Cisco Support Community
Community Member

TACACS Authorization - show arp

I am not a network administrator, but I do manage a number of devices which have the ability to manipulate traffic. There are times when these devices fail over, and need to update the arp cache and cam tables on our Cisco gear. Because of this touch point, I need the ability to verify the accuracy of these tables.

Our Cisco team uses TACACS to manage access to our networking equipment. I have asked for the ability to simply execute the "show arp" and "show cam" commands on a handful of devices, but have been informed that this isn't possible because "show arp" is a privileged EXEC command.

Unfortunately I am not in a position to be able to confirm or deny this, since I am not familiar with Cisco device management or TACACS. I was hoping someone in this forum could:

a) confirm that it is possible to authorize individual commands without authorizing any others

b) give me some specifics on what one needs to do within TACACS to facilitate.

All I need is to run these two commands - I need nothing else. I suspect our TACACS management team simply doesn't know how to or doesn't want to set up this authorization. Your help in pushing back would be appreciated.

Thanks.

1 ACCEPTED SOLUTION

Accepted Solutions
Silver

Re: TACACS Authorization - show arp

"All I need is to run these two commands - I need nothing else. I suspect our TACACS management team simply doesn't know how to or doesn't want to set up this authorization. Your help in pushing back would be appreciated."

It is a very simple setup. All they have to do is set up authorization like this:

    # account placed in the restricted group
    user = test {
        member = limited
        login = des xxxxxxx
        name = "Scott Prigge"
    }

    group = limited {
        default service = deny
        # the patterns below are matched against the arguments that follow "show"
        cmd = show {
            permit "arp .*"
            permit "cam .*"
            deny .*
        }
    }

With this, your tacacs account can only perform "show arp *" and "show cam *" commands and nothing else.

Easy, right?
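
Added example, not part of the original reply and not the TACACS+ daemon's own code: a small Python model of how the `cmd = show` rules in the `limited` group are evaluated, useful for checking what a rule set really allows before deploying it. It assumes first-match-wins ordering, a trailing `<cr>` argument, and unanchored egrep-style matching (approximated with `re.search`); the `ANCHORED` variant and the sample commands are constructed for illustration.

```python
import re

# Rules transcribed from the "limited" group in the answer above:
# command name -> ordered (action, regex) pairs; first match wins.
LIMITED = {"show": [("permit", r"arp .*"), ("permit", r"cam .*"), ("deny", r".*")]}

# Hypothetical tightened variant with the patterns anchored at the start.
ANCHORED = {"show": [("permit", r"^arp .*"), ("permit", r"^cam .*"), ("deny", r".*")]}


def authorize(rules, command_line):
    """Return 'permit' or 'deny' for one command line typed on the device."""
    cmd, *args = command_line.split()
    # Assumption: the device sends the arguments followed by a literal <cr>,
    # and the daemon joins them with single spaces before matching.
    arg_string = " ".join(args + ["<cr>"])
    for action, pattern in rules.get(cmd, []):
        # Assumption: unanchored search, as with egrep-style matching.
        if re.search(pattern, arg_string):
            return action
    # No cmd block for this command, or no rule matched: default is deny.
    return "deny"


def evaluate(rules, command_lines):
    """Map each command line to its verdict under the given rule set."""
    return {line: authorize(rules, line) for line in command_lines}


# Constructed sample commands, not taken from the thread.
SAMPLES = [
    "show arp",
    "show cam dynamic",
    "show running-config",
    "show ip arp inspection",
    "configure terminal",
]

if __name__ == "__main__":
    for name, rules in (("as posted", LIMITED), ("anchored", ANCHORED)):
        print(name)
        for line, verdict in evaluate(rules, SAMPLES).items():
            print(f"  {verdict:6}  {line}")
```

Under these assumptions the posted patterns also permit other `show` commands whose arguments contain `arp ` or `cam `, which the anchored variant denies.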

4 REPLIES
Community Member

Re: TACACS Authorization - show arp

I knew it had to be easy. I sent them your info, and I'll post back what they respond with.

Thanks for the response.

Community Member

Re: TACACS Authorization - show arp

Just wanted to post a thanks. Armed with your response, I now have access to the resources I needed.

Thanks again.

Silver

Re: TACACS Authorization - show arp

You're welcome. Maybe you can recommend me for future consulting work with your company :-)
