https://community.cisco.com/t5/network-access-control/command-authorization-by-ise/m-p/3577204#M519733 <HTML><HEAD></HEAD><BODY><P>Each of the CLI commands has its own privilege level and its command authorization is sent based on this privilege level rather than that of the user who attempting to run it. By default or in most implementations of Cisco IOS, commands are assigned to Level 0, 1, and 15. If not sure which ones are in use, you may specify them (0 ~ 15) all.</P><P></P><P>Network devices might allow changing the privilege levels of commands. For example, <A href="https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfpass.html#wp1001038">Setting the Privilege Level for a Command in Cisco IOS</A></P></BODY></HTML> Sat, 18 Nov 2017 16:28:01 GMT hslai 2017-11-18T16:28:01Z https://community.cisco.com/t5/network-access-control/command-authorization-by-ise/m-p/3577202#M519727 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I deploy an ISE for tacacs server and command authorization is used to control which command sets are allowed to execute for different privilege level.</P><P>Users in "FMC-admin" AD group will assigned to privilege 15 by shell profiles and permit to execute all commands by command sets result. Once one command is executed by admin users, a tacacs log was poped up and show which command is entered.</P><P><SPAN style="font-size: 13.3333px;">Users in "HR" AD group will assigned to privilege 6 by shell profiles and only allow to execute "show access-list" by command sets result. But HR user could execute any privilege level 6 commands and I can't see any logs like what happened for admin user when I enter commands .</SPAN></P><P><SPAN style="font-size: 13.3333px;"><BR /></SPAN></P><P><SPAN style="font-size: 13.3333px;">It is a little confused me that does command sets authorization is only available for privilege 15?</SPAN></P><P></P><P>AAA configuration:</P><P>aaa authentication login default group ise local</P><P>aaa authentication enable default group ise</P><P>aaa authorization config-commands</P><P>aaa authorization exec default group ise</P><P>aaa authorization commands 5 default group ise</P><P>aaa authorization commands 6 default group ise</P><P>aaa authorization commands 15 default group ise</P><P></P><P><IMG __jive_id="113436" alt="AAA.png" class="image-1 jive-image" src="https://community.cisco.com/legacyfs/online/fusion/113436_AAA.png" style="font-size: 13.3333px;" /></P></BODY></HTML> Fri, 17 Nov 2017 09:21:22 GMT https://community.cisco.com/t5/network-access-control/command-authorization-by-ise/m-p/3577202#M519727 xili5 2017-11-17T09:21:22Z https://community.cisco.com/t5/network-access-control/command-authorization-by-ise/m-p/3577203#M519730 <HTML><HEAD></HEAD><BODY><P>If the command authorization request comes into ISE and matched the correct command sets, then ISE should send Access-Reject or fail the request. If that is not the case, we need to check why ISE not authorizing it correctly.</P><P>Otherwise, this might be how your target NAD platform implementing its T+ enforcement or a bug on that platform.</P></BODY></HTML> Fri, 17 Nov 2017 17:23:50 GMT https://community.cisco.com/t5/network-access-control/command-authorization-by-ise/m-p/3577203#M519730 hslai 2017-11-17T17:23:50Z https://community.cisco.com/t5/network-access-control/command-authorization-by-ise/m-p/3577204#M519733 <HTML><HEAD></HEAD><BODY><P>Each of the CLI commands has its own privilege level and its command authorization is sent based on this privilege level rather than that of the user who attempting to run it. By default or in most implementations of Cisco IOS, commands are assigned to Level 0, 1, and 15. If not sure which ones are in use, you may specify them (0 ~ 15) all.</P><P></P><P>Network devices might allow changing the privilege levels of commands. For example, <A href="https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfpass.html#wp1001038">Setting the Privilege Level for a Command in Cisco IOS</A></P></BODY></HTML> Sat, 18 Nov 2017 16:28:01 GMT https://community.cisco.com/t5/network-access-control/command-authorization-by-ise/m-p/3577204#M519733 hslai 2017-11-18T16:28:01Z