Shell Command Auth Question

michael.leblanc Mon, 07/21/2008 - 07:52

I'm assuming you are using CSACS (not indicated) for defining your command sets.


e.g.:


"Deny" radio button selected (i.e.: only listed commands will be authorized).


Command List:

clear
disable
enable
show


"Clear" command argument(s) set as follows:


(a) Deselect the "Permit Unmatched Args" checkbox.


(b) Enter the following argument(s) into the list:


permit counters


... or, to be more specific:


permit counters Ethernet 0

permit counters FastEthernet 0


This should result in the ability to clear all counters, or the counters of specific interfaces (if you define them).


Notes:

(1) Command arguments are case sensitive and may differ from how they are entered at the CLI.

(2) A sniffer is helpful in determining proper case.

(3) Wireshark is capable of decrypting TACACS+ packets if you configure the application with the password.


dhananjoy chowdhury Mon, 07/21/2008 - 08:51

Hi,

I had mentioned it for the command line.

Suppose you have local users with privilege levels 2 and 15; then:


username admin2 privilege 2 password cisco
username admin15 privilege 15 password cisco

privilege exec level 2 ping
privilege exec level 2 clear counters

privilege exec level 15 telnet
privilege exec level 15 show config
privilege exec level 15 show logging

Yes, I'm using CACS, sorry for not specifying.


So if I put "clear" in as the command and then put: "permit counters FastEthernet 0" will that allow all fa0/1 - x interfaces or do I have to put them in individually? I'm really looking for a way to allow it on all fa and gi interfaces if possible but w/o putting each interface into acs.



michael.leblanc Mon, 07/21/2008 - 12:56

If you are willing to permit the clearing of counters for "all" interface types (do a "clear counters ?", to see the list), use:


permit counters



If you only want to permit all FastEthernet and GigabitEthernet interfaces, use:


permit counters FastEthernet

permit counters GigabitEthernet



The inclusion of "FastEthernet 0" in my previously posted example was for a specific interface, where "FastEthernet 0" was a complete interface name (on a different platform), and was not intended to specify FastEthernet 0/1 - x.



Edit: If you want to control specific interfaces, make sure to use the appropriate white-space in your command set argument definitions.


E.g.: permit counters FastEthernet 0 1


The "FastEthernet", "0", and "1", are all separate arguments.
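The following is an added example, not code from the thread or from Cisco ACS: a small model of the command-set argument rules described in the posts above (case-sensitive, whitespace-separated argument tokens, a "permit <args>" line matching a request that begins with those tokens, the "Deny" radio button denying unlisted commands), useful for sanity-checking an argument definition before pushing it to ACS. The matching semantics are an assumption drawn from the thread, not a copy of how ACS itself implements them.

```python
# Added example (not from the thread or from ACS): models the command-set rules
# described in the posts. Assumptions: arguments are whitespace-split tokens, a
# "permit <tokens>" line matches when the request starts with those tokens, and
# matching is case-sensitive (note (1) in the first post).

def parse_arg_lines(lines):
    """Turn ACS argument lines such as 'permit counters FastEthernet' into
    (action, token-list) pairs."""
    rules = []
    for line in lines:
        action, *pattern = line.split()
        if action not in ("permit", "deny"):
            raise ValueError("argument line must start with permit or deny: %r" % line)
        rules.append((action, pattern))
    return rules

def authorize(command_set, cmd, cmd_args):
    """Return True if a request (command word plus the argument tokens the router
    sends, e.g. "clear" + ["counters", "FastEthernet", "0", "1"]) is permitted.

    command_set layout (constructed for this example):
      {"permit_unmatched_commands": False,        # the "Deny" radio button
       "commands": {"clear": {"permit_unmatched_args": False, "args": [...]}}}
    """
    entry = command_set["commands"].get(cmd)
    if entry is None:                              # command not in the list
        return command_set["permit_unmatched_commands"]
    for action, pattern in parse_arg_lines(entry["args"]):
        if cmd_args[:len(pattern)] == pattern:     # case-sensitive prefix match
            return action == "permit"
    return entry["permit_unmatched_args"]          # no line matched

# Constructed command set mirroring the thread: "Deny" selected, four commands,
# "clear" limited to counters on FastEthernet and GigabitEthernet interfaces.
THREAD_COMMAND_SET = {
    "permit_unmatched_commands": False,
    "commands": {
        "clear": {"permit_unmatched_args": False,
                  "args": ["permit counters FastEthernet",
                           "permit counters GigabitEthernet"]},
        "disable": {"permit_unmatched_args": True, "args": []},
        "enable": {"permit_unmatched_args": True, "args": []},
        "show": {"permit_unmatched_args": True, "args": []},
    },
}

if __name__ == "__main__":
    print(authorize(THREAD_COMMAND_SET, "clear", ["counters", "FastEthernet", "0", "1"]))
    print(authorize(THREAD_COMMAND_SET, "clear", ["counters", "fastethernet", "0", "1"]))
```

With this set, "clear counters" on its own is denied because neither line matches it; add a bare "permit counters" line if, as in the earlier post, all interface types should be clearable.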

