tacacs+ server command configuration

sfarazaz123
Level 1

Hi guys,

I want to configure the TACACS+ server and add a rule so that if a user doesn't use the "add" command when defining a new VLAN on the trunk, the command gets denied.

For example:

switchport trunk allowed vlan add xx

He should not be able to use the plain command without "add".

How can I write this rule, and how can I apply it to the users on all network devices?

I need some simple examples to understand this.

Thanks in advance

Faraz


George Stefanick
VIP Alumni

Hello!

You might want to post this on the switch / security forums.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Mark Malone
VIP Alumni

Hi

If you have a trunk with VLANs specified, you need to use the "add" syntax. If you don't, it will wipe the other VLANs from the trunk and only use the last one you specified, so you will break the trunk link as the two sides won't match any longer.

Not sure what that has to do with TACACS though, as TACACS is for access?

Hi Mark,

Thanks for the reply. My question is regarding AAA authorization.

As you mentioned, if we don't use the "add" parameter, it will wipe out all the other VLAN configuration on the trunk.

I want to avoid that mistake by putting in a TACACS+ authorization rule. It has happened before: we had, for example, 10 VLANs on a trunk and wanted to add another one. By mistake we didn't use the "add" command and it wiped out all the other VLAN information on the trunk.

So the rule should be like this:

If "add" is not used in the switchport trunk allowed vlan command -> deny adding the VLAN.

I hope I have now explained it in a way you can understand :)

Best Regards

Faraz
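The behaviour Mark describes (a bare VLAN list replaces the trunk's allowed list, while "add" extends it) and the argument check Faraz is asking for, modelled as an added example. This is not code from the thread, from Cisco or from any TACACS+ server; the parser, the `authorize` rule and the command regex are constructed here to illustrate why the keyword matters and what such a rule would have to inspect.

```python
import re
from typing import Optional, Set, Tuple

# Constructed model of IOS "switchport trunk allowed vlan" semantics:
# add/remove/except/all/none modify the allowed list, a bare list REPLACES it.
VLAN_RANGE = range(1, 4095)
CMD = re.compile(r"^switchport\s+trunk\s+allowed\s+vlan\s+(\S+)(?:\s+(\S+))?$", re.I)


def parse_vlan_list(text: Optional[str]) -> Set[int]:
    """Parse '10,20-22' into {10, 20, 21, 22}; reject missing or invalid IDs."""
    if not text:
        raise ValueError("VLAN list is required")
    vlans: Set[int] = set()
    for part in text.split(","):
        lo, _, hi = part.strip().partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if lo_i > hi_i or lo_i not in VLAN_RANGE or hi_i not in VLAN_RANGE:
            raise ValueError(f"invalid VLAN range: {part}")
        vlans.update(range(lo_i, hi_i + 1))
    return vlans


def apply_allowed_vlan(current: Set[int], command: str) -> Set[int]:
    """Return the allowed-VLAN set after the command is applied."""
    m = CMD.match(command.strip())
    if not m:
        raise ValueError("not a 'switchport trunk allowed vlan' command")
    keyword, arg = m.group(1).lower(), m.group(2)
    if keyword == "add":
        return current | parse_vlan_list(arg)
    if keyword == "remove":
        return current - parse_vlan_list(arg)
    if keyword == "except":
        return set(VLAN_RANGE) - parse_vlan_list(arg)
    if keyword == "all":
        return set(VLAN_RANGE)
    if keyword == "none":
        return set()
    # Bare list: the whole allowed list is replaced (the mistake in the thread).
    return parse_vlan_list(keyword)


def authorize(command: str) -> Tuple[bool, str]:
    """Hypothetical command-authorization rule: permit only the 'add' form."""
    m = CMD.match(command.strip())
    if not m:
        return True, "not a trunk allowed-vlan command; rule does not apply"
    if m.group(1).lower() == "add" and m.group(2):
        return True, "permit: additive change to the allowed-VLAN list"
    return False, "deny: command would replace the allowed-VLAN list"
```

Running `apply_allowed_vlan({10, 11, 12}, "switchport trunk allowed vlan 100")` returns `{100}`, which is exactly the loss the thread describes, while the `add` form returns `{10, 11, 12, 100}`.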

I have never seen that done through authorisation after being logged in. AAA is not capable of making sure a user doesn't make a mistake like that; it's just for access security.

If you were trying to do it from Prime 3.0 or above through compliance, it could probably be done, as you can build rule bases against access and configuration to do it, but not under the CLI in a router/switch.

AAA is for access. You can put the user in a low-end privilege group so he can't make changes like that again, preventing this from happening, but it does not have a feature for preventing mistakes as far as I'm aware.

Hi Mark,

Thanks a lot for clearing up the confusion.