08-02-2007 12:09 AM - edited 03-10-2019 03:18 PM
Background: I am running the SRA4 image on my 7613 router. The router crashes when I give the command "no interface tunnelx".
Solution Required:
I need to deny a specific command on my router from config mode: "no interface Tunnel xyz". How can I achieve this? The user should have the privilege to execute "no interface vlan", "no interface G1/0.1", etc. I tried doing this, but ACS 4.0 is not looking for the sub-command; for example, if I deny "no interface tunnel" in the Shell command set, ACS looks for only two keywords, in this case "no" and "interface". HELP REQUESTED.
08-05-2007 07:59 AM
Hi,
One thing that I would like to point out, looking at the screenshot, is that the commands are case sensitive and they need to be defined exactly the way they are available.
But that does not mean that while executing those commands you need to type them as case sensitive. During execution of the command, you can execute them normally.
Taking as an example the doc that you provided, you can see that you typed the command,
no int tu131
and in ACS logs you got following,
service=shell cmd=no interface Tunnel 131
which means that you need to create your shell command authorization as,
no------deny interface Tunnel
rather than,
no------deny interface tunnel
"no------deny interface Tunnel" works in most of the cases; we need not specify the complete syntax. But if it's not working, you can go to more granularity.
About your question, from the attached screenshot, you have the following option checked,
"Unmatched Commands : (*) Permit"
This means that wherever you apply this shell command set, *all* the commands will be *allowed*, except those that you deny.
And it seems that you are being denied both tunnel and interface on the router; the only reason that I can think of for this is that the shell command authorization set that you have defined is only valid till,
no-----deny interface
"tunnel" is not correct, it should be "Tunnel"
or to be more precise,
no-----deny interface Tunnel [0-9][0-9][0-9]
considering that you can create 999 tunnels, the above wildcard will cover tunnels 0-999.
Let me know if this helps.
Regards,
Prem
08-02-2007 02:46 AM
Try running the following debugs on the router:
debug aaa authorization
debug tacacs
Then try to authenticate user and run the command.
It will give you the exact syntax of the command which is going to the AAA server.
~Rohit
08-02-2007 09:12 AM
Hi,
Another possible solution, if you do not want to turn debugs on on the device, is to see how exactly the commands are being sent to the ACS server in the accounting logs.
In order to do that, put the following commands on the device,
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
Then log in as the administrator, and issue all the commands that you *want* the user to be able to access, like,
"no interface vlan",
"no interface G1/0.1".
Then go to ACS > Reports and Activity > TACACS+ Administration Logs.
You'll see how exactly the commands are being sent. Then make use of this information to apply the restriction.
And make use of the attached template on how to apply this restriction.
Example,
no------permit interface vlan [0-9]
Regards,
Prem
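To make the two posts above concrete (the accepted answer on case-sensitive argument matching, and this one on reading the exact command text from the accounting logs), here is an added example that is not part of the thread and is not ACS or Cisco code. It pulls the command strings out of log lines in the "service=shell cmd=..." form quoted in the thread, then runs them through a simplified model of an ACS 4.x shell command authorization set. The model is an assumption: the first word selects the command entry, each "permit"/"deny" argument line is tried in order as a case-sensitive regular expression against the rest of the command, and unmatched commands or arguments fall through to the set's defaults. Only the Tunnel 131 log line comes from the thread; the other log lines are constructed.

```python
import re

# Constructed sample of ACS "TACACS+ Administration" log lines in the
# format quoted in the thread ("service=shell cmd=..."). Only the Tunnel
# line is taken from the thread; the others are made up for this example.
SAMPLE_LOG = """\
service=shell cmd=no interface Tunnel 131
service=shell cmd=no interface Vlan 10
service=shell cmd=no interface GigabitEthernet 1/0.1
service=shell cmd=show running-config
"""

CMD_RE = re.compile(r"service=shell cmd=(?P<cmd>.+?)\s*$")


def commands_from_log(log_text):
    """Pull the exact command strings the router sent to ACS out of the
    accounting log; these are the strings the authorization set must match."""
    found = []
    for line in log_text.splitlines():
        m = CMD_RE.search(line)
        if m:
            found.append(m.group("cmd"))
    return found


class ShellCommandSet:
    """Simplified model (an assumption for this example, not ACS code) of an
    ACS 4.x shell command authorization set: the first word of the command
    selects a command entry; that entry's argument lines ("permit <regex>" or
    "deny <regex>") are tried in order as case-sensitive regular expressions
    against the rest of the command; a command with no entry falls through to
    the set's "Unmatched Commands" policy, and a command whose entry has no
    matching argument line falls through to the "Permit Unmatched Args" policy."""

    def __init__(self, unmatched_commands="permit", unmatched_args="permit"):
        self.unmatched_commands = unmatched_commands
        self.unmatched_args = unmatched_args
        self.entries = {}  # command word -> [(action, compiled regex), ...]

    def add(self, command, *arg_lines):
        rules = []
        for line in arg_lines:
            action, _, pattern = line.partition(" ")
            rules.append((action, re.compile(pattern)))
        self.entries[command] = rules
        return self

    def authorize(self, cmd):
        word, _, args = cmd.partition(" ")
        rules = self.entries.get(word)
        if rules is None:
            return self.unmatched_commands
        for action, pattern in rules:
            if pattern.search(args):
                return action
        return self.unmatched_args


def evaluate(command_set, log_text=SAMPLE_LOG):
    """Map every command seen in the log to the decision the set gives it."""
    return {cmd: command_set.authorize(cmd) for cmd in commands_from_log(log_text)}


# The three sets discussed in the thread: the lowercase pattern that never
# matches what IOS actually sends, the truncated pattern that denies every
# "no interface ..." command, and the recommended pattern.
WRONG_CASE = ShellCommandSet().add("no", "deny interface tunnel")
TOO_BROAD = ShellCommandSet().add("no", "deny interface")
RECOMMENDED = ShellCommandSet().add("no", "deny interface Tunnel [0-9][0-9][0-9]")

if __name__ == "__main__":
    for name, cs in [("wrong case", WRONG_CASE), ("too broad", TOO_BROAD),
                     ("recommended", RECOMMENDED)]:
        print(name)
        for cmd, decision in evaluate(cs).items():
            print(f"  {decision:6s}  {cmd}")
```

Under this model the lowercase "deny interface tunnel" line silently permits "no interface Tunnel 131" (the deny never matches), "deny interface" denies every "no interface ..." command including the Vlan and GigabitEthernet ones, and the recommended line denies only the tunnel command. One thing to check against your own logs before relying on the three-digit pattern: a one- or two-digit tunnel such as "no interface Tunnel 1" would not match "[0-9][0-9][0-9]" in this model and would fall through to the unmatched-args default.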
08-05-2007 12:04 AM
08-06-2007 04:59 AM
It works beautifully. Thanks a lot Prem.