Saturday, April 23, 2016

Tacacs ACS 5 authentication and cmd-set reports

One of the coolest features in the Cisco ACS reports is that you can determine which cmd-set allowed or denied a certain command.

By running the report AAA Protocol > Authorization, you can use the output to see which command-set(s) allowed the cmd.

Take, for example, myself activating the fex locator-id:


Now if I deny that command in my cmd-set "DCENGLVL3_cmd", watch the new output:


And the authorization report:



Keep in mind that with policies that allow multiple command-sets, you need to be aware of what is being allowed and denied in each command-set. In rule id #3 we have allowed 3 command-sets, with "DCENGLVL3" being an "ANY-ALL commands" set. So this command deny for locator-led fex was only enabled in the DCENGLVL3 command-set, since it trumped all of the lower-numbered cmd-sets.
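To make the multiple-command-set point concrete, here is an added example (not code from this post or from Cisco) that models an ACS 5 authorization rule mapped to several command sets and reports, for a given command, which set produced the verdict. The set names, entries and the probe commands are constructed to mirror the rule #3 described above, not copied from any real configuration. The per-set matching (entry match first, then the "permit any command not in the table" option) follows the ACS 5 command-set UI; the order in which per-set results are merged (Deny Always over Permit over Deny, and "no match" treated as silent) is an assumption for this model and should be checked against your ACS version before you rely on it.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Hypothetical model of one row in an ACS 5 command-set table.
@dataclass
class Entry:
    action: str          # "Permit", "Deny" or "Deny Always"
    command: str         # command keyword, e.g. "locator-led"
    args: str = ""       # regex applied to the argument string; "" matches anything

@dataclass
class CommandSet:
    name: str
    entries: List[Entry] = field(default_factory=list)
    # the "Permit any command that is not in the table below" checkbox
    permit_unmatched: bool = False

def evaluate_set(cs: CommandSet, command: str, args: str) -> Optional[str]:
    """Verdict of a single command set, or None when the set says nothing about the command."""
    for e in cs.entries:
        if e.command == command and re.fullmatch(e.args or ".*", args):
            return e.action
    return "Permit" if cs.permit_unmatched else None

def evaluate_rule(sets: List[CommandSet], command: str, args: str) -> Tuple[str, Dict[str, Optional[str]]]:
    """Combine per-set verdicts for one rule.
    Assumed merge order: Deny Always > Permit > Deny; silent sets are ignored."""
    per_set = {cs.name: evaluate_set(cs, command, args) for cs in sets}
    verdicts = set(per_set.values())
    if "Deny Always" in verdicts:
        overall = "Deny"
    elif "Permit" in verdicts:
        overall = "Permit"
    else:
        overall = "Deny"
    return overall, per_set

def deciding_sets(sets: List[CommandSet], command: str, args: str) -> List[str]:
    """Names of the command sets whose verdict produced the overall result
    (what you would expect the Authorization report to attribute the decision to)."""
    overall, per_set = evaluate_rule(sets, command, args)
    if overall == "Permit":
        return [n for n, v in per_set.items() if v == "Permit"]
    return [n for n, v in per_set.items() if v in ("Deny", "Deny Always")]

def conflicts(sets: List[CommandSet], probes: List[Tuple[str, str]]) -> List[str]:
    """Probe commands on which one set permits while another set denies:
    exactly the overlaps you need to review when a rule carries several command sets."""
    out = []
    for command, args in probes:
        _, per_set = evaluate_rule(sets, command, args)
        v = set(per_set.values()) - {None}
        if "Permit" in v and ("Deny" in v or "Deny Always" in v):
            out.append(f"{command} {args}".strip())
    return out

# Constructed stand-in for rule #3: three sets, the last one an "ANY-ALL commands" set
# that carries an explicit deny for locator-led fex (names and entries are made up).
RULE3_SETS = [
    CommandSet("DCENG_SHOW", [Entry("Permit", "show")]),
    CommandSet("DCENG_OPS", [Entry("Permit", "reload"),
                             Entry("Permit", "copy", r"running-config startup-config")]),
    CommandSet("DCENGLVL3_cmd", [Entry("Deny", "locator-led", r"fex .*"),
                                 Entry("Deny", "reload")], permit_unmatched=True),
]

if __name__ == "__main__":
    for cmd, args in [("locator-led", "fex 101"), ("show", "interface ethernet 1/1"), ("reload", "")]:
        overall, per_set = evaluate_rule(RULE3_SETS, cmd, args)
        print(f"{cmd} {args}".strip(), "->", overall, "decided by", deciding_sets(RULE3_SETS, cmd, args), per_set)
    print("conflicting sets for:", conflicts(RULE3_SETS, [("reload", ""), ("locator-led", "fex 101")]))
```

In this model the locator-led fex deny is attributed only to DCENGLVL3_cmd, because the other two sets never mention the command and so stay silent, which is the situation the post describes. The "reload" probe shows the other side of the same caution: when one set permits and another denies, the result depends on the merge order, so an audit of which sets overlap on which commands is worth running before you trust a rule with several command sets attached.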

Ken
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^
=(  @  @ )=
         o 
        /  \
