Shell Command Auth Question

simon.bell
Level 1

I'm trying to set up a Shell command auth set for clearing interface counters but I can't think of a way to do so. Is there a way to do something like:

"permit counters interface *"?

TIA

6 Replies

try this...

privilege exec level 2 clear counters

I'm not sure I understand what ya mean with this suggestion. We allow the user in to priv 15 but limit all commands typed. For example they might need to show the running config for an interface or something like that. Thus when they login they have priv 15 but don't have config term rights.

michael.leblanc
Level 4

I'm assuming you are using CSACS (not indicated) for defining your command sets.

e.g.:

"Deny" radio button selected (i.e.: only listed commands will be authorized).

Command List:

clear

disable

enable

show

"Clear" command argument(s) set as follows:

(a) Deselect the "Permit Unmatched Args" checkbox.

(b) Enter the following argument(s) into the list:

permit counters

... or, to be more specific:

permit counters Ethernet 0

permit counters FastEthernet 0

This should result in the ability to clear all counters, or the counters of specific interfaces (if you define them).

Notes:

(1) Command arguments are case sensitive and may differ from how they are entered at the CLI.

(2) A sniffer is helpful in determining proper case.

(3) Wireshark is capable of decrypting TACACS+ packets if you configure the application with the password.

Hi,

I had mentioned it for the command line.

Suppose you have local users with privilege level 2 and 15, then

username admin2 privilege 2 password cisco

username admin15 privilege 15 password cisco

privilege exec level 2 ping

privilege exec level 2 clear counters

privilege exec level 15 telnet

privilege exec level 15 show config

privilege exec level 15 show logging

Yes, I'm using CACS, sorry for not specifying.

So if I put "clear" in as the command and then put: "permit counters FastEthernet 0" will that allow all fa0/1 - x interfaces or do I have to put them in individually? I'm really looking for a way to allow it on all fa and gi interfaces if possible but w/o putting each interface into acs.

If you are willing to permit the clearing of counters for "all" interface types (do a "clear counters ?", to see the list), use:

permit counters

If you only want to permit all FastEthernet and GigabitEthernet interfaces, use:

permit counters FastEthernet

permit counters GigabitEthernet

The inclusion of "FastEthernet 0" in my previously posted example was for a specific interface, where "FastEthernet 0" was a complete interface name (on a different platform), and was not intended to specify FastEthernet 0/1 - x.

Edit: If you want to control specific interfaces, make sure to use the appropriate white-space in your command set argument definitions.

E.g.: permit counters FastEthernet 0 1

The "FastEthernet", "0", and "1", are all separate arguments.
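
Added example (not part of the thread and not ACS code): a Python model of the command-set evaluation described in the replies above, useful for checking a planned argument list against the commands you expect to allow or refuse. It assumes arguments are compared as case-sensitive, whitespace-separated tokens and that a permit entry matches when its tokens are a prefix of the command's arguments; the class names, the sample command set (including "Permit Unmatched Args" being enabled for show, enable and disable) and the request lines are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class CommandRule:
    entries: list = field(default_factory=list)  # argument lines as typed in the GUI
    permit_unmatched_args: bool = False          # the "Permit Unmatched Args" checkbox


@dataclass
class CommandSet:
    rules: dict                                  # command name -> CommandRule
    permit_unmatched_commands: bool = False      # False models the "Deny" radio button

    def authorize(self, line: str) -> bool:
        tokens = line.split()
        if not tokens:
            return False
        command, args = tokens[0], tokens[1:]
        rule = self.rules.get(command)
        if rule is None:                         # command not in the list
            return self.permit_unmatched_commands
        for entry in rule.entries:
            action, *want = entry.split()
            # Assumption: token-prefix match, case-sensitive, permit entries only.
            if action == "permit" and args[:len(want)] == want:
                return True
        return rule.permit_unmatched_args


# Constructed command set following the FastEthernet/GigabitEthernet variant above.
COUNTERS_ONLY = CommandSet(rules={
    "clear": CommandRule(entries=["permit counters FastEthernet",
                                  "permit counters GigabitEthernet"]),
    "show": CommandRule(permit_unmatched_args=True),
    "enable": CommandRule(permit_unmatched_args=True),
    "disable": CommandRule(permit_unmatched_args=True),
})

# Constructed request lines, written as separate argument tokens.
REQUESTS = ["clear counters FastEthernet 0 1", "clear counters fastethernet 0 1",
            "clear counters Vlan 10", "clear counters", "clear line 1",
            "configure terminal", "show running-config interface FastEthernet 0 1"]


def evaluate(command_set=COUNTERS_ONLY, requests=REQUESTS):
    return {line: command_set.authorize(line) for line in requests}


if __name__ == "__main__":
    for line, allowed in evaluate().items():
        print(f"{'PERMIT' if allowed else 'DENY':6} {line}")
```

Under this model the narrower entries also refuse a bare "clear counters", which is the form that clears every interface.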
