cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1231
Views
5
Helpful
17
Replies

Use ISE to limit access to specific VRFs

Nerd_Herd
Level 1
Level 1

One of my clients would like to limit access of user to their specific VRFs. Since the VRFs span multiple devices its not possible to restrict by network access device, We're using TACACS so I tried to limit commands pertaining to other VRFs but all commands were blocked regardless of the argument given. Ex command = sh argument= ^vrf vrfname$ I used the ^$ symbols to get the start and stop of the string but it hit on every vrf. Any examples doing something would be appreciated.  

1 Accepted Solution

Accepted Solutions

Valid point @ccieexpert 

I had to modify the command and arguments a bit, because the ISE Commands processing supports wildcards (not regex) and the Arguments support regex. Also, your regex contained white spaces that caused this not to work.  I tested on www.regex101.com until I got it right.

So, my example is a user (or member of a group) who can only work with the vrf ACME, and no other vrf.

In the Arguments, there are no white spaces.

 

ArneBier_0-1726004595007.png

The priv level 1 commands are important, because that is where a lot of show commands are authorized from - even if your user is authorized to priv 15, when they issue certain show commands, the IOS classifies them as priv 1

 

aaa group server tacacs+ dnac-network-tacacs-group
aaa authentication login VTY_authen group dnac-network-tacacs-group local
aaa authorization exec VTY_author group dnac-network-tacacs-group local if-authenticated
aaa authorization commands 1 VTY_author group dnac-network-tacacs-group if-authenticated
aaa authorization commands 15 VTY_author group dnac-network-tacacs-group if-authenticated
aaa authorization config-commands
!
line vty 0 4
 authorization commands 1 VTY_author
 authorization commands 15 VTY_author
 authorization exec VTY_author
 login authentication VTY_authen
 transport input ssh

 

The only problem with the ISE Arguments, is that they don't seem to understand standard regex. For example, my example will not allow the command "show vrf" (assuming you wanted to allow that for this user).  I was unable to get ISE to process the regex pattern  ^vrf$ which should have allowed this. If you know how to do this, please let me know.

In other words

allow "show vrf"

allow vrf commands containing "ACME"

deny all other commands containing "vrf"

permit all remaining commands

 

 

 

 

View solution in original post

17 Replies 17

Arne Bier
VIP
VIP

I don't understand what you mean by "users limited to their VRFs" - unless you're doing SDA where users end up in a specific VN (VRF), access-sessions are authorized on a VLAN level, not VRF. If you're talking about AAA command authorization (TACACS+) then I also don't quite understand the reasoning for this. The "vrf" keyword is interspersed in arcane little places all over various parts of the command syntax. There is no single "vrf mode" for a user.  Restricting the command syntax to only issue (for example) one specific VRF for a particular user (group) would be quite messy.

Just some examples of the 'vrf' keyword used with aaa:

aaa group server radius dnac-client-radius-group

 ip vrf forwarding MANAGEMENT

 

aaa group server tacacs+ dnac-client-tacacs-group

 ip vrf forwarding MANAGEMENT

 

aaa server radius dynamic-author

 client 1.2.3.4 vrf MANAGEMENT server-key 7 *******

 

It's never in one consistent place. Perhaps I didn't understand your use case. Can you give some examples of what you're trying to allow, versus what you're trying to disallow?

 

 

 

That is what the user was asking for. Basically limiting user to only running commands related to their specific vrf. Example groups A,B,C belong to VRFs A,B,C. The client wants the users to only be able to run commands related to their specific VRF. 

ccieexpert
Spotlight
Spotlight

what vrf do you want to allow .. i think it should be something like this . Please show your command set..

it shoud allow all other commands..

ccieexpert_0-1725996675185.png

 

Valid point @ccieexpert 

I had to modify the command and arguments a bit, because the ISE Commands processing supports wildcards (not regex) and the Arguments support regex. Also, your regex contained white spaces that caused this not to work.  I tested on www.regex101.com until I got it right.

So, my example is a user (or member of a group) who can only work with the vrf ACME, and no other vrf.

In the Arguments, there are no white spaces.

 

ArneBier_0-1726004595007.png

The priv level 1 commands are important, because that is where a lot of show commands are authorized from - even if your user is authorized to priv 15, when they issue certain show commands, the IOS classifies them as priv 1

 

aaa group server tacacs+ dnac-network-tacacs-group
aaa authentication login VTY_authen group dnac-network-tacacs-group local
aaa authorization exec VTY_author group dnac-network-tacacs-group local if-authenticated
aaa authorization commands 1 VTY_author group dnac-network-tacacs-group if-authenticated
aaa authorization commands 15 VTY_author group dnac-network-tacacs-group if-authenticated
aaa authorization config-commands
!
line vty 0 4
 authorization commands 1 VTY_author
 authorization commands 15 VTY_author
 authorization exec VTY_author
 login authentication VTY_authen
 transport input ssh

 

The only problem with the ISE Arguments, is that they don't seem to understand standard regex. For example, my example will not allow the command "show vrf" (assuming you wanted to allow that for this user).  I was unable to get ISE to process the regex pattern  ^vrf$ which should have allowed this. If you know how to do this, please let me know.

In other words

allow "show vrf"

allow vrf commands containing "ACME"

deny all other commands containing "vrf"

permit all remaining commands

 

 

 

 

Thanks I'll try this. Documentation suggested using REGEX when building command sets. 

Do you have a period at the end of the VRF name before the *?

The "." (period) in regex means "match zero or more occurrences" - a common usage is dot-star, which matches anything before and up to that point.  Have a play on regex101.com website - it's a great regular expression teacher

 

.*vrf ACME.*
.*vrf.*

I'll try this.

ccieexpert
Spotlight
Spotlight

also you can use specific command like "show" if you want..

How ISE know this user from this VRF abd this user from other VRF' from there you need to start.

After that add command with vrf-aware.

MHM

You would return the appropriate command restrictions to the user during TACACS+ authorization.  Depending on how many tenants they need, you'd create an ISE Identity Group (or use an AD Group) and then use that in the TACACS+ Authorization Policy Set.

How Tacacs (ISE) know this user from this vrf-a or vrf-b

As I know there is no vrf attribute send between SW/R and AAA server.

That my concern here. 

Thanks

MHM

I don't know exactly how @Nerd_Herd plans to do this, but I assume that he has users/tenants in different AD groups, and then when those users authenticate via TACACS, ISE can return the appropriate command set.   The assumption is that whatever command set is returned for those "groups" of users, is correct. Basically, if bob from GroupA logs into a switch, then he gets profile for GroupA - all users in that group are restricted to only accessing their appropriate Vrf. 

Correct. I plan on having various security groups tied to specific VRFs. They will have command sets that limit them to vrf commands that only apply to their specific vrf. They can still do standard commands but not interact with another vrf.