ACS query for command authorization

a_ccie
Cisco Employee

Hello Experts,

My customer wants to have a user profile with command restrictions as mentioned in the table below. The network device is a Cisco Nexus 7000.

Basically, the customer wants to restrict some users to only certain configuration tasks. However, we are not sure whether ACS can be configured with restrictions at the sub-config mode level. For example, in interface configuration mode the user can only shut or no shut the interface. Similarly for BGP configuration mode, as shown below. They are using ACS v5.6 as the TACACS server.

Please suggest how this can be achieved.

       
1 Accepted Solution

Accepted Solutions

kthiruve
Cisco Employee

Hi Amit,

I suggest starting by looking at the ACS configuration guide for shell and command authorization first:

https://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/113590-acs5-tacacs-config.html

There are a few things you have to do in TACACS+:

Authentication, shell authorization, command authorization and accounting.

Here are the specifics on shell and command authorization, since they use wildcard operators (command sets). You need to understand the syntax and how to do it:

https://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-6/user/guide/acsuserguide/pol_elem.h…

Here is a snippet of configuration on a Nexus 7k:

https://supportforums.cisco.com/t5/network-management/nexus-n7k-aaa-7-tacacs-configurations-are-not-working/td-p/3001125

When you are configuring command sets, it uses the format command and argument, so you have to stack the commands for the script to run sequentially; remember these commands are sent from the Nexus to ACS for authorization.

e.g. you can do the command config t

then you can do interface gi1/0

then you can do the sub-interface commands.

Please test out the command sets. You have to use wildcards correctly. Try it out and see.

Finally, there is a TACACS+ guide for ISE for Nexus. You can use this to understand the rules for creating shell profiles and command sets, since they are the same. Take a look at it:

ISE Device Administration (TACACS+)

Thanks

Krishnan


3 Replies


Thank you Krishnan for your response and all the information.

I had a quick read through the relevant pointers you provided.

Let me reiterate the customer requirements for the Security Ops user:

  1. The user can ping, traceroute, telnet.
  2. Additionally, they should be able to shut / unshut an ethernet interface.
  3. Shut / unshut a BGP neighbor.

From your earlier reply, it appears you are suggesting that adding the command set below will achieve points 2 and 3 mentioned above.

Action   Command       Argument
permit   interface     ethernet *
permit   shutdown
permit   no shutdown
permit   router        bgp *
permit   neighbor      *
permit   shutdown
permit   no shutdown

Additionally, to achieve the above requirement, I am thinking I need to use the system-defined privilege role (priv-0). Or do I need to manually define a role on the N7k switch?

Looking for your valuable inputs.

Also, unfortunately, the customer does not have a test setup. Will it be possible for someone in the BU to test?

Regards

Amit

Hi Krishnan,

Could you please confirm whether my understanding below is correct.

1. Privilege level does not come into play when using command sets (per-command authorization).

2. The NX-OS command hierarchy does not matter. Each command will be authorized individually, so as long as the command sequence in the command sets is appropriate, it will work.

Customer user profile requirement:

Profile: Operations L2
Privilege level: 0
Commands:
  ping *
  ping6 *
  traceroute *
  show *
  telnet
  telnet6
  ssh
  ssh6
  configuration t
  permit terminal width
  terminal length
  clear bgp * soft
  router bgp *
    neighbor *
      shut / no shut
  interface *
    shut / no shut

To achieve this, we can use the command set below. Please let me know if you agree.

Action   Command         Argument
permit   ping            *
permit   ping6           *
permit   traceroute      *
permit   show            *
permit   telnet          *
permit   telnet6         *
permit   ssh
permit   ssh6
permit   configuration   terminal
permit   interface       ethernet *
permit   shutdown
permit   no shutdown
permit   router          bgp *
permit   neighbor        *
permit   shutdown
permit   no shutdown

Cheers.
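As an added illustration (not code from the thread or from ACS), here is a small Python stand-in for the per-command authorization Krishnan describes, run over the Security Ops command set proposed above: every line the switch sends is evaluated on its own, with the first token as the command and the rest matched as a glob against the Argument column, and anything unmatched falls to the default deny. Assumptions: the matcher is a simplification of the real ACS engine, "no shutdown" is modelled as command "no" with argument "shutdown" (the cmd=/cmd-arg= split a TACACS+ client sends), and "configure terminal" is assumed to be the expanded keyword the switch sends.

```python
import fnmatch
from typing import NamedTuple

class Rule(NamedTuple):
    action: str    # "permit" or "deny"
    command: str   # first keyword of the CLI line, e.g. "interface"
    argument: str  # glob for the rest of the line; "" means no arguments

# Constructed from the Security Ops command set proposed in the thread.
# "no shutdown" is modelled as command "no" with argument "shutdown", and
# "configure terminal" is assumed to be the expanded keyword the switch sends.
SECOPS_RULES = [
    Rule("permit", "ping", "*"), Rule("permit", "ping6", "*"),
    Rule("permit", "traceroute", "*"), Rule("permit", "show", "*"),
    Rule("permit", "telnet", "*"), Rule("permit", "telnet6", "*"),
    Rule("permit", "ssh", "*"), Rule("permit", "ssh6", "*"),
    Rule("permit", "configure", "terminal"),
    Rule("permit", "interface", "ethernet *"),
    Rule("permit", "router", "bgp *"),
    Rule("permit", "neighbor", "*"),
    Rule("permit", "shutdown", ""),
    Rule("permit", "no", "shutdown"),
]

def split_command(line: str) -> tuple[str, str]:
    """First token is the command, the rest is the argument string (the
    cmd= and cmd-arg= attributes a TACACS+ client sends to the server)."""
    parts = line.strip().split(None, 1)
    return parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")

def authorize(line: str, rules: list[Rule], default: str = "deny") -> str:
    """Return 'permit' or 'deny' for one command; first matching rule wins.
    The request carries no CLI mode, so only command and arguments are compared:
    a 'permit shutdown' rule applies in every mode where the switch accepts it."""
    command, argument = split_command(line)
    for rule in rules:
        if rule.command.lower() == command and fnmatch.fnmatchcase(argument, rule.argument):
            return rule.action
    return default  # unmatched commands are denied unless the set says otherwise

def authorize_session(lines: list[str], rules: list[Rule]) -> list[tuple[str, str]]:
    """Authorize each command of a session individually, as the switch would."""
    return [(line, authorize(line, rules)) for line in lines]

# Constructed sample session: the shut/no-shut workflow plus two commands that
# fall outside the profile and must hit the default deny.
SAMPLE_SESSION = [
    "ping 192.0.2.1", "configure terminal", "interface ethernet 1/1",
    "shutdown", "no shutdown", "router bgp 65001", "neighbor 192.0.2.2",
    "shutdown", "no ip route 0.0.0.0/0 192.0.2.254", "copy running-config startup-config",
]
```

Because the "no" rule only carries the argument "shutdown", other negated commands such as "no ip route ..." are still denied, which is the check worth repeating against the real ACS command set before rollout.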