11-07-2017 08:20 AM - edited 02-21-2020 10:38 AM
Hello,
I have created the below TACACS command set in ISE.
When testing I am able to issue the commands conf t and exit but I cannot run any show commands. I was intending to deny "show version" and then permit any other show commands but for some reason all "show" commands are being denied.
I moved the permit s*w .* above the deny show v* and all worked fine. I was under the impression that, with the rules set up as in the screenshot, after issuing a "show run" it would skip past the deny show v* and be permitted by the permit s*w .*.
Can anyone see if I am making an obvious error?
Thanks
Nick
11-13-2017 04:25 PM
This discussion was continued over at the Cisco Communities Forum for ISE, and I wrote some updates there:
https://communities.cisco.com/message/273751#273751
Bottom line is that the documentation is quite clear about the behaviour, but it is buried deep in the 1200-page manual. I show some examples of how it works in the Communities post.
11-07-2017 10:12 AM
I have now patched this to patch level six in the hope that it is possibly a bug. Still the same results.
11-07-2017 03:57 PM
Hi Nick
Very good question. I hadn't noticed this before. And I am keen to get a Cisco response on this. I am still on ISE 2.2 patch 2 and upgrading to ISE 2.3 patch 1 tomorrow. My experience with the TACACS functionality has been not so good - I have had issues where the PAN no longer sent the TACACS programming to the PSN nodes. I configured the he&*% out of the Policy Sets and none of it landed on the PSNs! Only after I restarted the PAN did my PSNs get programmed again.
I tried the stuff below and no matter which way around I put the sh commands, I cannot execute the logic you want. I.e. when I have it as shown below, then
show run fails
show ver fails
When I have it as follows
then
show run passes
show ver passes
How bizarre.
11-11-2017 06:57 PM - edited 11-11-2017 07:04 PM
Hey Nick/Arne,
Looks like ISE is not able to match "version" using the regexp v* or ve* but it works with ver*. Same with run* instead of r* or ru*.
I am not sure if this has already been documented as a defect (I will double check). In the meantime, if you edit your argument for ver* everything should work.
Best regards,
dacabrer
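The following is an added illustration, not code from the thread or from ISE itself, of why a deny rule whose argument is the regex `v*` catches every show command: in a regular expression `v*` means "zero or more v", so it also matches an empty string inside "run". It assumes (this is not confirmed by the thread) that each command-set field is applied as an unanchored regex search and that rules are evaluated top-down with the first match winning; the rule lists are constructed to mirror Nick's screenshot.

```python
import re

# Constructed rule tables: (action, command_regex, argument_regex).
# ASSUMPTION: evaluated top-down, first match wins, each field is an
# unanchored regex search. Not ISE's own code or configuration export.
RULES_AS_POSTED = [
    ("deny",   "show",  r"v*"),     # "v*" = zero or more v, matches "" in "run"
    ("permit", r"s*w",  r".*"),
]
RULES_SWAPPED = [                   # the order Nick said "worked": deny never reached
    ("permit", r"s*w",  r".*"),
    ("deny",   "show",  r"v*"),
]
RULES_FIXED = [
    ("deny",   "show",  r"ver.*"),  # the glob "ver*" written as a regex
    ("permit", r"s*w",  r".*"),
]


def evaluate(rules, command_line, default="deny"):
    """Return the action of the first rule matching the command and its arguments."""
    cmd, _, args = command_line.strip().partition(" ")
    for action, cmd_re, arg_re in rules:
        # An empty match is still a match object (truthy), which is the whole problem.
        if re.search(cmd_re, cmd) and re.search(arg_re, args):
            return action
    return default


def matched_text(pattern, text):
    """What the argument regex actually consumed, to make the empty match visible."""
    m = re.search(pattern, text)
    return None if m is None else m.group(0)


if __name__ == "__main__":
    for name, rules in (("as posted", RULES_AS_POSTED),
                        ("swapped", RULES_SWAPPED),
                        ("fixed", RULES_FIXED)):
        for line in ("show run", "show version"):
            print(f"{name:10} {line:14} -> {evaluate(rules, line)}")
    print("v* on 'run' matched:", repr(matched_text(r"v*", "run")))
```

The fixed table is the only one that both denies "show version" and permits "show run"; swapping the order merely makes the deny unreachable.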