Block access to config mode - nacm rule

suvdeshm
Cisco Employee

What is the NACM rule to block access to config mode but still be able to read device config and do sync-from, for all users?

When I try config mode, I can get in, but I cannot actually configure anything on the device. What is a way to not allow getting into config mode as well?

The outcome for me:

oper@ncs(config)# devices device ios0 config exec a
Possible completions:
  a              
  admin-mode     Set to run the action in admin mode
  auto-prompts   One-shot auto-prompts list, used to ignore/reply on questions
oper@ncs(config)# exit

This is the nacm rule that I have currently:

admin@ncs# show running-config nacm
nacm write-default deny
nacm cmd-read-default permit
nacm cmd-exec-default permit
nacm rule-list oper
 group [ oper ]
 rule devices-config-rule
  path              /devices/device/config
  access-operations read
  action            permit
 !

Accepted Solutions

tohagber
Cisco Employee

The cmdrule would be something like this:
admin@ncs# show running-config nacm rule-list oper
nacm rule-list oper
 group [ oper ]
 cmdrule config_mode1
  context * ! *
  command config ! *
  access-operations * ! *
  action deny
 !
 cmdrule config_mode2
  context * ! *
  command configure ! *
  access-operations * ! *
  action deny
 !
....


tohagber
Cisco Employee

Hi,

To block groups from getting into config mode, you can use a cmdrule to reject the "config"/"configure" command token. cmdrule is an NSO-proprietary CLI authorization added to NACM; see cmdrule here.

Thank you! That worked.
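
An added example, not part of the original thread and not NSO code: a small Python check that reads "show running-config nacm" text in the layout posted above and reports, per rule-list, which of the config/configure tokens have no deny cmdrule. The sample config is constructed and the function names are hypothetical; the check assumes exact first-token matching, that an unset command or context means "*", and it ignores rule order.

```python
# Constructed sample in the layout of `show running-config nacm` from this thread.
SAMPLE = """\
nacm cmd-exec-default permit
nacm rule-list oper
 group [ oper ]
 rule devices-config-rule
  path /devices/device/config
  access-operations read
  action permit
 !
 cmdrule config_mode1
  context * ! *
  command config ! *
  access-operations * ! *
  action deny
 !
nacm rule-list viewer
 group [ viewer ]
"""

CONFIG_TOKENS = ("config", "configure")  # the two tokens the answer denies

def parse_cmdrules(text):
    """Map each rule-list name to its cmdrules as dicts (data `rule` entries are skipped)."""
    lists, current, rule = {}, None, None
    for raw in text.splitlines():
        words = raw.split(" ! ")[0].split()  # drop trailing "! <default>" comments
        if not words or words[0] == "!":
            continue
        if words[:2] == ["nacm", "rule-list"] and len(words) > 2:
            current, rule = lists.setdefault(words[2], []), None
        elif words[0] == "nacm":
            current, rule = None, None
        elif current is not None and words[0] == "cmdrule" and len(words) > 1:
            rule = {"name": words[1], "command": "*"}  # assumption: unset command means "*"
            current.append(rule)
        elif words[0] in ("rule", "group"):
            rule = None  # leaves of a data rule must not be read as cmdrule leaves
        elif rule is not None and len(words) > 1:
            rule[words[0]] = " ".join(words[1:])
    return lists

def unblocked_config_tokens(text):
    """Per rule-list, the config-mode tokens that no CLI deny cmdrule names."""
    result = {}
    for name, rules in parse_cmdrules(text).items():
        denied = {r["command"] for r in rules
                  if r.get("action") == "deny" and r.get("context", "*") in ("*", "cli")}
        result[name] = [t for t in CONFIG_TOKENS if t not in denied and "*" not in denied]
    return result

if __name__ == "__main__":
    for name, missing in unblocked_config_tokens(SAMPLE).items():
        print(f"rule-list {name}:", "ok" if not missing else "no deny cmdrule for " + ", ".join(missing))
```

An empty list for a rule-list means both tokens are covered, as in the accepted answer; any token listed is still permitted by cmd-exec-default.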
