topic 13029 Requested privilege level too high in Network Access Control

13029 Requested privilege level too high

JaVa808 — Thu, 11 Jun 2020 13:19:33 GMT

I'm running ISE 2.7 and testing a read-only account to scan a network device (2960 switch) to do vulnerability scans.

Ext Id Source is Active Directory and following TACACS setup below:

TACACS Command Set

Permit All w/Permit any command that is not listed below
Read Only with PERMIT SHOW defined. Box is unchecked “Permit any command that is not listed below”

TACACS Profile

Privilege 0 = default 0 and max is 0
Privilege 1 = default is 0 and max is 1
Privilege 7 = default is 0 and max is 7
Privilege 15 = default is 15 and max is 15

Device Admin Policy Set

Authentication

Default - AD (external Identity source)

Authorization

Device RW = Network-ReadWrite + Permit all & Shell Privilege 15
Device RO = Network-ReadOnly + Read Only & Shell Privilege 0
Default – DENY ALL

And when I drill down to the detailed information in TACACS Log it stops with 13209 Requested privilege level too high.

Not sure what the next steps are if I need to change Shell Privilege on Authorization? or is this directed at something else.

Re: 13029 Requested privilege level too high

Anurag Sharma — Thu, 11 Jun 2020 16:04:29 GMT

Hi @JaVa808

Privilege means nothing when you have Command Authorization. Remove Privilege 0, and give Priv 15.

You can verify that the user will not be able to run anything except the show command (that you allowed).

I personally do not recommend various privileges when all control is delivered through Command Authorization. The 'show' command is actually really tricky such that 'show clock' is priv 1 but 'show run' is priv 15. So, it's not a good approach.

Try it out. If you have another use-case, we can discuss here.

Re: 13029 Requested privilege level too high

JaVa808 — Mon, 15 Jun 2020 16:24:50 GMT

Thanks Anurag for your reply.

So in the policy - change it to Priv 15

then TACACS Command Set define the commands that the scanner needs to do a deep dive on?

Also I did stumble upon this read, https://www.ipbalance.com/security/why-tenable-nessus-requires-full-level-15-access-for-cisco-devices-dont-need-it/.

I wonder if at this point i define all those or just give it Priv 15. probably the second for less work.

Re: 13029 Requested privilege level too high

Anurag Sharma — Mon, 15 Jun 2020 17:27:47 GMT

@JaVa808

It's (assigning priv 15 and restrictive command-set) not a "hack" (workaround). It's a legit method of doing things while maintaining access control.

In the article you linked, they mentioned the following:

If you have Cisco ACS (TACACS+) server, it would be easy to control permitted commands with the dedicated user account for the Nessus scanner.

If you don’t have Cisco ACS server, try the following way to achieve the goal.

The method was simply assigning custom privileges to certain commands like 'show run'. There are many reasons why this method should not be adopted in the presence of a TACACS server. But the best one was the one that made you open the case 🙂