrase my need, here is what I want to be able to do:

PERMIT:  show running-configuration | section exclude aaa | username | event
DENY:    show running-configuration
DENY:    show configuration
PERMIT:  show anything else  