Tacas+ limit specific commands under one command layer

yongwli (Cisco Employee)

Hi Experts,

 

Our customer would like to use ISE (TACACS) to control the CLI command authorization.

However, they are using HUAWEI data center switch, and they want to limit “shutdown” command under ospf process, but allow this command under interface configuration, for example:

Interface 10GE1/1/1
 shutdown               ## Legal command

ospf 1
 shutdown              ## Illegal command, disallowed.

Can ISE satisfy this requirement?


Accepted Solution

paul (Level 10)

While a command is a command, so you can't tell where the shutdown is being issued, you can definitely control access to the modes. Simply don't allow the user into OSPF or, more to the point, only allow them into "interface gig*".

Also, just for clarification, you don't need to put "*" in the arguments. If you don't put anything in there it assumes all arguments.

9 Replies

Surendra (Cisco Employee)

A command is a command for ISE. There is no provision in the TACACS+ protocol to mention the mode under which it is being executed. The network device sends the command and the arguments, and ISE will simply do a regex match.

thank you


Hello, I read your post and I'm dealing with something similar with ISE and ACS TACACS+ Command Sets. I need to restrict Tier1 and Tier2 Admins from specific interfaces. Prior to now I used deny int* g*1/1/1, deny int* g*1/1/2, etc., being specific to each interface; however, that no longer works. I created a few regexes, e.g. g?*^([1-4]\/[1-4]\/[1-4])&, and it works in regex101.com; however, it's unrecognized in ACS or ISE command sets. All Cisco documentation points to this being a properly formatted regex.

1. Is there a difference between how ISE handles regex in Command Sets?

2. Is there a definitive document on regex for Cisco devices?

 

ej

This Regex is not valid g?*^([1-4]\/[1-4]\/[1-4]).

? is not quantifiable.

Should "?" be replaced with "." to denote a single character?

So the regex reads: starting with g, any other valid character in the second position, and any number of characters after that?

I was reading that using g* would only look for a continuous repeat of the letter g.

 

ej

g.* is the right way to do it.

Found what I was looking for.

It doesn't work under ACS Command sets but it works under ISE so that's good enough for me.

 

ej

Very late update here but I did find the solution I was looking for to put in the command set on ISE.

deny interface gigabitethernet [1-4]/1/[1-4]
permit interface gigabitethernet [1-4]/0/[1-4]

 

I danced around this config with all manner of regex formats.

 

ej
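The points made in this thread (the NAD sends only the command word and its arguments, with no indication of the configuration mode; an empty Arguments field matches anything; `g?*` is not a valid regex while `g.*` is; and the final deny/permit rows ej posted) can be checked against a small simulation of an ISE-style command set. The code below is an added example and is not ISE's own matching logic or anything from the original thread: the "deny wins over permit, unlisted falls back to a default" rule, the case-insensitive literal match on the command keyword, and the argument strings of the sample commands are all assumptions made for the model.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Entry:
    """One row of a command set, shaped like the ISE form: Grant, Command, Arguments."""
    grant: str        # "permit" or "deny"
    command: str      # command keyword; matched literally, case-insensitively (assumption)
    args: str = ""    # regex over the argument string; empty means "all arguments"


def validate_args_regex(pattern: str) -> bool:
    """True if the Arguments field compiles as a regex.

    'g?*' is rejected because '*' is applied to the quantifier '?'; 'g.*' is accepted.
    """
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def split_command(cmd_line: str):
    """Model of what the network device sends for authorization: the command word
    plus the argument string. There is no field carrying the configuration mode."""
    parts = cmd_line.strip().split(None, 1)
    return parts[0].lower(), (parts[1] if len(parts) > 1 else "")


def authorize(command_set: List[Entry], cmd_line: str, permit_unlisted: bool = False) -> str:
    """Simplified decision model (an assumption, not ISE's documented algorithm):
    a matching deny row wins over a matching permit row; when no row matches, the
    result is the 'permit any command that is not listed' default."""
    cmd, args = split_command(cmd_line)
    decision: Optional[str] = None
    for entry in command_set:
        if entry.command.lower() != cmd:
            continue
        if not validate_args_regex(entry.args):
            continue  # an invalid regex can never match anything
        if entry.args == "" or re.search(entry.args, args, re.IGNORECASE):
            if entry.grant == "deny":
                return "deny"
            decision = "permit"
    if decision is not None:
        return decision
    return "permit" if permit_unlisted else "deny"


# Constructed for the original question: since "shutdown" looks identical from
# interface view and from the OSPF process view, the only lever is mode entry.
# Deny "ospf", permit "interface" (here restricted to 10GE ports), permit "shutdown".
DC_SWITCH_SET = [
    Entry("permit", "interface", r"^10GE"),
    Entry("permit", "shutdown"),
    Entry("deny", "ospf"),
]

# The two rows ej reported as working, written as Command + Arguments regex.
TIER_ADMIN_SET = [
    Entry("deny", "interface", r"gigabitethernet [1-4]/1/[1-4]"),
    Entry("permit", "interface", r"gigabitethernet [1-4]/0/[1-4]"),
]


if __name__ == "__main__":
    # Constructed command lines; argument spelling is an assumption about the device.
    for line in ("interface 10GE1/1/1", "shutdown", "ospf 1"):
        print(f"{line!r:34} -> {authorize(DC_SWITCH_SET, line)}")
    for line in ("interface GigabitEthernet 1/1/1", "interface GigabitEthernet 2/0/4",
                 "interface GigabitEthernet 5/0/1"):
        print(f"{line!r:34} -> {authorize(TIER_ADMIN_SET, line)}")
    for pat in (r"g?*^([1-4]\/[1-4]\/[1-4])", r"g.*"):
        print(f"regex {pat!r:32} valid: {validate_args_regex(pat)}")
```

The `authorize` function deliberately has no parameter for the mode the operator is in: whatever verdict `shutdown` gets, it gets in every view, which is why the DC_SWITCH_SET blocks the `ospf` command itself rather than trying to distinguish two `shutdown`s. The `5/0/1` case shows the value of the default: a port outside both regexes is denied unless the "permit unlisted" option is on.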
