TACACS Authorization - show arp


I am not a network administrator, but I do manage a number of devices which have the ability to manipulate traffic. There are times when these devices fail over, and need to update the arp cache and cam tables on our Cisco gear. Because of this touch point, I need the ability to verify the accuracy of these tables.

Our Cisco team uses TACACS to manage access to our networking equipment. I have asked for the ability to simply execute the "show arp" and "show cam" commands on a handful of devices, but have been informed that this isn't possible because "show arp" is a privileged EXEC command.

Unfortunately I am not in a position to be able to confirm or deny this, since I am not familiar with Cisco device management or TACACS. I was hoping someone in this forum could:

a) confirm that it is possible to authorize individual commands without authorizing any others

b) give me some specifics on what one needs to do within TACACS to facilitate this.

All I need is to run these two commands - I need nothing else. I suspect our TACACS management team simply doesn't know how to or doesn't want to set up this authorization. Your help in pushing back would be appreciated.

Thanks.

Correct Answer by cisco24x7, Tue, 07/29/2008 - 18:11 (about 8 years 8 months ago)

"All I need is to run these two commands - I need nothing else. I suspect our TACACS management team simply doesn't know how to or doesn't want to set up this authorization. Your help in pushing back would be appreciated."


It is a very simple setup. All they have to do is set up authorization like this:

    user = test {
        member = limited
        login = des xxxxxxx
        name = "Scott Prigge"
    }

    group = limited {
        default service = deny
        cmd = show {
            permit "arp .*"
            permit "cam .*"
            deny .*
        }
    }

With this, your tacacs account can only perform "show arp *" and "show cam *" commands and nothing else.


Easy right?

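To show how a rule set like the one in the answer above is evaluated, here is an added Python model of per-command authorization. It is not the TACACS+ daemon's own code: the evaluation order (group default, then first matching permit/deny in the cmd block, deny if nothing matches) and the unanchored regex search are assumptions about a tac_plus-style server that should be confirmed against the daemon's documentation. The model does reflect that IOS sends each word of the command line as a separate cmd-arg and closes the line with a final "<cr>" argument, so a bare "show arp" reaches the server as the argument string "arp <cr>". The `anchored` flag exists only to show why an unanchored "arp .*" also matches "show ip arp".

```python
import re

# Constructed model of the "limited" group from the answer: deny every
# service by default; for the command "show", try the regexes in order.
LIMITED_GROUP = {
    "default service": "deny",
    "cmd": {
        "show": [
            ("permit", "arp .*"),
            ("permit", "cam .*"),
            ("deny", ".*"),
        ],
    },
}


def authorize(group, cmd, args, anchored=False):
    """Return True if `cmd` with argument string `args` is permitted.

    Assumed evaluation model (not the daemon's own code):
      1. No rule block for `cmd` -> fall back to the group default (deny).
      2. Otherwise the first permit/deny whose regex matches decides.
      3. Nothing matches -> deny.
    anchored=True prefixes each pattern with "^", i.e. the stricter way
    an administrator could write the rule ("^arp .*").
    """
    rules = group["cmd"].get(cmd)
    if rules is None:
        return group["default service"] == "permit"
    for action, pattern in rules:
        if anchored:
            pattern = "^" + pattern
        if re.search(pattern, args):
            return action == "permit"
    return False


def ios_args(tokens):
    """Join arguments the way IOS presents them to the TACACS+ server:
    one cmd-arg per word, terminated by a literal "<cr>" argument."""
    return " ".join(list(tokens) + ["<cr>"])


def check(line, anchored=False):
    """Authorize a full command line such as 'show arp 10.0.0.1'
    against LIMITED_GROUP."""
    cmd, *rest = line.split()
    return authorize(LIMITED_GROUP, cmd, ios_args(rest), anchored)


if __name__ == "__main__":
    for line in ["show arp", "show cam dynamic", "show running-config",
                 "configure terminal", "show ip arp"]:
        print(f"{line:20s} unanchored={check(line)!s:5s} "
              f"anchored={check(line, anchored=True)}")
```

The first four lines behave as the answer describes: only "show arp ..." and "show cam ..." are permitted, "show running-config" is caught by the trailing `deny .*`, and "configure terminal" never reaches a cmd block and falls to the group default. The last line is the caveat worth checking on a real server: with an unanchored search, "arp .*" also matches the argument string "ip arp <cr>", so "show ip arp" is permitted too, while the anchored form rejects it. Harmless here, but it is the kind of gap to review whenever a permit regex is meant to be exact.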

cisco24x7 Wed, 10/08/2008 - 06:47

You're welcome. Maybe you can recommend me for future consulting work with your company :-)
