ISE 2.2 command authorization based on submode

Chun-Taek Park
Cisco Employee

Hi Expert

I am testing ISE 2.2 Device admin(TACACS+) with Nexus platform.

I want to apply command authorization based on the sub command mode, per account (identity).

Below is an example of what I want to do.

Goal Summary

  • Only restrict the 'shutdown' command in interface config mode, not in BGP config mode, per account (identity).
  • Basically, if I define a deny for the 'shutdown' command in a command set, that command set is applied in all command modes (interface, BGP, etc.), but I want to restrict this command only in the interface sub command mode.

Example

  • restrict the 'shutdown' command in interface config mode
  • permit the 'shutdown' command in BGP config mode

NX-OS(config)# interface ethernet 1/1
NX-OS(config-if)# shutdown                         ==> restrict
NX-OS(config-if)# exit
NX-OS(config)# router bgp 65001
NX-OS(config-router)# shutdown                     ==> permit
NX-OS(config-router)# neighbor 1.1.1.1
NX-OS(config-router-neighbor)# shutdown            ==> permit

OR

  • restrict the 'shutdown' command in interface config mode and BGP process config mode
  • permit the 'shutdown' command in BGP neighbor config mode

NX-OS(config)# interface ethernet 1/1
NX-OS(config-if)# shutdown                         ==> restrict
NX-OS(config-if)# exit
NX-OS(config)# router bgp 65001
NX-OS(config-router)# shutdown                     ==> restrict
NX-OS(config-router)# neighbor 1.1.1.1
NX-OS(config-router-neighbor)# shutdown            ==> permit

Do you have any idea how to do this?

Regards,

3 Replies

ldanny
Cisco Employee

I *think* it's only possible to accomplish this by stating the exact port in your restrict commands.

Let me check on this and update.

Hi ldanny

Thanks and do you have any update?

Regards,

hslai
Cisco Employee
(Accepted Solution)

I concur with Danny.

With T+ command authorization, the command sent to ISE will be "shutdown" without the context. If applicable, you could simply restrict the command "interface".

NX-OS can also authorize users based on their user roles. In "How To: ISE TACACS+ Configuration for Cisco NX-OS Network Devices", I gave one example.

role name demo-security
description A user-defined role example for demo purposes
rule 10 permit read-write feature interface
interface policy deny
  permit interface Vethernet1

As I am no expert on NX-OS, I would suggest you consult the Nexus or NX-OS support teams for further guidance.
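The point hslai makes, that the TACACS+ authorization request carries only the command word and its arguments and not the config sub-mode, is the reason the original command-set approach cannot work. The following is an added example, not code from ISE or from anyone in this thread: a small Python model of an ISE-style command set (rule grants PERMIT / DENY / DENY_ALWAYS with a regex on the arguments, plus the "permit any command not listed" setting) run over the session from the question. The evaluation order (DENY_ALWAYS beats PERMIT, PERMIT beats DENY, then the unlisted default) and the `Rule` / `CommandSet` / `authorize` names are assumptions made for illustration; the session lines are constructed from the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Rule:
    """One row of an ISE-style command set (illustrative model, not ISE's engine)."""
    grant: str          # "PERMIT", "DENY" or "DENY_ALWAYS"
    command: str        # exact command word, e.g. "shutdown"
    args: str = ".*"    # regex matched against the full argument string


@dataclass
class CommandSet:
    rules: List[Rule]
    permit_unlisted: bool = False   # "Permit any command that is not listed below"


def tacacs_request(cli_line: str) -> Tuple[str, str]:
    """What a T+ command-authorization request carries: command word + arguments.

    The device prompt / config sub-mode (config-if, config-router, ...) is NOT
    part of the request, so the server never sees it. That is the limitation
    discussed in the thread.
    """
    parts = cli_line.split()
    return parts[0], " ".join(parts[1:])


def authorize(cs: CommandSet, cli_line: str) -> bool:
    """Evaluate a command set against one CLI line (assumed precedence:
    DENY_ALWAYS > PERMIT > DENY > unlisted default)."""
    cmd, args = tacacs_request(cli_line)
    matches = [r for r in cs.rules
               if r.command == cmd and re.fullmatch(r.args, args)]
    if any(r.grant == "DENY_ALWAYS" for r in matches):
        return False
    if any(r.grant == "PERMIT" for r in matches):
        return True
    if any(r.grant == "DENY" for r in matches):
        return False
    return cs.permit_unlisted


# Constructed from the session in the question: (prompt mode, line typed).
# The mode column exists only on the device side; authorize() never sees it.
SESSION = [
    ("config",                 "interface ethernet 1/1"),
    ("config-if",              "shutdown"),
    ("config-if",              "exit"),
    ("config",                 "router bgp 65001"),
    ("config-router",          "shutdown"),
    ("config-router",          "neighbor 1.1.1.1"),
    ("config-router-neighbor", "shutdown"),
]

# Attempt from the question: deny 'shutdown', permit everything else.
DENY_SHUTDOWN = CommandSet([Rule("DENY", "shutdown")], permit_unlisted=True)

# hslai's alternative: block entering interface mode instead of 'shutdown'.
DENY_INTERFACE = CommandSet([Rule("DENY", "interface")], permit_unlisted=True)


def run_session(cs: CommandSet, session):
    """Return (mode, line, permitted) for every line of the session."""
    return [(mode, line, authorize(cs, line)) for mode, line in session]


def shutdown_decisions(cs: CommandSet, session):
    """Map each sub-mode in which 'shutdown' was typed to the server's decision.
    Because the request lacks the mode, every mode gets the same answer."""
    return {mode: ok for mode, line, ok in run_session(cs, session)
            if line == "shutdown"}


if __name__ == "__main__":
    for name, cs in (("deny shutdown", DENY_SHUTDOWN), ("deny interface", DENY_INTERFACE)):
        print(f"--- command set: {name}")
        for mode, line, ok in run_session(cs, SESSION):
            print(f"{mode:24} {line:26} {'permit' if ok else 'DENY'}")
```

With `DENY_SHUTDOWN` all three `shutdown` lines are denied, in interface, BGP and BGP-neighbor mode alike, which is exactly the behaviour the question describes. With `DENY_INTERFACE` the user cannot enter `interface ethernet 1/1` at all, while `router bgp 65001` and the `shutdown` lines under it are permitted; the `config-if` `shutdown` shows as permitted in the simulation only because the device would never have reached that mode, which again illustrates that the server cannot tell the modes apart.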