TACACS+ Restrict enable mode.

fabepach00
Level 1

Hello, we have many Cisco switches and routers working with a tac_plus Unix server. All is fine, except we have been tasked to allow certain users into our devices for read-only access. This is working; however, we want to restrict the user from typing enable at the prompt.

Is this even possible? Or is the default behavior to allow this command?

Thank you.

5 Replies

In order to restrict users from executing certain commands (such as enable), you will need to configure command authorization on the switches, then configure your TACACS+ server to deny that command.

Javier Henderson

Cisco Systems

If I recall, enable isn't a command that can be authorized. If the user has priv-lvl 15, he can use enable (privileged exec mode). Otherwise he can't, unless specifically configured by CLI. 

If you wish to allow access to privileged exec mode then you should allow privilege level 15 for the shell profile and then limit using a command authorization set. 

Feel free to confirm or contradict this by trial :)

Here is how you do it.

1- Create an account named "ciscotest".

2- Create a group named "test" and assign the following properties:

group = test {
        # The regex in each cmd block is matched against the command's
        # arguments (everything after the command word), so "deny .*"
        # also rejects a bare "enable" with no arguments.
        cmd = enable { deny .* }
        cmd = show { deny .* }
        cmd = show { permit .* }
        cmd = copy { permit .* }
        cmd = ping { permit .* }
        cmd = configure { deny .* }
        cmd = disable { permit .* }
        cmd = telnet { permit .* }
        cmd = disconnect { permit .* }
        cmd = where { permit .* }
        cmd = set { permit .* }
        # Only "clear line ..." is permitted; other clear commands fall
        # through to the group default.
        cmd = clear { permit line }
        cmd = exit { permit .* }
        cmd = debug { permit .* }
}

3- Assign user ciscotest to group test.

Now user ciscotest will not be able to get into "enable" mode. When user ciscotest types "enable", they will get a "command not allowed".

Easy right?
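A small Python model of how a tac_plus command authorization decision is reached for the rule set above, added here as an example; it is not part of the thread, of tac_plus, or of Cisco IOS. It assumes first-match evaluation over the rules as one ordered list, a regex search against the command's argument string (which is how tac_plus applies the permit/deny patterns inside a cmd block), a fall-through to deny unless the group has a permit default, and that the command word is already in its expanded form (no abbreviation handling). The shadow check only recognises the catch-all ".*" case, not general regex overlap.

```python
import re

# Ordered rule set transcribed from the group in the post above, as
# (command, action, argument regex) triples. The regex is applied to the
# argument string, not to the command word, so "deny .*" on enable also
# rejects a bare "enable" whose argument string is empty.
RULES = [
    ("enable", "deny", ".*"),
    ("show", "deny", ".*"),
    ("show", "permit", ".*"),
    ("copy", "permit", ".*"),
    ("ping", "permit", ".*"),
    ("configure", "deny", ".*"),
    ("disable", "permit", ".*"),
    ("telnet", "permit", ".*"),
    ("disconnect", "permit", ".*"),
    ("where", "permit", ".*"),
    ("set", "permit", ".*"),
    ("clear", "permit", "line"),
    ("exit", "permit", ".*"),
    ("debug", "permit", ".*"),
]


def authorize(command_line, rules=RULES, default_permit=False):
    """Return "permit" or "deny" for one command line.

    Modelled (assumption) as first match: the first rule whose command word
    equals the typed command and whose regex is found in the argument string
    decides. A command with no matching rule falls back to the group
    default, which is deny unless default_permit is set (the equivalent of
    'default service = permit' in a tac_plus group).
    """
    words = command_line.split()
    if not words:
        return "deny"
    cmd, args = words[0], " ".join(words[1:])
    for rule_cmd, action, pattern in rules:
        if rule_cmd == cmd and re.search(pattern, args):
            return action
    return "permit" if default_permit else "deny"


def shadowed_rules(rules=RULES):
    """Return the indexes of rules that can never match because an earlier
    rule for the same command already matches every argument string (".*").

    Only that catch-all case is detected; general regex subsumption is not.
    A shadowed permit after a catch-all deny is a common sign that a rule
    set does not do what its author intended.
    """
    catch_all_seen = set()
    shadowed = []
    for index, (cmd, _action, pattern) in enumerate(rules):
        if cmd in catch_all_seen:
            shadowed.append(index)
        elif pattern == ".*":
            catch_all_seen.add(cmd)
    return shadowed


if __name__ == "__main__":
    # Constructed sample commands; the expanded form is used because the
    # model does not expand abbreviations such as "en" or "sh".
    for line in ("enable", "show running-config", "ping 10.0.0.1",
                 "clear line 5", "clear counters", "configure terminal",
                 "reload"):
        print(f"{line:22} -> {authorize(line)}")
    for index in shadowed_rules():
        cmd, action, pattern = RULES[index]
        print(f"rule {index} ('cmd = {cmd} {{ {action} {pattern} }}') "
              f"is shadowed by an earlier catch-all for {cmd}")
```

Under this model "enable" and "configure terminal" are denied, "clear line 5" is permitted while "clear counters" is not (no rule matches, so the default applies), and the second show rule is reported as shadowed; whether a production tac_plus consults a second cmd block of the same name, or rejects the duplicate at parse time, is something to confirm against the daemon's own log output rather than this simplified model.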

Why allow any show after denying any show? Seems redundant.

Have you tried this block in tac_plus? 

Of course,

I've been using it for the past 10 years.

c3945>en
% Access denied

c3945>
