TACACS Authorization - show arp

priggescott (Level 1)

I am not a network administrator, but I do manage a number of devices which have the ability to manipulate traffic. There are times when these devices fail over, and need to update the arp cache and cam tables on our Cisco gear. Because of this touch point, I need the ability to verify the accuracy of these tables.

Our Cisco team uses TACACS to manage access to our networking equipment. I have asked for the ability to simply execute the "show arp" and "show cam" commands on a handful of devices, but have been informed that this isn't possible because "show arp" is a privileged EXEC command.

Unfortunately I am not in a position to be able to confirm or deny this, since I am not familiar with Cisco device management or TACACS. I was hoping someone in this forum could:

a) confirm that it is possible to authorize individual commands without authorizing any others

b) give me some specifics on what one needs to do within TACACS to facilitate this.

All I need is to run these two commands - I need nothing else. I suspect our TACACS management team simply doesn't know how to or doesn't want to set up this authorization. Your help in pushing back would be appreciated.

Thanks.

Accepted Solution

cisco24x7 (Level 6)

"All I need is to run these two commands - I need nothing else. I suspect our TACACS management team simply doesn't know how to or doesn't want to set up this authorization. Your help in pushing back would be appreciated."

It is a very simple setup. All they have to do is set up authorization like this:

    user = test {
        member = limited
        login = des xxxxxxx
        name = "Scott Prigge"
    }

    group = limited {
        # nothing is allowed unless a rule below explicitly permits it
        default service = deny
        # argument patterns are checked in order; the first match decides
        cmd = show {
            permit "arp .*"
            permit "cam .*"
            deny .*
        }
    }

With this, your tacacs account can only perform "show arp *" and "show cam *" commands and nothing else.

Easy right?
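To check what a policy like the one above actually permits before it is pushed to the server, here is a small Python model of the authorization decision, added for this page and not part of the thread or of tac_plus itself. It assumes the device reports each word after the command as a separate argument followed by a final "<cr>" marker, that the server joins those with spaces and tests the patterns in order with first match winning, and it anchors each pattern at the start of the argument string; confirm those details against the TACACS+ server you run.

```python
import re

# Policy transcribed from the accepted answer (group "limited"):
# default service = deny, plus an ordered rule list for the "show" command.
# Constructed for this example; it mirrors the posted tac_plus config.
POLICY = {
    "default": "deny",
    "cmd": {
        "show": [
            ("permit", r"arp .*"),
            ("permit", r"cam .*"),
            ("deny", r".*"),
        ],
    },
}


def nad_args(command: str) -> tuple:
    """Split a typed IOS command into (cmd, joined-args) as modelled here.

    Assumption: the device sends each word after the command as its own
    cmd-arg plus a trailing '<cr>', and the server joins them with spaces,
    so a bare 'show arp' is evaluated against 'arp <cr>'.
    """
    words = command.split()
    return words[0], " ".join(words[1:] + ["<cr>"])


def authorize(policy: dict, command: str) -> bool:
    """Return True if the command is permitted by the policy.

    Rules inside a cmd block are evaluated top-down and the first matching
    pattern decides; a command with no cmd block falls back to the group
    default, which is deny for the posted config.
    """
    cmd, args = nad_args(command)
    rules = policy["cmd"].get(cmd)
    if rules is None:
        return policy["default"] == "permit"
    for action, pattern in rules:
        if re.match(pattern, args):  # assumption: anchored at start of args
            return action == "permit"
    return policy["default"] == "permit"


if __name__ == "__main__":
    for c in ["show arp", "show arp 10.0.0.1", "show cam dynamic",
              "show ip arp", "show running-config", "configure terminal"]:
        print(f"{c!r:28} -> {'permit' if authorize(POLICY, c) else 'deny'}")
```

Note that "show ip arp" is denied under this model because "arp .*" is matched from the start of the argument string; if your server matches patterns unanchored, widen the test cases accordingly.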


4 Replies


I knew it had to be easy. I sent them your info, and I'll post back what they respond with.

Thanks for the response.

Just wanted to post a thanks. Armed with your response, I now have access to the resources I needed.

Thanks again.

You're welcome. Maybe you can recommend me for future consulting work with your company :-)