TCL Script to trigger when command is entered

dmramirez1
Level 1

Can anyone assist me with a script, or at least tell me if it's possible? I need a script that will trigger only for a specific username and only when entering config t.

This script is a workaround for a bug in my IOS that makes creating a "read only" user pretty much impossible in my environment (no TACACS/RADIUS, upgrading/downgrading IOS is a very long process).

Ultimately I need the script to auto "exit" whenever the specific user enters global configuration mode.

Any help would be greatly appreciated.

Accepted Solution

dmramirez1
Level 1

Update:

I found a solution. This is the applet that I am using.

event manager applet READONLY
 ! sync yes: the applet's exit status decides whether the intercepted command runs
 event cli pattern "configure terminal" sync yes
 ! open a privileged VTY and list logged-in users, keeping only lines that mention BADUSER
 action 1.0 cli command "enable"
 action 1.1 cli command "show users | i BADUSER"
 ! with no match the filtered output is essentially a blank line (about 80 characters);
 ! a matching user line makes the result longer
 action 1.2 string length "$_cli_result"
 action 1.3 if $_string_result le 100
 ! exit 1 lets "configure terminal" run; exit 0 suppresses it
 action 1.4  exit 1
 action 1.5 else
 action 1.6  exit 0
 action 1.7 end

The only problem this applet causes is that if your "Baduser" is going to be logged in for a large amount of time, it can lock you out of global configuration mode. To solve this, you could just do a "disconnect" command to kick them out if need be.

For my situation the "baduser" is a service that will be logged in for no more than about 20 seconds at a time and only about once a week.
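A variant of the accepted applet, added here as an example and not posted by anyone in the thread, that replaces the output-length heuristic with a regexp match on the full "show users" output and logs each refused attempt to syslog. It assumes the read-only account is literally named "baduser" (the thread's name; EEM's regexp is case-sensitive, so use the account name exactly as "show users" prints it), that EEM's own VTY can run "enable" as in the accepted solution, and that IOS presents the expanded command to the CLI event detector so the "^" anchor is safe; the anchor and the syslog text are my additions. Like the original it still refuses every user while that account has a session open, and it only intercepts the command that matches the event cli pattern.

```cisco
event manager applet READONLY
 ! sync yes: the applet's exit status decides whether the intercepted command runs
 ! "^" anchors the match to the start of the (expanded) command line (added assumption)
 event cli pattern "^configure terminal" sync yes
 action 1.0 cli command "enable"
 action 1.1 cli command "show users"
 ! _cli_result holds the whole "show users" output; _regexp_result is 1 on a match
 action 1.2 regexp "baduser" "$_cli_result"
 action 1.3 if $_regexp_result eq 1
 ! record the refusal; _cli_msg is the command the user typed
 action 1.4  syslog priority warnings msg "READONLY applet: $_cli_msg refused because baduser has an active session"
 ! exit 0 suppresses the command
 action 1.5  exit 0
 action 1.6 else
 ! exit 1 lets the command run as normal
 action 1.7  exit 1
 action 1.8 end
```

After pasting it, "show event manager policy registered" should list READONLY, and "show users" shows the exact spelling of the account name the regexp has to match.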


9 Replies

Joe Clarke
Cisco Employee

What you want is not possible.  While you can check for a user entering config t, you cannot force them to auto-exit.

What version of IOS are you running?

I just want a script that runs the global configuration command "exit" as soon as "conf t" is entered. This is not possible?


I found a way to create an EEM Applet that will just skip the conf t command when it is entered.

 

Now that I have this I only need to know how to set this applet to only be triggered for a specific user. If anyone has any details please share. I will continue my research.

Right, you can block the "config t" altogether, but the reason I asked you the version of code is that not all versions support the ability to get the username that executed the command.  What version of code are you running?

15.1(4)M4

EEM ver 3.2


Unfortunately, you need EEM 4.0 in order to get the enhanced CLI ED with the _cli_username variable.  With that variable you can check against the username you want to check:

event manager applet READONLY
 event cli pattern "configure terminal" sync yes
 ! _cli_username is populated only by the EEM 4.0 enhanced CLI ED
 action 1.0 if $_cli_username eq "baduser"
 ! exit 0 suppresses the command, exit 1 lets it run
 action 1.1  exit 0
 action 1.2 else
 action 1.3  exit 1
 action 1.4 end

Oh wow thanks. That's unfortunate.



Right now I am trying to create a script that will view the "Show users" output and use a For loop to see if the username is found and then run the script off of that.



This is my first time though, so it's not liking a lot of my scripts. This is what I have so far.





action 1.0 cli command "enable"
action 1.1 cli command "show users"
! walk the output line by line; _cli_result holds the full "show users" text
action 1.2 foreach _user "$_cli_result" "\n"
action 1.3  regexp ".*(baduser).*" "$_user"
action 1.4  if $_regexp_result eq 1
! baduser is logged in: exit 0 suppresses "configure terminal"
action 1.5   exit 0
action 1.6  end
action 1.7 end
! no line matched: exit 1 lets the command run
action 1.8 exit 1




This looks okay (though the parentheses may not be what you want).  But I would worry that this approach could deny any user config t access if baduser is logged in at the same time.

