topic Re: Cisco ISE TACACS Query in Network Access Control

Cisco ISE TACACS Query

sondevi — Wed, 13 Mar 2019 16:38:24 GMT

Hi Team,

I have query regarding ISE TACACS device admin configuration:

1. what is the difference between "Default Priv" and "Max priv" levels in shell profile.

2. for a CU deployment, just to make the easy deployment, can we restrict only on basis of command sets for different users access group and configure the single shell profile with static 15/15 value for "Default Priv" and "Max priv" levels.

I am more in favour of security/restriction over ease ability if defining the different shell profiles can make difference.

Re: Cisco ISE TACACS Query

paul — Wed, 13 Mar 2019 17:27:54 GMT

Yes just sent both to 15 and do command authorization to grant the users what access they need. I believe the default priv. level is the initial priv level the user is put in. If the user chooses to elevate (with the enable command as an example) the max priv value is checked to see if that is allowed. I don't use the concept of priv level any more and everyone gets 15 from the start.

Re: Cisco ISE TACACS Query

sondevi — Thu, 14 Mar 2019 06:47:07 GMT

Thanks Paul for quick reply. same thought.