[tac_plus] Re: Restricting Cisco 'interface' command

Schmidt, Daniel dan.schmidt at uplinkdata.com
Tue Oct 20 17:13:10 UTC 2009


Well, you modified the regular expression I gave you; what interfaces
are you trying to forbid?

-----Original Message-----
From: dterry at dollartree.com [mailto:dterry at dollartree.com] 
Sent: Tuesday, October 20, 2009 11:04 AM
To: Schmidt, Daniel
Cc: john heasley; tac_plus at shrubbery.net
Subject: RE: [tac_plus] Re: Restricting Cisco 'interface' command

aaa new-model
aaa authentication login default group tacacs+ local enable
aaa authentication enable default group tacacs+ enable none
aaa authentication ppp default if-needed group radius local
aaa authorization exec default group tacacs+ local none
aaa authorization commands 0 default group tacacs+ local none
aaa authorization commands 1 default group tacacs+ local none
aaa authorization commands 15 default group tacacs+ local none
aaa authorization network default group tacacs+ local none
aaa accounting delay-start
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common
ip tacacs source-interface Loopback0
tacacs-server host <host>
no tacacs-server directed-request
tacacs-server key 7 <key>


-----Original Message-----
From: "Schmidt, Daniel" <dan.schmidt at uplinkdata.com>
Sent: 10/20/2009 01:01 PM
To: <dterry at dollartree.com>
Cc: "john heasley" <heas at shrubbery.net>; <tac_plus at shrubbery.net>
Subject: RE: [tac_plus] Re: Restricting Cisco 'interface' command

post:
sh run | inc tacacs|aaa

-----Original Message-----
From: dterry at dollartree.com [mailto:dterry at dollartree.com]
Sent: Tuesday, October 20, 2009 10:54 AM
To: Schmidt, Daniel
Cc: john heasley; tac_plus at shrubbery.net
Subject: RE: [tac_plus] Re: Restricting Cisco 'interface' command

I have everything setup correctly on the Cisco side.

I have tried your suggestion below and was unable to prevent a user from
configuring interfaces other than Gi and Fa ports. Debugging tacacs
authorization produced no helpful information.

Further suggestions would be appreciated.

-----Original Message-----
From: "Schmidt, Daniel" <dan.schmidt at uplinkdata.com>
Sent: 10/20/2009 12:26 PM
To: "john heasley" <heas at shrubbery.net>; <dterry at dollartree.com>
Cc: <tac_plus at shrubbery.net>
Subject: RE: [tac_plus] Re: Restricting Cisco 'interface' command

# deny anything not explicitly permitted below
default service = deny
# note: a bracket class matches a single character, so this permit is broader
# than the two-letter Fa/Gi prefixes it is meant to allow
cmd = interface { permit [faFAgiGI].* }

If you're looking for a simpler configuration, look at my authentication
script on tacacs.org.  However, the above should work for your purposes.

-----Original Message-----
From: tac_plus-bounces at shrubbery.net
[mailto:tac_plus-bounces at shrubbery.net] On Behalf Of john heasley
Sent: Tuesday, October 20, 2009 10:10 AM
To: dterry at dollartree.com
Cc: tac_plus at shrubbery.net
Subject: [tac_plus] Re: Restricting Cisco 'interface' command

Tue, Oct 20, 2009 at 10:35:11AM -0400, dterry at dollartree.com:
>
> Hello,
>
>       I am trying to restrict the usage of the 'interface' command within
> Cisco gear. I would like the users to have access to issue "interface Gi.*"
> or "interface Fa.*". I do not want them to have the ability to issue
> "interface Te.*". The configuration that I have in place now for this is:
>
>         cmd = interface {
>                 permit ".*Gi.*"
>                 permit ".*Fa.*"
>                 deny    .*
>         }
>
> Should this work? If not, where's my error?

make sure authorization is configured on the device, else enable tacacs
authorization debugging to find-out why its not matching.
_______________________________________________
tac_plus mailing list
tac_plus at shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
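Editor's note, not part of the thread: the small evaluator below walks the two interface rule lists posted above (the question's permit/deny block and the one-line `[faFAgiGI].*` reply) plus an anchored alternative over a constructed set of interface names, the way a first-match-wins cmd block is evaluated. It assumes that patterns are applied unanchored, as POSIX regexec() does, so `.*Gi.*` matches anywhere in the argument; under that assumption it also lets `TenGigabitEthernet1/1` through, because the substring `Gi` occurs inside `Gigabit`, and the bracket class lets through any name containing a, f, g or i, such as `Loopback0`. The fallback when no rule matches is a parameter of the toy, since the thread does not settle what tac_plus does in that case. The interface names are constructed, not taken from the thread. On the IOS side, a separate check worth making is that `aaa authorization config-commands` is in effect, since configuration-mode commands such as `interface` are only submitted for authorization while it is (it is on by default and so does not show in `show run` unless it was disabled with the `no` form).

```python
import re

# Constructed sample of 'interface' arguments, abbreviated and expanded
# IOS interface names; these are not from the thread.
SAMPLE_ARGS = (
    "GigabitEthernet1/0/1",
    "Gi1/0/1",
    "FastEthernet0/1",
    "TenGigabitEthernet1/1",
    "Te1/1",
    "Loopback0",
    "Vlan10",
)

# Rule lists as (action, regex) pairs in cmd-block order.
OP_RULES = [("permit", r".*Gi.*"), ("permit", r".*Fa.*"), ("deny", r".*")]  # the question's block
CLASS_RULES = [("permit", r"[faFAgiGI].*")]                                  # the one-line reply
# Anchored alternation in POSIX ERE syntax (valid for both re and regexec),
# so only names that *begin* with Fa or Gi pass; everything else hits deny.
ANCHORED_RULES = [("permit", r"^([Ff][Aa]|[Gg][Ii])"), ("deny", r".*")]


def authorize(rules, arg, default="deny"):
    """Return 'permit' or 'deny' for one argument string.

    First matching rule wins, as in a tac_plus cmd block. Assumption: the
    regex is applied unanchored (re.search, like POSIX regexec), so it can
    match anywhere in the argument unless it carries ^ or $. 'default' is
    what the toy returns when no rule matches; that fallback is an
    assumption of this example, not something the thread states.
    """
    for action, pattern in rules:
        if re.search(pattern, arg):
            return action
    return default


def evaluate(rules, args=SAMPLE_ARGS):
    """Map every sample argument to its authorization result."""
    return {arg: authorize(rules, arg) for arg in args}


def permitted(rules, args=SAMPLE_ARGS):
    """Sorted list of the arguments a rule list lets through."""
    return sorted(a for a, r in evaluate(rules, args).items() if r == "permit")


if __name__ == "__main__":
    for name, rules in (("question", OP_RULES),
                        ("class", CLASS_RULES),
                        ("anchored", ANCHORED_RULES)):
        print(f"{name:9s} permits: {permitted(rules)}")
```

Running it shows the question's block denying `Te1/1` but permitting `TenGigabitEthernet1/1`, the bracket class permitting `Loopback0` and `Vlan10`, and only the anchored list restricting access to names starting with Fa or Gi. If the device is sending expanded interface names in the authorization request, that is a plausible reason the original block looked like it was not working; if authorization requests are not arriving at all, the device-side AAA configuration is the place to look, as the thread already suggests.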