Solved: ISE Command Set Not Working as Expected

magates · ‎06-01-2018

I have a command set for some technicians that we grant fewer commands to, and am trying to limit specific commands, but it is not working as expected for some of them. Note that I am testing this with a user in the correct identity group that is given the correct command set and shell profile.

Example: We do not want them making changes to port-channels, so I have Deny | int* | po.* and it is the first rule in the command set. An account assigned to that profile is still able to issue the command:
switch (config) # int port-channel 1
I have also tried Deny | int* | port-channel * with the same result.

Example 2: We do not want them assigning a port-security maximum of more than 2, so I have
Allow | sw* | po.* m.* [1-3] as a rule, and directly under it Deny | sw* | po.* m.*
I have also tried Deny | sw* | po.* m.* and Deny | sw* | port-security maximum *
as the very first rule in the command set, and the account can still issue the command:
switch (config-if) # switchport port-security maximum 8
in any of those 3 scenarios.

hslai · ‎06-01-2018

Below working for me.

To Deny commands such as int port-channel 1
- Grant: DENY_ALWAYS
- Command: interface
- Arguments: Port-channel
- Use DENY_ALWAYS to disregard the ordering of the command sets.
To Permit commands switchport port-secuity maximum 1 to 3
- Grant: PERMIT
- Command: switchport
- Arguments: port-security maximum [1-3]
To Deny commands switchport port-security maximum > 4
- Grant: DENY_ALWAYS
- Command: switchport
- Arguments: port-security maximum ([4-9]|[0-9]{2,4})
- This denies a single numeric 4~9 or 2~4 numeric digits; use DENY_ALWAYS to disregard the ordering of the command sets; if using DENY instead of DENY_ALWAYS, then this line needs to be after the permit one and the arguments can be simply "port-security maximum"

View solution in original post