Cisco Support Community

ACS Command Sets on IOS-XR

Hi Guys,


I've been using ACS since the Windows NT days :)

But I've bumped into an issue I can't find a solution for.

The major part of my network is IOS-XR devices (ASR9Ks), and everything is AAAed.

The flexibility of IOS-XR backfires on me when I try to limit my users. For example:

I want to:

  1. Allow entering interface
  2. Allow adding "ipv4 address x.x.x.x"

So I've added:

  1. permit interface
  2. permit ipv4

I've checked the logs and I can see that some users add an IPv6 address this way: "interface xxxxxx ipv6 address a:a:a:"

While IOS-XR allows this, I want to block it.

So again, I've changed 1 to --> permit interface [a-zA-Z0-9]+$

But then the users said that they can't add new l2transport interfaces :( "interface xxxx l2transport".

It's just an example, but I find my users override my policy pretty easily this way.

Is anyone familiar with ways to do correct authorization on IOS-XR?
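
A small harness for checking candidate command-set rows against the one-line command forms described in this thread before deploying them; it is an added example, not part of the original post and not ACS code. The first-match, whole-argument regex model, the `REFINED` rows and all sample commands are assumptions constructed for illustration.

```python
import re

# Assumed model, not ACS's documented engine: rows are checked in order; a row
# applies when its command equals the first word of the line and its regex
# matches the WHOLE remaining argument string. No matching row means deny.
def authorize(command_set, line):
    cmd, _, args = line.strip().partition(" ")
    for action, rule_cmd, arg_regex in command_set:
        if rule_cmd == cmd and re.fullmatch(arg_regex, args):
            return action
    return "deny"

# The two rule sets from the post; a row with no argument filter is modelled as ".*".
LOOSE = [("permit", "interface", r".*"), ("permit", "ipv4", r".*")]
STRICT = [("permit", "interface", r"[a-zA-Z0-9]+$"), ("permit", "ipv4", r".*")]

# Hypothetical refinement: the interface name may be followed only by the
# l2transport keyword, and ipv4 is limited to the "address" form.
REFINED = [
    ("permit", "interface", r"[A-Za-z0-9/._-]+( l2transport)?"),
    ("permit", "ipv4", r"address \S+( \S+)?"),
]

# Constructed sample commands and the outcome the policy owner wants.
WANTED = {
    "interface xxxx": "permit",
    "ipv4 address 192.0.2.1 255.255.255.0": "permit",
    "interface xxxx l2transport": "permit",
    "interface TenGigE0/0/0/1.100 l2transport": "permit",
    "interface xxxx ipv6 address 2001:db8::1/64": "deny",
    "ipv6 address 2001:db8::1/64": "deny",
}

def mismatches(command_set):
    """Return the sample lines whose decision differs from WANTED."""
    return sorted(l for l, want in WANTED.items() if authorize(command_set, l) != want)

if __name__ == "__main__":
    for name, cs in (("LOOSE", LOOSE), ("STRICT", STRICT), ("REFINED", REFINED)):
        print(name, "mismatches:", mismatches(cs) or "none")
```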
