Solved: Denying sub-commands

dinesh.thathanath · ‎08-02-2007

Background : I am running SRA4 image on my 7613 router. The router crashes when i give the command "no interface tunnelx"

Soultion Required :

I need to deny a specific command on my router from the config mode : "no interface Tunnel xyz". How can I acheive this?. The user should have privilege to execute "no interface vlan" , "no interface G1/0.1" etc.. I tried doing this but, ACS 4.0 is not looking for the sub-command, for example if i deny no interface tunnel in Shell command set, ACS looks for only two keywords, in this case no and interface....HELP REQUESTED..

Premdeep Banga · ‎08-05-2007

Hi,

One thing that I would like to point, looking at the screen shot is that, the commands are case sensitive and they needs to be defined the exactly the way they are available.

But that does not mean that while executing those commands you need to type them as case sensitive. During execution of the command, you can execute then normally.

Taking as example, the doc that you provided, as you can see that you typed command,

no int tu131

and in ACS logs you got following,

service=shell cmd=no interface Tunnel 131

which means that you need to create you shell command authorization as,

no------deny interface Tunnel

rather then,

no------deny interface tunnel

"no------deny interface Tunnel" works in most of the cases, we need not specify the complete syntax. But if its not working, and you can go to more granularity.

About your question, from the attached screen shot, you have following option checked,

"Unmatched Commands : (*) Permit"

This means, where ever you apply this shell command set. *All* the commands will be *allowed*, except from those that you deny.

And it seems that you are being denied both tunnel and interface on the router, the only reason that I can think of this, the shell command authorization set that you have defined is only valid till,

no-----deny interface

"tunnel" is not correct, it should be "Tunnel"

or to be more precise,

no-----deny interface Tunnel [0-9][0-9][0-9]

considering that you can create 999 tunnels, so above wild card will cover 0-999 tunnels.

Let me know if this helps.

Regards,

Prem

View solution in original post

rochopra · ‎08-02-2007

Try running following debug on the router:

debug aaa authorization

debug tacacs

Then try to authenticate user and run the command.

It will give you exact syntax of the command which is going to AAA server.

~Rohit

Premdeep Banga · ‎08-02-2007

Hi,

Another possible solution, if you do not want to turn debugs on the device is to see how exactly the commands are being sent to ACS server in accounting logs.

In order to do that, put following commands on the device,

aaa accounting commands 0 default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

Then log in using the administrator, and issue all the commands that you *want* the user should be able to access, like,

"no interface vlan",

"no interface G1/0.1".

Then go to ACS > Reports and Activity > TACACS+ Administration Logs.

You'll see how exactly the commands are being send. Then make use of this information to apply the restriction.

And make use of the attached template on how to apply this restriction.

Example,

no------permit interface vlan [0-9]

Regards,

Prem

dinesh.thathanath · ‎08-05-2007

Thanks Prem

Query : Will ACS take wild card characters like "permit interface vlan [0-4094]" etc.

My objective is to block only one command " no interface tunnel". Can you tell me what should be mu exact permit and deny statements. I am attaching a doc for reference.

Premdeep Banga · ‎08-05-2007

Hi,

One thing that I would like to point, looking at the screen shot is that, the commands are case sensitive and they needs to be defined the exactly the way they are available.

But that does not mean that while executing those commands you need to type them as case sensitive. During execution of the command, you can execute then normally.

Taking as example, the doc that you provided, as you can see that you typed command,

no int tu131

and in ACS logs you got following,

service=shell cmd=no interface Tunnel 131

which means that you need to create you shell command authorization as,

no------deny interface Tunnel

rather then,

no------deny interface tunnel

"no------deny interface Tunnel" works in most of the cases, we need not specify the complete syntax. But if its not working, and you can go to more granularity.

About your question, from the attached screen shot, you have following option checked,

"Unmatched Commands : (*) Permit"

This means, where ever you apply this shell command set. *All* the commands will be *allowed*, except from those that you deny.

And it seems that you are being denied both tunnel and interface on the router, the only reason that I can think of this, the shell command authorization set that you have defined is only valid till,

no-----deny interface

"tunnel" is not correct, it should be "Tunnel"

or to be more precise,

no-----deny interface Tunnel [0-9][0-9][0-9]

considering that you can create 999 tunnels, so above wild card will cover 0-999 tunnels.

Let me know if this helps.

Regards,

Prem

dinesh.thathanath · ‎08-06-2007

It works beutifully. Thanks a lot Prem.