11-08-2017 07:14 PM - edited 03-04-2019 02:39 AM
Can anyone assist me with a script, or at least tell me if it's possible? I need a script that will trigger only for a specific username and only when entering config t.
This script is a workaround for a bug in my IOS that makes creating a "read only" user pretty much impossible in my environment (no TACACS/RADIUS, and upgrading/downgrading IOS is a very long process).
Ultimately I need the script to auto "exit" whenever the specific user enters global configuration mode.
Any help would be greatly appreciated.
11-08-2017 07:37 PM
What you want is not possible. While you can check for a user entering config t, you cannot force them to auto-exit.
What version of IOS are you running?
11-09-2017 08:18 AM
11-09-2017 11:33 AM
I found a way to create an EEM Applet that will just skip the conf t command when it is entered.
Now that I have this I only need to know how to set this applet to only be triggered for a specific user. If anyone has any details please share. I will continue my research.
11-09-2017 03:46 PM
Right, you can block the "config t" altogether, but the reason I asked you the version of code is that not all versions support the ability to get the username that executed the command. What version of code are you running?
11-09-2017 04:25 PM
11-09-2017 05:04 PM
Unfortunately, you need EEM 4.0 in order to get the enhanced CLI ED with the _cli_username variable. With that variable you can check against the username you want to check:
if $_cli_username eq "baduser"
exit 0
else
exit 1
end
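Putting the fragment above into a complete applet, as an added example that is not from the thread: it uses the EEM 4.0+ _cli_username variable to block only the named account, so other administrators are never affected by who else happens to be logged in. The account name "baduser" and the applet name are placeholders.

```cisco
! Added example, not the poster's or the replier's applet.
! Requires EEM 4.0 or later (check with: show event manager version).
! "baduser" is a placeholder for the account that must stay read-only.
event manager applet READONLY-BY-USER
 ! sync yes makes the CLI event detector wait for the applet's exit status
 event cli pattern "^configure terminal" sync yes
 action 1.0 if $_cli_username eq "baduser"
 ! exit 0 tells the event detector NOT to run the matched command
 action 1.1  syslog msg "configuration mode denied for user $_cli_username"
 action 1.2  exit 0
 action 1.3 else
 ! exit 1 lets every other user's configure terminal run normally
 action 1.4  exit 1
 action 1.5 end
```

Verify registration with show event manager policy registered, and test it from a second session while keeping a privileged one open, since a typo in the username comparison would block config mode for everyone until the applet is removed.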
11-09-2017 05:10 PM
11-09-2017 06:25 PM
This looks okay (though the parentheses may not be what you want). But I would worry that this approach could deny any user config t access if baduser is logged in at the same time.
11-16-2017 07:42 AM
Update:
I found a solution. This is the Applet that I am using.
event manager applet READONLY
event cli pattern "configure terminal" sync yes
action 1.0 cli command "enable"
action 1.1 cli command "show users | i BADUSER"
action 1.2 string length "$_cli_result"
! When BADUSER is not logged in, the filtered output is only a blank line, about 80 characters long
action 1.3 if "$_string_result" le 100
action 1.4 exit 1
action 1.5 else
action 1.6 exit 0
action 1.7 end
The only problem this applet causes is if your "Baduser" is going to be logged in a large amount of time, it can lock you out of global configuration mode. To solve this, you could just do a "disconnect" command to kick them out if need be.
For my situation the "baduser" is a service that will be logged in for no more than about 20 seconds at a time and only about once a week.