Beginner

acs 5.2 command sets permit all commands except...

I have everything working on a new 5.2 ACS but:

I can only make a command set that permits things and denies all.

I thought with the check box "Permit any command that is not in the table below" one could allow all and specifically deny commands.

I could add for instance:

Check "Permit any command that is not in the table below"

deny conf

deny set

and that would allow the user to do all commands except for conf and set. But it doesn't seem to administratively block it; it allows them to still "conf" for instance.

Yet if I :

Uncheck "Permit any command that is not in the table below"

and say

permit show

permit exit

...

Then it works as expected, it allows the commands that are permitted and denying all unspecified commands.

I know I am in the right command set because the changes I make are reflected immediately.

Can someone test the "Permit any command that is not in the table below" and tell me if it works? I can make it work with the unchecked box, sure, but it would be nice to get it to work.

Rising star

Re: acs 5.2 command sets permit all commands except...

If it is command in config mode, you might need to enable "authorization config-commands" on your Cisco router/switch.

If I remember correctly, this command is disabled by default, so the command in config mode won't be sent to ACS for authorization.

Beginner

Re: acs 5.2 command sets permit all commands except...

The example says I should be able to put that at the end. However, when I paste it in, it always goes to the top:

aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+
aaa authorization commands 15 groups group tacacs+ none

I don't know if that is the problem, but right now it exhibits the same behaviour, that the table should be allowing things which should be blocked.

Is there a trick to get it to go after "aaa authorization commands" or does it matter?

Beginner

Re: acs 5.2 command sets permit all commands except...

Okay figured it out.

I was using the short name like "conf" for configure. Except the parser obviously wants the whole name "configure", because that is what is returned back in tacacs.

That makes sense, although a note in the docs saying how the commands are matched, or whether regular expressions can be used, would be nice.
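The following is an added example, not code from the thread or from Cisco ACS. It is a simplified model of how a TACACS+ command-authorization table is evaluated, written to make the two points raised in this thread concrete: the device sends the expanded command name ("configure terminal", never "conf t"), so a deny row keyed on an abbreviation never matches and the "permit any command not in the table" default lets it through; and config-mode commands are only sent to the server at all when "aaa authorization config-commands" is enabled. The row format (grant, exact command word, argument regex) and the evaluation order are assumptions for this model and are labelled as such in the code.

```python
"""Simplified model of TACACS+ command-set evaluation (added example, not ACS code).

Assumptions (not taken from the thread or from ACS documentation):
  * the device expands abbreviations before the authorization request, so the
    server sees "configure" + "terminal", exactly as the final reply observed;
  * a table row has a grant ("permit"/"deny"), a command word matched exactly,
    and an argument regex; the first matching row wins;
  * when no row matches, the "permit any command that is not in the table
    below" checkbox decides (True = permit, False = deny).
"""
import re
from dataclasses import dataclass


@dataclass
class Rule:
    grant: str           # "permit" or "deny"
    command: str         # compared exactly against the first word of the command
    args: str = ".*"     # regex applied to the rest of the line


@dataclass
class CommandSet:
    rules: list
    permit_unlisted: bool  # the "Permit any command that is not in the table below" checkbox

    def evaluate(self, request: str) -> str:
        """Return "permit" or "deny" for an already-expanded command line."""
        parts = request.strip().split(None, 1)
        cmd = parts[0]
        args = parts[1] if len(parts) > 1 else ""
        for rule in self.rules:
            if rule.command == cmd and re.fullmatch(rule.args, args):
                return rule.grant
        return "permit" if self.permit_unlisted else "deny"


# What the original poster configured: abbreviation in the deny rows, checkbox on.
BROKEN_SET = CommandSet([Rule("deny", "conf"), Rule("deny", "set")], permit_unlisted=True)

# The fix from the final reply: use the full command word the device sends.
FIXED_SET = CommandSet([Rule("deny", "configure"), Rule("deny", "set")], permit_unlisted=True)

# The allow-list variant that already worked: checkbox off, explicit permits.
ALLOWLIST_SET = CommandSet([Rule("permit", "show"), Rule("permit", "exit")], permit_unlisted=False)


def device_decision(request: str, in_config_mode: bool,
                    config_commands_enabled: bool, command_set: CommandSet) -> tuple:
    """Model the device side from the first reply.

    Returns (sent_to_server, decision). A command entered in config mode is only
    sent for authorization when "aaa authorization config-commands" is enabled;
    otherwise the device does not ask, and the command runs.  (Assumption of this
    model; it mirrors the first reply's description of the default behaviour.)
    """
    if in_config_mode and not config_commands_enabled:
        return (False, "permit")
    return (True, command_set.evaluate(request))


if __name__ == "__main__":
    # Constructed sample commands, as the server would see them after expansion.
    for cs_name, cs in (("broken", BROKEN_SET), ("fixed", FIXED_SET), ("allowlist", ALLOWLIST_SET)):
        for line in ("configure terminal", "show running-config", "set memory debug"):
            print(f"{cs_name:9} {line:22} -> {cs.evaluate(line)}")
    print(device_decision("hostname evil", True, False, FIXED_SET))
    print(device_decision("hostname evil", True, True, FIXED_SET))
```

Running it shows the symptom from the original post: with the abbreviation "conf" in the table, "configure terminal" falls through to the default and is permitted; with "configure" it is denied, while "show running-config" is still permitted. The allow-list set denies "configure terminal" regardless, which is why the unchecked variant worked from the start. The `device_decision` calls show that even a correct table cannot block a config-mode command the device never sends for authorization.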