
Deny commands in cisco (config) mode

Open Alexandru1982 opened this issue 9 years ago • 1 comments

Hi, is it possible to deny commands after entering conf mode on cisco? Does do_auth.ini allow this? So far I can use "command_deny" only for "conf term" and not for commands available in config mode.

Ex: How do I deny, let's say, #conf t, #(config) interface.* ?

Alexandru1982 Apr 15 '16 10:04

Hey there, and sorry about the ridiculously long reply. If this is even still relevant to you:

  • Yes, by setting priv-lvl=15 this forces auto-enable/superuser on Cisco IOS* devices.
  • For command_deny patterns, you need them to be regular expressions that match the command "root" and any arguments e.g. "interface .*".

Do you want to actually disallow entering config mode? If so you could use a lower privilege level like 1.

See: https://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/13860-PRIV.html

jathanism Jun 15 '18 15:06
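
A simplified model of the "root plus arguments" matching described in the reply, added here as an example; it is not do_auth's own code. The policy lists, the sample attribute pairs, and the evaluation order (deny patterns first, then permit, both anchored at the start of the command) are assumptions. On the device side, Cisco IOS only sends config-mode commands for authorization when `aaa authorization config-commands` is configured.

```python
import re

# Constructed policy: each pattern covers the command root and its arguments.
COMMAND_DENY = [r"interface .*", r"router .*"]
COMMAND_PERMIT = [r".*"]


def build_command(av_pairs):
    """Join TACACS+ cmd / cmd-arg attribute values into one command string."""
    parts = []
    for pair in av_pairs:
        key, _, value = pair.partition("=")
        if key in ("cmd", "cmd-arg") and value:
            parts.append(value)
    return " ".join(parts)


def authorize(av_pairs, deny=COMMAND_DENY, permit=COMMAND_PERMIT):
    """Return True when the command is allowed.

    Assumed order: any deny match rejects, then any permit match accepts,
    and a command matching neither list is rejected.
    """
    command = build_command(av_pairs)
    # re.match anchors at the start, so "interface .*" only hits commands
    # whose root is "interface", not "show interfaces status".
    if any(re.match(p, command) for p in deny):
        return False
    return any(re.match(p, command) for p in permit)


# Constructed authorization requests, as attribute-value pairs.
SAMPLES = [
    ["service=shell", "cmd=configure", "cmd-arg=terminal"],
    ["service=shell", "cmd=interface", "cmd-arg=GigabitEthernet0/1"],
    ["service=shell", "cmd=show", "cmd-arg=interfaces", "cmd-arg=status"],
    ["service=shell", "cmd=router", "cmd-arg=ospf", "cmd-arg=1"],
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict = "permit" if authorize(sample) else "deny"
        print(f"{verdict:6} {build_command(sample)}")
```
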