topic Re: ISE CLI Read-Only user in Network Access Control

ISE CLI Read-Only user

s.rashid — Sun, 23 Jan 2022 11:37:05 GMT

Hi,

We are integrating a solution for integrity check, which will SSH to the devices and run the "show running-config" or any command that displays the configuration. The ISE CLI user "read-only" does not have the privilege to run the "show running-config" command and we do not want to give the user full admin privilege. is it possible to give a CLI user privilege to run a specific command?

regards,

sohail

Re: ISE CLI Read-Only user

balaji.bandi — Sun, 23 Jan 2022 11:47:37 GMT

Look like with priv 1 or read-only users can not use the commands you looking to add.

instead you can uplift to priv 15 limit the user to certain commands and add show run config to it.

Example :

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200208-Configure-ISE-2-0-IOS-TACACS-Authentic.html

Re: ISE CLI Read-Only user

s.rashid — Sun, 23 Jan 2022 12:12:19 GMT

Hello Balaji,

It's not about device administration or TACACS. I am referring to ISE node itself. we need a user to access ISE via SSH and run "show running-config" only. The CLI user "user" does not have the privilege to run this command and we do not want to give this user "admin" privilege.

regards,

sohail

Re: ISE CLI Read-Only user

Marcelo Morais — Sun, 23 Jan 2022 13:47:25 GMT

Hi @s.rashid ,

at ISE CLI you are able to:

ise/admin# configure terminal
ise/admin# username <username> password plain <password> role user

This user will be able to:

ise/username> ?
Exec commands:
crypto Crypto operations
exit Exit from the EXEC
license License operations
nslookup DNS lookup for an IP address or hostname
password Update password
ping Ping a remote ip address
ping6 Ping a remote ipv6 address
show Show running system information
terminal Set terminal line parameters
traceroute Trace the route to a remote ip address

and

ise/username> show ?
cdp CDP show commands
clock Show clock information
cpu Display CPU information
crypto Display crypto information
disks Display disk and filesystem information
icmp_status Display icmp echo response configuration information
interface Display interface info
inventory Display hardware inventory information
logins List login history
memory Display memory information
ntp Show NTP servers
ports Display all processes listening on open ports
process Display system processes
terminal Display terminal configuration parameters
timezone Show timezone
udi Show udi information
uptime Display system uptime
version Show version info

In other words, no "show run".

Hope this helps !!!

Re: ISE CLI Read-Only user

s.rashid — Tue, 25 Jan 2022 10:00:33 GMT

Hi,

The RO user cannot perform a “show run” command and changing the privilege level / command authorization to any user is not possible at the moment. The only workaround is to use an admin user.

Regards,

sohail