EEM Lightweight AAA Server Sample

Jason Pfeifer · ‎06-18-2012

Sample applet to deny certain users from running commands, and also store each command users have entered into a file.

This applet uses a denylist file to compare against who is running each command. If the user and command is listed in the denylist file, the user

will not be able to run the command. This applet also creates a cmdhistory file that logs all commands. This applet currently registers against files in disk2: Please modify disk location when using. EEM 4.0 is required to run this applet.

Sample denylist file:

cisco show users

cisco configure terminal

Applet:

event manager applet testcli

event cli pattern .* sync yes

action 101 file open in disk2:denylist r

action 102 file open out disk2:cmdhistory a

action 103 file read in _jpres

action 104 set tester "$_cli_username"

action 105 append tester " $_cli_msg"

action 106 foreach value "$_jpres" "\n"

action 107 if $tester eq $value

action 108 puts "$_cli_username is not authorized to run $_cli_msg"

action 109 file puts out "REJECT: $_cli_username: $_cli_msg"

action 110 exit 0

action 111 end

action 112 end

action 113 file puts out "ACCEPT: $_cli_username: $_cli_msg"

action 114 exit 1

Here is a demo showing how this applet works.

ldulik · ‎11-23-2015

Is it possible to show example of denylist file?

Joe Clarke · ‎11-23-2015

It's just a list of usernames followed by a space, followed by a command they are not allowed to run. For example:

user1 configure terminal

user1 tclsh

ldulik · ‎03-29-2016

Thank you very much, Joe.