Good day,

I hope someone can assist.

I have denied the command: "route-policy" with arguments "default_policy_pass_all" on our Cisco ACS.

When someone tries to create/edit this policy they enter "route-policy default_policy_pass_all"

They then type "end-policy" and they receive "Command authorization failed" as expected and the command is not allowed.

However, when they create/edit this policy and enter, "route-policy default_policy_pass_all" and hit CTRL + C on the keyboard, they are able to commit thus editing the policy and breaking services.

It seems like this is an XR software issue because the ASR never asks the ACS for authorization for entering the command "route-policy default_policy_pass_all"

Has anyone seen this before or have a better way of blocking commands?

RP/0/RSP1/CPU0:router1#conf t
Fri Sep 22 12:48:28.403 SAST
RP/0/RSP1/CPU0:router1(config)#route-policy default_policy_pass_all
Fri Sep 22 12:48:29.919 SAST
% WARNING: Policy object route-policy default_policy_pass_all' exists! Reconfiguring it via CLI will replace current definition. Use 'abort to cancel.
RP/0/RSP1/CPU0:router1(config-rpl)#end-policy
Command authorization failed
% Incomplete command.
RP/0/RSP1/CPU0:router1(config-rpl)#
RP/0/RSP1/CPU0:router1#conf t
Fri Sep 22 12:48:36.252 SAST
RP/0/RSP1/CPU0:router1(config)#route-policy default_policy_pass_all
Fri Sep 22 12:48:37.877 SAST
% WARNING: Policy object route-policy default_policy_pass_all' exists! Reconfiguring it via CLI will replace current definition. Use 'abort to cancel.
RP/0/RSP1/CPU0:router1(config-rpl)#
RP/0/RSP1/CPU0:router1(config)#sh configuration
Fri Sep 22 12:48:42.677 SAST
Building configuration...
!! IOS XR Configuration 5.3.3
!
route-policy default_policy_pass_all
end-policy
!
end

RP/0/RSP1/CPU0:router1(config)#

Kind Regards,

Hendrik