Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
237
Views
2
Helpful
9
Replies

Use ISE to limit access to specific VRFs

Go to solution
JeremyEdwards
Level 1
Level 1

‎09-09-2024 08:32 AM

One of my clients would like to limit access of user to their specific VRFs. Since the VRFs span multiple devices its not possible to restrict by network access device, We're using TACACS so I tried to limit commands pertaining to other VRFs but all commands were blocked regardless of the argument given. Ex command = sh argument= ^vrf vrfname$ I used the ^$ symbols to get the start and stop of the string but it hit on every vrf. Any examples doing something would be appreciated.  

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Arne Bier
VIP
VIP
In response to ccieexpert

‎09-10-2024 04:10 PM

Valid point @ccieexpert 

I had to modify the command and arguments a bit, because the ISE Commands processing supports wildcards (not regex) and the Arguments support regex. Also, your regex contained white spaces that caused this not to work.  I tested on www.regex101.com until I got it right.

So, my example is a user (or member of a group) who can only work with the vrf ACME, and no other vrf.

In the Arguments, there are no white spaces.

 

ArneBier_0-1726004595007.png

The priv level 1 commands are important, because that is where a lot of show commands are authorized from - even if your user is authorized to priv 15, when they issue certain show commands, the IOS classifies them as priv 1

 

aaa group server tacacs+ dnac-network-tacacs-group
aaa authentication login VTY_authen group dnac-network-tacacs-group local
aaa authorization exec VTY_author group dnac-network-tacacs-group local if-authenticated
aaa authorization commands 1 VTY_author group dnac-network-tacacs-group if-authenticated
aaa authorization commands 15 VTY_author group dnac-network-tacacs-group if-authenticated
aaa authorization config-commands
!
line vty 0 4
 authorization commands 1 VTY_author
 authorization commands 15 VTY_author
 authorization exec VTY_author
 login authentication VTY_authen
 transport input ssh

 

The only problem with the ISE Arguments, is that they don't seem to understand standard regex. For example, my example will not allow the command "show vrf" (assuming you wanted to allow that for this user).  I was unable to get ISE to process the regex pattern  ^vrf$ which should have allowed this. If you know how to do this, please let me know.

In other words

allow "show vrf"

allow vrf commands containing "ACME"

deny all other commands containing "vrf"

permit all remaining commands

 

 

 

 

View solution in original post

0 Helpful
9 Replies 9

Go to solution
Arne Bier
VIP
VIP

‎09-09-2024 02:05 PM

I don't understand what you mean by "users limited to their VRFs" - unless you're doing SDA where users end up in a specific VN (VRF), access-sessions are authorized on a VLAN level, not VRF. If you're talking about AAA command authorization (TACACS+) then I also don't quite understand the reasoning for this. The "vrf" keyword is interspersed in arcane little places all over various parts of the command syntax. There is no single "vrf mode" for a user.  Restricting the command syntax to only issue (for example) one specific VRF for a particular user (group) would be quite messy.

Just some examples of the 'vrf' keyword used with aaa:

aaa group server radius dnac-client-radius-group

 ip vrf forwarding MANAGEMENT

 

aaa group server tacacs+ dnac-client-tacacs-group

 ip vrf forwarding MANAGEMENT

 

aaa server radius dynamic-author

 client 1.2.3.4 vrf MANAGEMENT server-key 7 *******

 

It's never in one consistent place. Perhaps I didn't understand your use case. Can you give some examples of what you're trying to allow, versus what you're trying to disallow?

 

 

 

0 Helpful

Go to solution
JeremyEdwards
Level 1
Level 1
In response to Arne Bier

‎09-11-2024 07:07 AM

That is what the user was asking for. Basically limiting user to only running commands related to their specific vrf. Example groups A,B,C belong to VRFs A,B,C. The client wants the users to only be able to run commands related to their specific VRF. 

Go to solution
ccieexpert
Spotlight
Spotlight

‎09-10-2024 12:31 PM

what vrf do you want to allow .. i think it should be something like this . Please show your command set..

it shoud allow all other commands..

ccieexpert_0-1725996675185.png

 

Go to solution
Arne Bier
VIP
VIP
In response to ccieexpert

‎09-10-2024 04:10 PM

Valid point @ccieexpert 

I had to modify the command and arguments a bit, because the ISE Commands processing supports wildcards (not regex) and the Arguments support regex. Also, your regex contained white spaces that caused this not to work.  I tested on www.regex101.com until I got it right.

So, my example is a user (or member of a group) who can only work with the vrf ACME, and no other vrf.

In the Arguments, there are no white spaces.

 

ArneBier_0-1726004595007.png

The priv level 1 commands are important, because that is where a lot of show commands are authorized from - even if your user is authorized to priv 15, when they issue certain show commands, the IOS classifies them as priv 1

 

aaa group server tacacs+ dnac-network-tacacs-group
aaa authentication login VTY_authen group dnac-network-tacacs-group local
aaa authorization exec VTY_author group dnac-network-tacacs-group local if-authenticated
aaa authorization commands 1 VTY_author group dnac-network-tacacs-group if-authenticated
aaa authorization commands 15 VTY_author group dnac-network-tacacs-group if-authenticated
aaa authorization config-commands
!
line vty 0 4
 authorization commands 1 VTY_author
 authorization commands 15 VTY_author
 authorization exec VTY_author
 login authentication VTY_authen
 transport input ssh

 

The only problem with the ISE Arguments, is that they don't seem to understand standard regex. For example, my example will not allow the command "show vrf" (assuming you wanted to allow that for this user).  I was unable to get ISE to process the regex pattern  ^vrf$ which should have allowed this. If you know how to do this, please let me know.

In other words

allow "show vrf"

allow vrf commands containing "ACME"

deny all other commands containing "vrf"

permit all remaining commands

 

 

 

 

0 Helpful

Go to solution
JeremyEdwards
Level 1
Level 1
In response to Arne Bier

‎09-11-2024 07:11 AM

Thanks I'll try this. Documentation suggested using REGEX when building command sets. 

0 Helpful

Go to solution
JeremyEdwards
Level 1
Level 1
In response to Arne Bier

‎09-11-2024 07:32 AM

Do you have a period at the end of the VRF name before the *?

0 Helpful

Go to solution
JeremyEdwards
Level 1
Level 1
In response to ccieexpert

‎09-11-2024 07:10 AM

I'll try this.

0 Helpful

Go to solution
ccieexpert
Spotlight
Spotlight

‎09-10-2024 12:52 PM

also you can use specific command like "show" if you want..

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

‎09-11-2024 07:35 AM

How ISE know this user from this VRF abd this user from other VRF' from there you need to start.

After that add command with vrf-aware.

MHM

0 Helpful
Customers Also Viewed These Support Documents