https://community.cisco.com/t5/network-access-control/ise-2-4-command-set-not-working/m-p/3941026#M456474 <P>Thanks.</P><P>&nbsp;</P><P>I meant to ask why the initial config for denying 'enable' after login doesn't work.</P> Tue, 15 Oct 2019 15:39:00 GMT Firepowered 2019-10-15T15:39:00Z https://community.cisco.com/t5/network-access-control/ise-2-4-command-set-not-working/m-p/3940855#M456463 <P>I want a simple command set, permit some commands (eg: show, dir, ping, traceroute ) but deny en or enable, intended that the user should never go to enable mode. My command set is as follows</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="deny.png" style="width: 257px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/46910i36595D186A0EBE98/image-size/large?v=v2&amp;px=999" role="button" title="deny.png" alt="deny.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P><U><STRONG>TACACS Profile</STRONG></U></P><P>&nbsp;</P><P><U><STRONG><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="tacacs profile.png" style="width: 634px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/46911iD84B06275568ABB7/image-size/large?v=v2&amp;px=999" role="button" title="tacacs profile.png" alt="tacacs profile.png" /></span></STRONG></U></P><P>PS: Doesn't matter what priv level I use here.</P><P>&nbsp;</P><P><U><STRONG>Configuration on the ASA</STRONG></U></P><P>&nbsp;</P><P><U>aaa-server TACACS protocol tacacs+<BR />aaa-server TACACS (inside) host x.x.x.x<BR />aaa authentication ssh console TACACS LOCAL<BR />aaa authentication http console TACACS LOCAL<BR />aaa authentication serial console LOCAL<BR />aaa authorization command TACACS LOCAL<BR />aaa accounting ssh console TACACS<BR />aaa authorization exec authentication-server<BR />aaa authentication login-history</U></P><P>&nbsp;</P><P>&nbsp;</P><P>I read somewhere to enable 'aaa authorization config-commands' but I don't have that on my ASA (9.8)</P><P>&nbsp;</P><P>What am I&nbsp; doing wrong?</P> Tue, 15 Oct 2019 12:47:00 GMT https://community.cisco.com/t5/network-access-control/ise-2-4-command-set-not-working/m-p/3940855#M456463 Firepowered 2019-10-15T12:47:00Z https://community.cisco.com/t5/network-access-control/ise-2-4-command-set-not-working/m-p/3940878#M456464 <P>In my opinion the concept of enable mode is a legacy concept that I haven't used in years with any of my customers.&nbsp; If you have command authorization enabled via TACACS it doesn't matter what mode you are in, you are authorizing and accounting for everything that is typed in.&nbsp; I have my customers send all users to the # prompt and then we authorize from there.</P> Tue, 15 Oct 2019 13:15:22 GMT https://community.cisco.com/t5/network-access-control/ise-2-4-command-set-not-working/m-p/3940878#M456464 paul 2019-10-15T13:15:22Z https://community.cisco.com/t5/network-access-control/ise-2-4-command-set-not-working/m-p/3940896#M456467 <P>Thank you, this is good.</P><P>&nbsp;</P><P>I allowed priv users to enter exec mode on login and restricted commands, this works as expected. Do you know what the min / max priv level required for user to auto move to exec upon login? (1 didn't work, I moved to 5 and it worked, but that was random)</P><P>&nbsp;</P><P>Btw, I am curious, why does the existing command set not work?</P><P>&nbsp;</P> Tue, 15 Oct 2019 13:34:30 GMT https://community.cisco.com/t5/network-access-control/ise-2-4-command-set-not-working/m-p/3940896#M456467 Firepowered 2019-10-15T13:34:30Z https://community.cisco.com/t5/network-access-control/ise-2-4-command-set-not-working/m-p/3940983#M456470 Just send everyone to priv 15 (min and max) and do command authorization. On the ASA you need to add.<BR /><BR /><BR /><BR />aaa authorization exec authentication-server auto-enable<BR /><BR /><BR /><BR />You had the command but didn't have the auto-enable key word at the end.<BR /><BR /><BR /><BR />That will allow users directly into the # prompt. I am not sure why your command set didn't work. Would have to do further analysis on that.<BR /><BR /><BR /> Tue, 15 Oct 2019 14:54:01 GMT https://community.cisco.com/t5/network-access-control/ise-2-4-command-set-not-working/m-p/3940983#M456470 paul 2019-10-15T14:54:01Z https://community.cisco.com/t5/network-access-control/ise-2-4-command-set-not-working/m-p/3941026#M456474 <P>Thanks.</P><P>&nbsp;</P><P>I meant to ask why the initial config for denying 'enable' after login doesn't work.</P> Tue, 15 Oct 2019 15:39:00 GMT https://community.cisco.com/t5/network-access-control/ise-2-4-command-set-not-working/m-p/3941026#M456474 Firepowered 2019-10-15T15:39:00Z