https://community.cisco.com/t5/network-access-control/cisco-ise-tacacs-policies-set/m-p/3353652#M555130 <P>Hi<BR /><BR />Can you share the policy you're pushing from your tacacs server?<BR /><BR /></P> <P>Just for your information. If you want to use privilege levels it has to be configured locally the device if you're pushing level 7 from tacacs.</P> <P>Using tacacs you can push level 15 and filter commands for users using command-sets</P> <P>&nbsp;</P> Fri, 23 Mar 2018 02:38:49 GMT Francesco Molino 2018-03-23T02:38:49Z https://community.cisco.com/t5/network-access-control/cisco-ise-tacacs-policies-set/m-p/3353644#M555126 <P>I have configure Cisco ISE for TACACS server. I configured command set to limit some show command and shell profile to maximum the privilege to 7 for HelpDesk Admin. The command set policy is working fine but shell profile seem not working. I logged into the switch and show privilege, I'm still in privilege 15.I'm not sure where I'm wrong. Please kindly see the switch configuration as below:</P> <P>tacacs-server timeout 1<BR />tacacs-server host 10.156.141.69<BR />tacacs-server key 0 P@ssw0rd</P> <P>aaa authentication login default group tacacs+ local none<BR />aaa authentication enable default group tacacs+ local none<BR />aaa authorization config-commands<BR />aaa authorization exec ISE group tacacs+ local none<BR />aaa authorization commands 0 default group tacacs+ local none<BR />aaa authorization commands 1 default group tacacs+ local none<BR />aaa authorization commands 7 default group tacacs+ local none<BR />aaa authorization commands 15 default group tacacs+ local none<BR />aaa accounting exec default start-stop group tacacs+<BR />aaa accounting commands 0 default start-stop group tacacs+<BR />aaa accounting commands 1 default start-stop group tacacs+<BR />aaa accounting commands 7 default start-stop group tacacs+<BR />aaa accounting commands 15 default start-stop group tacacs+</P> <P><BR />line vty 0 4<BR />authorization exec ISE<BR />transport preferred ssh<BR />transport input ssh</P> <P>line vty 5 15<BR />authorization exec ISE<BR />transport preferred ssh<BR />transport input ssh</P> Fri, 21 Feb 2020 18:51:32 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-tacacs-policies-set/m-p/3353644#M555126 PutmanoAIT 2020-02-21T18:51:32Z https://community.cisco.com/t5/network-access-control/cisco-ise-tacacs-policies-set/m-p/3353652#M555130 <P>Hi<BR /><BR />Can you share the policy you're pushing from your tacacs server?<BR /><BR /></P> <P>Just for your information. If you want to use privilege levels it has to be configured locally the device if you're pushing level 7 from tacacs.</P> <P>Using tacacs you can push level 15 and filter commands for users using command-sets</P> <P>&nbsp;</P> Fri, 23 Mar 2018 02:38:49 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-tacacs-policies-set/m-p/3353652#M555130 Francesco Molino 2018-03-23T02:38:49Z https://community.cisco.com/t5/network-access-control/cisco-ise-tacacs-policies-set/m-p/3353658#M555145 <P>Please kindly see the configuration as attach file.</P> <P>&nbsp;</P> <P>Thank for your kindly support.</P> Fri, 23 Mar 2018 02:47:26 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-tacacs-policies-set/m-p/3353658#M555145 PutmanoAIT 2018-03-23T02:47:26Z https://community.cisco.com/t5/network-access-control/cisco-ise-tacacs-policies-set/m-p/3354273#M555156 How do you connect on the switch?<BR /><BR />Your command authentication enable should be:<BR />aaa authentication enable default group tacacs+ enable<BR /><BR />On ISE, your user should have the password set on enable field.<BR />When you're logged in, you need to type enable 7 and type your password. If you try enable, by default it will be enable 15 and you shouldn't be able to log in Fri, 23 Mar 2018 23:47:15 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-tacacs-policies-set/m-p/3354273#M555156 Francesco Molino 2018-03-23T23:47:15Z