Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1653
Views
0
Helpful
1
Replies

ISE Command Set Not Working as Expected

Go to solution
magates
Level 1
Level 1

‎06-01-2018 01:58 PM

I have a command set for some technicians that we grant fewer commands to, and am trying to limit specific commands, but it is not working as expected for some of them. Note that I am testing this with a user in the correct identity group that is given the correct command set and shell profile.

Example: We do not want them making changes to port-channels, so I have Deny | int* | po.* and it is the first rule in the command set. An account assigned to that profile is still able to issue the command:
     switch (config) # int port-channel 1
I have also tried Deny | int* | port-channel * with the same result.

Example 2: We do not want them assigning a port-security maximum of more than 2, so I have
     Allow | sw* | po.* m.* [1-3] as a rule, and directly under it Deny | sw* | po.* m.*
I have also tried Deny | sw* | po.* m.* and Deny | sw* | port-security maximum *
as the very first rule in the command set, and the account can still issue the command:
     switch (config-if) # switchport port-security maximum 8
in any of those 3 scenarios.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
hslai
Cisco Employee
Cisco Employee

‎06-01-2018 06:50 PM

Below working for me.

  1. To Deny commands such as int port-channel 1
    • Grant: DENY_ALWAYS
    • Command: interface
    • Arguments: Port-channel
    • Use DENY_ALWAYS to disregard the ordering of the command sets.
  2. To Permit commands switchport port-secuity maximum 1 to 3
    • Grant: PERMIT
    • Command: switchport
    • Arguments: port-security maximum [1-3]
  3. To Deny commands switchport port-security maximum > 4
    • Grant: DENY_ALWAYS
    • Command: switchport
    • Arguments: port-security maximum ([4-9]|[0-9]{2,4})
    • This denies a single numeric 4~9 or 2~4 numeric digits; use DENY_ALWAYS to disregard the ordering of the command sets; if using DENY instead of DENY_ALWAYS, then this line needs to be after the permit one and the arguments can be simply "port-security maximum"

View solution in original post

0 Helpful
1 Reply 1

Go to solution
hslai
Cisco Employee
Cisco Employee

‎06-01-2018 06:50 PM

Below working for me.

  1. To Deny commands such as int port-channel 1
    • Grant: DENY_ALWAYS
    • Command: interface
    • Arguments: Port-channel
    • Use DENY_ALWAYS to disregard the ordering of the command sets.
  2. To Permit commands switchport port-secuity maximum 1 to 3
    • Grant: PERMIT
    • Command: switchport
    • Arguments: port-security maximum [1-3]
  3. To Deny commands switchport port-security maximum > 4
    • Grant: DENY_ALWAYS
    • Command: switchport
    • Arguments: port-security maximum ([4-9]|[0-9]{2,4})
    • This denies a single numeric 4~9 or 2~4 numeric digits; use DENY_ALWAYS to disregard the ordering of the command sets; if using DENY instead of DENY_ALWAYS, then this line needs to be after the permit one and the arguments can be simply "port-security maximum"
0 Helpful
Customers Also Viewed These Support Documents