Thursday, March 29, 2012

EEM and AAA Command Authorization

By default, if a device is configured for AAA command authorization, EEM will use it.  However, EEM does not send a username to the AAA server by default, so the server has no user to authorize each command against.  This results in "Command authorization failed" errors whenever your EEM policies execute CLI commands.  For EEM to play nicely with AAA command authorization, configure the following:

Router(config)#event manager session cli username USER

Where USER is a username that the AAA server authorizes to run every CLI command used in all of your EEM policies.  Since this one account effectively carries the union of the privileges every policy needs, treat it like any other high-privilege service account on the AAA server.

Even though it is possible to configure EEM to work with AAA command authorization, it may be desirable to allow your EEM policies to bypass authorization.  This is especially true when authorizing each command against the AAA server takes noticeable time: the round trips count against the policy's maxrun timer (20 seconds by default), and a policy that reaches it is terminated before it finishes.  If only one EEM policy that executes CLI commands will ever run at a time, the following AAA commands dedicate line vty 0 to EEM.  A second concurrent CLI session would land on another VTY line and go through the normal authorization lists.

aaa authentication login EEMScript none
aaa authentication login default group tacacs+ local
aaa authorization exec EEMScript none
!
aaa authorization commands 0 EEMScript none
aaa authorization commands 1 EEMScript none
aaa authorization commands 15 EEMScript none
!
line vty 0
 login authentication EEMScript
 authorization exec EEMScript
 authorization commands 0 EEMScript
 authorization commands 1 EEMScript
 authorization commands 15 EEMScript
 transport input none
 length 0
!

Because "transport input none" is configured on this line, it cannot be reached by telnet or SSH, so the "none" method lists above only ever apply to EEM's own CLI session.  EEM policies will be able to use this VTY to execute CLI commands without going through AAA command authorization.  Keep in mind that those commands are then also outside whatever per-command policy the AAA server enforces, so control over who may configure EEM policies on the device becomes the effective control over what gets run.

Beginning with EEM 3.1, AAA command authorization can be bypassed on a per-policy basis, which avoids dedicating a VTY line and the one-policy-at-a-time restriction.  The following examples register applet, Tcl, and IOS.sh policies that bypass AAA command authorization.

Applet:

event manager applet myapplet authorization bypass

Tcl:

event manager policy mypol.tcl authorization bypass type user

IOS.sh:

event manager policy mypol.sh authorization bypass type user 
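Whichever of the two approaches above you use, the dedicated vty 0 or the per-policy bypass, the check a practitioner will want afterwards is an inventory of every path by which EEM can run CLI commands without per-command authorization.  The Python script below is an added example for this post, not code from the original page or from Cisco.  It parses a constructed "show running-config" excerpt (the SAMPLE_CONFIG string, not taken from a real device) and reports applets and policies registered with "authorization bypass", VTY lines whose "authorization commands" lists resolve to the "none" method (with an extra note if the line is also reachable), and the opposite mistake of enabling command authorization without "event manager session cli username".  The function names are my own.

```python
"""Audit an IOS running-config for EEM CLI actions that escape AAA command
authorization.  Added example for this post, not Cisco's or the author's code."""
import re

# Constructed sample 'show running-config' excerpt (not from a real device).
# It mixes the patterns from the post: the session username, vty 0 dedicated
# to EEM with 'none' method lists, and per-policy 'authorization bypass'.
SAMPLE_CONFIG = """\
aaa authentication login EEMScript none
aaa authorization exec EEMScript none
aaa authorization commands 0 EEMScript none
aaa authorization commands 1 EEMScript none
aaa authorization commands 15 EEMScript none
aaa authorization commands 15 default group tacacs+ local
!
event manager session cli username eemuser
event manager applet audited
 event syslog pattern "LINK-3-UPDOWN"
 action 1.0 cli command "show ip interface brief"
event manager applet unaudited authorization bypass
 event timer watchdog time 300
 action 1.0 cli command "show processes cpu sorted"
event manager policy mypol.tcl authorization bypass type user
!
line vty 0
 login authentication EEMScript
 authorization exec EEMScript
 authorization commands 0 EEMScript
 authorization commands 1 EEMScript
 authorization commands 15 EEMScript
 transport input none
line vty 1 4
 transport input ssh
"""


def split_blocks(config):
    """Yield (top-level line, [indented child lines]); indented lines belong to
    the preceding top-level line, as in IOS 'show run' output."""
    header, children = None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            children.append(raw.strip())
            continue
        if header is not None:
            yield header, children
        header, children = raw.strip(), []
    if header is not None:
        yield header, children


def command_authz_lists(config):
    """Map method-list name -> {privilege level: [methods]} from
    'aaa authorization commands <level> <list> <methods...>' lines."""
    lists = {}
    for header, _ in split_blocks(config):
        m = re.match(r"aaa authorization commands (\d+) (\S+) (.+)", header)
        if m:
            lists.setdefault(m.group(2), {})[int(m.group(1))] = m.group(3).split()
    return lists


def audit_eem_authorization(config):
    """Return findings, in config order, for every path by which an EEM policy
    can run CLI commands without per-command AAA authorization, plus the
    opposite failure mode: command authorization enabled but no session user."""
    findings = []
    lists = command_authz_lists(config)
    real_authz = any(methods != ["none"]
                     for per_level in lists.values() for methods in per_level.values())
    session_user = any(h.startswith("event manager session cli username ")
                       for h, _ in split_blocks(config))
    if real_authz and not session_user:
        findings.append('no "event manager session cli username": EEM CLI actions '
                        "will fail command authorization")
    for header, children in split_blocks(config):
        m = re.match(r"event manager (applet|policy) (\S+)\b.*\bauthorization bypass\b", header)
        if m:
            findings.append(f"{m.group(1)} {m.group(2)} bypasses AAA command authorization")
        m = re.match(r"line vty (\d+)(?: (\d+))?$", header)
        if not m:
            continue
        vty = "vty " + m.group(1) + (f"-{m.group(2)}" if m.group(2) else "")
        # A 'none' list is only defensible if nothing external can reach the line.
        reachable = "transport input none" not in children
        for child in children:
            lm = re.match(r"authorization commands (\d+) (\S+)", child)
            if lm and lists.get(lm.group(2), {}).get(int(lm.group(1))) == ["none"]:
                note = " and the line is reachable (check transport input)" if reachable else ""
                findings.append(f'{vty} level {lm.group(1)} uses method "none" '
                                f"via list {lm.group(2)}{note}")
    return findings


if __name__ == "__main__":
    for finding in audit_eem_authorization(SAMPLE_CONFIG):
        print(finding)
```

To run it against a real device, replace SAMPLE_CONFIG with the saved output of "show running-config".  It only examines explicit per-line "authorization commands" statements; a VTY without one falls back to the default method list, which the script does not model.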

Ref: Cisco EEM Best Practices
