ISE TACACS Limit command sets

aous.salloum (Level 1)

Hello, 

A couple of questions regarding ISE's TACACS command sets, if someone could help:

 

1 - I would like to understand how the argument is matched in the command sets. For example, if I permit Command = show, Argument = ip route, does this mean only show ip route is allowed to run, or does it mean show commands that use either "ip" or "route" as the next word would be permitted, so show ip int br is also permitted? If so, how can I limit the user to show ip route only?

 

2 - I would also like some admins to be limited to shut / no shut of specific switch ports. If I say in the command set "permit, command = interface, Argument = range macro enet_list", does this limit admins to this specific command, or can they do interface range anything?

So the objective is to allow the admin only the following commands:

config t

interface range macro enet_list

shut

no shut 

Does the below command set achieve the objective?

Grant    Command     Argument
Permit   config      terminal
Permit   interface   range macro enet_list
Permit   shut
Permit   no shut
Permit   show        interface [0-9]{1,3}/0

Thanks

Accepted Solution

Milos_Jovanovic (VIP Alumni)

Hi @aous.salloum,

1. If you configure ISE as stated (permit command 'show' with argument 'ip route'), you will allow running 'show ip route' and all subsequent commands (e.g. 'show ip route vrf X'). No other command would be allowed. Just make sure that you configured command authorization in the aaa section of your device.

2. Your definition should do the job like you want. By putting a more specific argument, the command must match that part too, so no other range can be selected.

BR,

Milos


2 Replies


hslai (Cisco Employee)

> ... if so how can I limit the user to show ip route only ?

The ISE Device Administration Prescriptive Deployment Guide shows an example:

Grant         Command     Argument
DENY_ALWAYS   interface   GigabitEthernet 1
DENY_ALWAYS   interface   GigabitEthernet [0-9]{1,3}/0
PERMIT        interface   (empty)

will permit the interface command but deny certain interfaces. Thus, you may have a deny entry on any argument following "show ip route".
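The two answers above both come down to how a row of a command set is compared with what the switch sends. The following is an added example, not part of the thread and not Cisco's code: a small Python model of that evaluation, fed with command sets built from the question (the port-admin set) and from hslai's reply (deny specific arguments, permit the rest, and the "show ip route" case). It assumes, and marks in comments, that the Argument column is a regular expression anchored at the start of the argument string, and that precedence is DENY_ALWAYS over PERMIT over DENY with unlisted commands denied unless the command set's "permit any command that is not listed" option is on; check both against the ISE release you run. Two facts it relies on that are independent of ISE: IOS expands abbreviations before asking for authorization (it authorizes `show ip interface brief`, never `show ip int br`), and it sends the first word as the command and the remainder as the argument, so `no shutdown` arrives as command `no` with argument `shutdown`.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    """One row of an ISE TACACS+ command set (constructed for this example)."""
    grant: str      # "PERMIT", "DENY" or "DENY_ALWAYS"
    command: str    # first word of the line as IOS sends it; compared case-insensitively
    argument: str   # regex over the rest of the line; "" matches any argument


def split_line(line: str) -> Tuple[str, str]:
    """Split a fully expanded IOS line the way the TACACS+ authorization request
    carries it: first word is cmd, the remainder is cmd-arg. 'no shutdown' is
    therefore cmd='no', cmd-arg='shutdown', not a command called 'no shutdown'."""
    parts = line.strip().split(None, 1)
    return parts[0].lower(), (parts[1] if len(parts) > 1 else "")


def rule_matches(rule: Rule, cmd: str, arg: str) -> bool:
    if rule.command.lower() != cmd:
        return False
    if rule.argument == "":
        return True
    # ASSUMPTION: the argument regex is anchored at the start of cmd-arg only.
    # 'ip route' therefore also matches 'ip route vrf X'; add '$' to stop that.
    return re.match(rule.argument, arg) is not None


def evaluate(rules: List[Rule], line: str, permit_unlisted: bool = False) -> str:
    """Return 'PERMIT' or 'DENY' for one line against one command set."""
    cmd, arg = split_line(line)
    grants = {r.grant for r in rules if rule_matches(r, cmd, arg)}
    # ASSUMPTION: precedence DENY_ALWAYS > PERMIT > DENY; unlisted denied by default.
    if "DENY_ALWAYS" in grants:
        return "DENY"
    if "PERMIT" in grants:
        return "PERMIT"
    if "DENY" in grants:
        return "DENY"
    return "PERMIT" if permit_unlisted else "DENY"


# Constructed sets. Question 1, done the way hslai suggests: permit 'show ip route',
# then deny anything that carries a further argument after it.
SHOW_IP_ROUTE_ONLY = [
    Rule("DENY_ALWAYS", "show", r"ip route .+"),
    Rule("PERMIT", "show", r"ip route"),
]

# Question 2, with the commands written out as IOS expands them. The '$' on the
# range argument is the tightening the accepted answer relies on: without it,
# 'range macro enet_list2' would also match as a prefix.
PORT_ADMIN = [
    Rule("PERMIT", "configure", r"terminal"),
    Rule("PERMIT", "interface", r"range macro enet_list$"),
    Rule("PERMIT", "shutdown", ""),
    Rule("PERMIT", "no", r"shutdown$"),
]

# The deployment-guide example from hslai's reply: blanket permit, specific denies.
GUIDE_EXAMPLE = [
    Rule("DENY_ALWAYS", "interface", r"GigabitEthernet 1"),
    Rule("DENY_ALWAYS", "interface", r"GigabitEthernet [0-9]{1,3}/0"),
    Rule("PERMIT", "interface", ""),
]


if __name__ == "__main__":
    trials = [
        (SHOW_IP_ROUTE_ONLY, "show ip route"),
        (SHOW_IP_ROUTE_ONLY, "show ip route vrf X"),
        (SHOW_IP_ROUTE_ONLY, "show ip interface brief"),
        (PORT_ADMIN, "interface range macro enet_list"),
        (PORT_ADMIN, "interface range macro enet_list2"),
        (PORT_ADMIN, "no shutdown"),
        (GUIDE_EXAMPLE, "interface GigabitEthernet 2/1"),
        (GUIDE_EXAMPLE, "interface GigabitEthernet 10/1"),  # denied: 'GigabitEthernet 1' is a prefix
    ]
    for rules, line in trials:
        print(f"{evaluate(rules, line):6}  {line}")
```

The last trial is the caveat worth carrying back to the guide's table: an unanchored `GigabitEthernet 1` denies `GigabitEthernet 10/1` as well, so end the regex with `$` (or a word boundary) when a single port is meant. None of this is consulted unless the switch actually asks: on IOS, `aaa authorization commands 15 <list> group tacacs+` (applied to the vty lines) covers exec-level commands, and `aaa authorization config-commands` is additionally required for the lines typed inside `configure terminal`, which is exactly where the port-admin set lives.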