08-16-2021 09:00 PM
Hello,
A couple of questions regarding ISE's TACACS command sets if someone could help :
1 - I would like to understand how the argument is matched in the command sets. For example, if I permit Command = show, Argument = ip route, does this mean only show ip route is allowed to run, or does it mean show commands that use either “ip” or “route” as the next word would be permitted, so show ip int br is also permitted? If so, how can I limit the user to show ip route only?
2 - I would also like some admins to be limited to shut / no shut of specific switch ports. If I say in the command set "permit, command = interface, Argument = range macro enet_list", does this limit admins to this specific command, or can they do interface range anything?
So the objective is to allow the admin only the following commands:
config t
interface range macro enet_list
shut
no shut
Does the below command set achieve the objective?
Grant  | Command   | Argument
Permit | config    | terminal
Permit | interface | range macro enet_list
Permit | shut      |
Permit | no shut   |
Permit | show      | interface [0-9]{1,3}/0
Thanks
08-16-2021 11:15 PM
Hi @aous.salloum,
1. If you configure ISE as stated (permit command 'show' with argument 'ip route'), you will allow running of 'show ip route' and all subsequent commands (e.g. 'show ip route vrf X'). No other command would be allowed. Just make sure that you configured command authorization in the aaa section of your device.
2. Your definition should do the job like you want. By putting a more specific argument, the command must match that part too, so no other range can be selected.
BR,
Milos
08-17-2021 10:56 PM
> ... if so how can I limit the user to show ip route only ?
ISE Device Administration Prescriptive Deployment Guide shows an example:
Grant       | Command   | Argument
DENY_ALWAYS | interface | GigabitEthernet 1
DENY_ALWAYS | interface | GigabitEthernet [0-9]{1,3}/0
PERMIT      | interface |
will permit the interface command but deny certain interfaces. Thus, you may have a deny entry on any argument following "show ip route".
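As an added illustration (not from this thread and not Cisco's code), here is a small Python model of the matching behaviour both answers describe: the Command is compared literally against the first word of the line, the Argument is a regular expression checked against the start of the remaining words (an assumption that reproduces 'ip route' also covering 'ip route vrf X'), and DENY_ALWAYS rows override the ordered PERMIT/DENY rows. The rule lists are constructed from the original poster's command set and the deployment-guide example above; the 'no shut' row is entered as command 'no', argument 'shut', on the assumption that the device sends the first word as the command.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    grant: str      # "PERMIT", "DENY" or "DENY_ALWAYS"
    command: str    # compared literally (case-insensitive) with the first word
    argument: str   # regex checked against the rest of the line ("" = any)

def split_line(line: str) -> tuple[str, str]:
    """Split a typed command into the cmd and cmd-arg parts sent for authorization."""
    parts = line.strip().split(maxsplit=1)
    return parts[0].lower(), (parts[1] if len(parts) > 1 else "")

def rule_matches(rule: Rule, cmd: str, arg: str) -> bool:
    if rule.command.lower() != cmd:
        return False
    # Assumption: the argument regex is anchored at the start only, which is
    # what lets 'ip route' also cover 'ip route vrf X' as the answer above says.
    return re.match(rule.argument, arg, re.IGNORECASE) is not None

def evaluate(rules, line, permit_unlisted=False):
    """Return 'PERMIT' or 'DENY' for one command line against a command set."""
    cmd, arg = split_line(line)
    matched = [r for r in rules if rule_matches(r, cmd, arg)]
    if any(r.grant == "DENY_ALWAYS" for r in matched):
        return "DENY"                       # Deny Always wins regardless of order
    if matched:                             # otherwise the first match decides
        return "PERMIT" if matched[0].grant == "PERMIT" else "DENY"
    return "PERMIT" if permit_unlisted else "DENY"   # "permit any command not listed" switch

# Constructed rules mirroring the original poster's proposed command set
PORT_ADMIN = [
    Rule("PERMIT", "config", "terminal"),
    Rule("PERMIT", "interface", "range macro enet_list"),
    Rule("PERMIT", "shut", ""),
    Rule("PERMIT", "no", "shut"),   # assumed: 'no' is the command, 'shut' the argument
    Rule("PERMIT", "show", r"interface [0-9]{1,3}/0"),
]

# Constructed rules mirroring the deployment-guide example in the second answer
INTERFACE_FILTER = [
    Rule("DENY_ALWAYS", "interface", "GigabitEthernet 1"),
    Rule("DENY_ALWAYS", "interface", r"GigabitEthernet [0-9]{1,3}/0"),
    Rule("PERMIT", "interface", ""),
]

if __name__ == "__main__":
    for line in ["config terminal", "interface range GigabitEthernet1/0/1", "show ip route"]:
        print(f"{line!r:40} -> {evaluate(PORT_ADMIN, line)}")
```

Anything not matched by a row is denied unless the "permit any command that is not listed" option is modelled as true, which is why 'show ip route' is refused by the port-admin set.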