topic Re: Device Admin with RO and RW Command Sets in Network Access Control

Device Admin with RO and RW Command Sets

fatalXerror — Thu, 26 Aug 2021 15:22:18 GMT

Hi Guys,

I am creating a policy for device admin purposes. I would like to check if it is mandatory to create a shell profile and associate it to the policy or command sets alone will do? I just want to have a read-write, read-only, and custom command sets in my device admin policy.

Thanks

Re: Device Admin with RO and RW Command Sets

Greg Gibbs — Thu, 26 Aug 2021 22:53:36 GMT

This depends entirely on the device you're trying to manage, but most devices require a TACACS Profile of some sort to specify the basic privileges of the admin logging in.

See the Cisco ISE Device Administration Prescriptive Deployment Guide for more info and examples.

Re: Device Admin with RO and RW Command Sets

Arne Bier — Fri, 27 Aug 2021 00:31:22 GMT

@fatalXerror - command sets apply for Authorization (aaa authorization ....) whereas the shell profile sets the priv level. You can set a priv level to level 15, and then restrict commands. Likewise, set level to 7 and restrict commands. But you have to tell the IOS which level the EXEC is authorized to after authentication.

I always wondered what Read-Only means in the context of IOS. On the AireOS WLC there was a category called MONITOR - it means you can see everything but you can't add/edit/delete. So for IOS I assume you would say, allow level 15 and then deny the commands like "conf*" and "relo*"

Remember that commands use wildcards (* and ?) whereas arguments use regular expression syntax (e.g. ^[1234]. etc.)