> I don't receive Command Authorization commands (confirmed with logs / pcap) for commands prefaced with 'no', but do for other configuration level commands.

Sorry I'm late to the party - Have you opened a TAC case? Extreme will try to disagree, but *that is no small security vulnerability*. Have you (and this shouldn't work) tried authorization on the other levels (4 and 5) to see if they help? Your only other option is to try brocade-privlvl = 4, which doesn't give many configuration rights:

    #conf t
    (config)#?
      cls                     Clear screen
      end                     End Configuration level and go to Privileged level
      exit                    Exit current level
      global-port-security    Global-level Port Security configuration
      interface               Port commands
      mac-authentication      Configure MAC authentication
      no                      Undo/disable commands
      quit                    Exit to User level
      show                    Display system information
      <cr>

Or maybe try RADIUS, as you have hinted to and which I have never had a need to do. If it were Cisco, you could define a new privilege level - not sure about Brocade.

On Fri, Mar 15, 2019 at 2:00 PM Patrick Ohearn via foundry-nsp <foundry-nsp@puck.nether.net> wrote:

> Hi List,
>
> Has anyone got AAA command authorization working correctly on modern
> NetIron code, on the MLX/CERs?
>
> With a working TACACS+ server, with the below aaa configuration, I don't
> receive Command Authorization commands (confirmed with logs / pcap) for
> commands prefaced with 'no', but do for other configuration level commands.
>
> This presents a problem when I can block commands like 'router mpls', but
> other commands such as 'no router mpls' still work.
>
> Testing is done with a logged in user with priv level 0 (super user).
> Testing has been done with a few variants of 5.8, 6.0 and 6.2 code, all with
> the same results.
>
> Has anyone else run into this issue? Or has working command authorization
> with a different (eg; RADIUS) setup?
>
> AAA config:
> tacacs-server host 192.0.2.200
> tacacs-server key tacacskeyhere
> aaa authentication enable default tacacs+
> aaa authentication login default tacacs+
> aaa authentication login privilege-mode
> aaa authorization commands 0 default tacacs+
> aaa authorization exec default tacacs+
> aaa accounting commands 0 default start-stop tacacs+
> aaa accounting exec default start-stop tacacs+
> aaa accounting system default start-stop tacacs+
>
> --
> Email: p...@ge3k.net
> _______________________________________________
> foundry-nsp mailing list
> foundry-nsp@puck.nether.net
> http://puck.nether.net/mailman/listinfo/foundry-nsp

--
E-Mail to and from me, in connection with the transaction of public business, is subject to the Wyoming Public Records Act and may be disclosed to third parties.
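As an added check that is not part of the thread: since the device still sends accounting records for the 'no ...' commands it never asked authorization for, the gap can be spotted on the TACACS+ server by reconciling accounting records against authorization requests. The log format, device address and user name below are constructed and only loosely modelled on tac_plus-style logs.

```python
import re
from collections import Counter

# Constructed sample records (format is an assumption, not from the thread).
AUTHZ_LOG = """\
Mar 15 14:00:01 192.0.2.10 netadmin tty1 192.0.2.50 authorization permit service=shell cmd=router mpls
Mar 15 14:00:05 192.0.2.10 netadmin tty1 192.0.2.50 authorization permit service=shell cmd=interface ethernet 1/1
"""
ACCT_LOG = """\
Mar 15 14:00:01 192.0.2.10 netadmin tty1 192.0.2.50 stop task_id=1 service=shell cmd=router mpls
Mar 15 14:00:03 192.0.2.10 netadmin tty1 192.0.2.50 stop task_id=2 service=shell cmd=no router mpls
Mar 15 14:00:05 192.0.2.10 netadmin tty1 192.0.2.50 stop task_id=3 service=shell cmd=interface ethernet 1/1
Mar 15 14:00:07 192.0.2.10 netadmin tty1 192.0.2.50 stop task_id=4 service=shell cmd=no interface ethernet 1/1
"""

LINE_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ (?P<nas>\S+) (?P<user>\S+) \S+ \S+ "
    r"(?P<kind>authorization \w+|start|stop) .*?cmd=(?P<cmd>.+)$"
)

def parse(log):
    """Yield (nas, user, record_kind, command) for each parseable line."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["nas"], m["user"], m["kind"], m["cmd"].strip()

def find_unauthorized_commands(authz_log, acct_log):
    """Commands seen in accounting 'stop' records with no matching
    authorization request. Each accounting record consumes one
    authorization record, so a command run twice must be authorized twice."""
    authorized = Counter((nas, user, cmd) for nas, user, kind, cmd in parse(authz_log)
                         if kind.startswith("authorization"))
    executed = Counter((nas, user, cmd) for nas, user, kind, cmd in parse(acct_log)
                       if kind == "stop")
    # Counter subtraction keeps only positive counts: executed more than authorized.
    return sorted((executed - authorized).elements())

if __name__ == "__main__":
    for nas, user, cmd in find_unauthorized_commands(AUTHZ_LOG, ACCT_LOG):
        print(f"{nas} {user}: executed without authorization request: {cmd!r}")
```

Run against the constructed logs it reports exactly the two 'no ...' commands, which is the symptom the original post describes.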