07-29-2008 01:33 PM - edited 03-10-2019 04:00 PM
I am not a network administrator, but I do manage a number of devices which have the ability to manipulate traffic. There are times when these devices fail over, and need to update the arp cache and cam tables on our Cisco gear. Because of this touch point, I need the ability to verify the accuracy of these tables.
Our Cisco team uses TACACS to manage access to our networking equipment. I have asked for the ability to simply execute the "show arp" and "show cam" commands on a handful of devices, but have been informed that this isn't possible because "show arp" is a privileged EXEC command.
Unfortunately I am not in a position to be able to confirm or deny this, since I am not familiar with Cisco device management or TACACS. I was hoping someone in this forum could:
a) confirm that it is possible to authorize individual commands without authorizing any others
b) give me some specifics on what one needs to do within TACACS to facilitate.
All I need is to run these two commands - I need nothing else. I suspect our TACACS management team simply doesn't know how to or doesn't want to set up this authorization. Your help in pushing back would be appreciated.
Thanks.
07-29-2008 06:11 PM
"All I need is to run these two commands - I need nothing else. I suspect our TACACS management team simply doesn't know how to or doesn't want to set up this authorization. Your help in pushing back would be appreciated."
It is a very simple setup. All they have to do is set up authorization like this:

user = test {
    member = limited
    login = des xxxxxxx
    name = "Scott Prigge"
}

group = limited {
    default service = deny
    cmd = show {
        permit "arp .*"
        permit "cam .*"
        deny .*
    }
}

With this, your tacacs account can only perform "show arp *" and "show cam *" commands and nothing else.
Easy right?
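To let the reader check what a policy like the one above actually grants before it goes to the TACACS team, here is an added Python model of the evaluation (it is not tac_plus code and not part of the thread). It assumes the tac_plus convention that a device sends the command keyword as cmd and each following word as a cmd-arg, with IOS appending a final "<cr>" argument, that rules in a cmd block are tried in order as unanchored regexes over the space-joined arguments, and that a command with no cmd block falls through to "default service"; the policy dictionary is constructed to mirror the group in the post.

```python
import re

# Constructed policy in the shape of the "group = limited" block from the
# thread above. Added, simplified model of how such a policy is evaluated;
# not the tac_plus daemon's own code.
LIMITED_GROUP = {
    "default service": "deny",
    "cmd": {
        "show": [
            ("permit", "arp .*"),
            ("permit", "cam .*"),
            ("deny", ".*"),
        ],
    },
}


def split_cli(line, append_cr=True):
    """Turn a typed CLI line into the (cmd, args) pair a device sends in its
    TACACS+ command-authorization request. IOS sends the first keyword as
    'cmd' and every following word as a 'cmd-arg', ending with a literal
    '<cr>' argument; append_cr=False models a client that omits that token."""
    words = line.split()
    cmd, args = words[0], words[1:]
    if append_cr:
        args.append("<cr>")
    return cmd, args


def authorize(group, cmd, args):
    """Evaluate one request against a group. Rules in the matching cmd block
    are tried top to bottom as unanchored regexes over the space-joined
    arguments; the first match decides. A command with no cmd block falls
    through to 'default service'; a block where nothing matches is treated
    as deny in this model."""
    arg_string = " ".join(args)
    rules = group["cmd"].get(cmd)
    if rules is None:
        return group["default service"], "no cmd block, default service applies"
    for action, pattern in rules:
        if re.search(pattern, arg_string):
            return action, f'{action} "{pattern}" matched "{arg_string}"'
    return "deny", "no rule in cmd block matched"


def check(line, group=LIMITED_GROUP, append_cr=True):
    """Authorize a full CLI line; returns 'permit' or 'deny'."""
    cmd, args = split_cli(line, append_cr)
    return authorize(group, cmd, args)[0]


if __name__ == "__main__":
    for line in ("show arp", "show cam dynamic", "show running-config",
                 "configure terminal", "show ip arp"):
        print(f"{line:22s} -> {check(line)}")
    # Without the trailing <cr> token, "arp" alone does not match "arp .*"
    # (the pattern needs the space), so the catch-all deny wins.
    print("show arp (no <cr>)    ->", check("show arp", append_cr=False))
```

Two things the run makes visible that the config alone does not: a bare "show arp" is only permitted because the device appends "<cr>" to the argument list, and because the match is unanchored in this model, "show ip arp" is also permitted by "arp .*". If the deployed daemon matches the same way, anchoring the patterns with "^" keeps the grant to exactly the two commands asked for; confirm the behaviour against the daemon's own documentation before relying on it.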
07-30-2008 05:34 AM
I knew it had to be easy. I sent them your info, and I'll post back what they respond with.
Thanks for the response.
10-08-2008 05:52 AM
Just wanted to post a thanks. Armed with your response, I now have access to the resources I needed.
Thanks again.
10-08-2008 06:47 AM
You're welcome. Maybe you can recommend me for future consulting work with your company :-)