Security

  • 1.  Tacacs for allowing specific commands

    Posted Jul 01, 2020 04:30 AM

    Hi Team,

    I have done TACACS integration with an Aruba controller.

    And I have added the profile config as attached.

    I want to deny any aaa commands, but they are still working.

    Also, I am not seeing the authorization data, such as the commands executed by the user.

    How do I achieve this?


    Regards,

    Mallikarjun



  • 2.  RE: Tacacs for allowing specific commands

    Posted Jul 01, 2020 06:45 AM


  • 3.  RE: Tacacs for allowing specific commands

    Posted Jul 01, 2020 08:33 AM

    Yes,

    I have gone through that.

    And for the enforcement profile in Services, if I remove the Aruba common service it starts throwing an error like:

    Requested priv_level=[0f] greater than Max Allowed priv_level=[00]

    And in Access Tracker it shows Accept, but SSH denies the access.
    The alert in Access Tracker is "Tacacs service=Aruba:common not enabled".

    Regards,
    Mallikarjun



  • 4.  RE: Tacacs for allowing specific commands

    Posted Aug 06, 2023 02:36 AM

    Hi,

    For read-only access, you can keep privilege 15 as Super Admin (this is OK), but just restrict based on specific commands, e.g. as attached.

    That will deny 'show run all' but will allow all other show commands, including 'show run' on its own:

    S1#show run all
    Command authorization failed.

    S1#show run
    Building configuration...

    Current configuration : 13365 bytes

    =============

    Tested in lab:

    S1#show version
    Cisco IOS Software, Linux Software (I86BI_LINUXL2-ADVENTERPRISEK9-M), Version 15.2(CML_NIGHTLY_20190423)FLO_DSGS7, EARLY DEPLOYMENT DEVELOPMENT BUILD, synced to  V152_6_0_81_E
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2019 by Cisco Systems, Inc.
    Compiled Tue 23-Apr-19 02:38 by mmen

    ROM: Bootstrap program is Linux

    S1 uptime is 3 hours, 23 minutes
    System returned to ROM by reload at 0
    System image file is "unix:/opt/unetlab/tmp/2/1/i86bi_Linux-L2-Adventerprisek9-ms.SSA.high_"
    Last reload reason: Unknown reason

    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.

    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

    If you require further assistance please contact us by sending email to
    export@cisco.com.

    Linux Unix (Intel-x86) processor with 921491K bytes of memory.
    Processor board ID 67110913
    16 Ethernet interfaces
    1 Virtual Ethernet interface
    1024K bytes of NVRAM.

    Configuration register is 0x0

    ClearPass 6.10.5
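    The following is an added worked illustration of the first-match command-authorization logic that both the original question (block any aaa commands) and reply 4 (privilege 15 with 'show run all' denied but 'show run' allowed) rely on. It is not the poster's ClearPass profile, the attached enforcement profile, or any vendor's code: it assumes an ordered permit/deny list evaluated top to bottom with an implicit final deny, which is the shape of a per-role TACACS+ command list. The policy names, rule patterns, user name and log format are all constructed for the example.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Rule:
    """One command-authorization rule (hypothetical format): 'permit' or
    'deny' plus a regex matched against the normalized command line."""
    action: str
    pattern: str


@dataclass
class CommandPolicy:
    """Ordered, first-match command policy with an implicit final deny."""
    name: str
    rules: list
    log: list = field(default_factory=list)  # stands in for accounting records

    @staticmethod
    def normalize(cmd: str) -> str:
        # Collapse whitespace and lower-case so 'Show   RUN' equals 'show run'.
        return " ".join(cmd.strip().split()).lower()

    def authorize(self, user: str, cmd: str):
        """Return (permitted, matched_rule) and append one log record."""
        line = self.normalize(cmd)
        for rule in self.rules:
            if re.match(rule.pattern, line):
                permitted = rule.action == "permit"
                self.log.append(
                    f"user={user} policy={self.name} cmd='{line}' "
                    f"result={'permit' if permitted else 'deny'} rule='{rule.pattern}'")
                return permitted, rule.pattern
        # No rule matched: the implicit deny at the end of the list applies.
        self.log.append(
            f"user={user} policy={self.name} cmd='{line}' result=deny rule=implicit-deny")
        return False, "implicit-deny"


# Read-only operator profile as in reply 4: only 'show' commands, and never
# 'show run all'. The specific deny must come before the broad permit.
READ_ONLY = CommandPolicy("read-only", [
    Rule("deny",   r"^show run(ning-config)? all\b"),
    Rule("permit", r"^show\b"),
    Rule("permit", r"^(exit|end|terminal (length|width))\b"),
])

# The same two rules in the wrong order: the broad permit shadows the deny.
READ_ONLY_MISORDERED = CommandPolicy("read-only-misordered", [
    Rule("permit", r"^show\b"),
    Rule("deny",   r"^show run(ning-config)? all\b"),
])

# The original question: full admin, except that no 'aaa' configuration
# may be entered or removed (constructed rule set).
NO_AAA = CommandPolicy("admin-no-aaa", [
    Rule("deny",   r"^(no )?aaa\b"),
    Rule("permit", r".*"),
])


def evaluate(policy: CommandPolicy, user: str, commands):
    """Authorize each command in turn and return {command: permitted}."""
    return {cmd: policy.authorize(user, cmd)[0] for cmd in commands}


if __name__ == "__main__":
    sample = ["show run", "show run all", "show running-config all",
              "show version", "configure terminal", "aaa authentication mgmt"]
    for pol in (READ_ONLY, READ_ONLY_MISORDERED, NO_AAA):
        print(pol.name, evaluate(pol, "operator", sample))
    print("\n".join(READ_ONLY.log))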