https://community.cisco.com/t5/network-access-control/cisco-ise-2-3-command-set-amp-shell-profile-can-work-together/m-p/4539704#M572424 <P>Thanks for the clarification. It was not clear that you were trying to enable command authorization on a Cisco switch.</P> <P>It sounds like you may not have the switch configured correctly for command authorization. I would suggest reviewing your ISE and switch configurations against the examples in the <A href="https://community.cisco.com/t5/security-documents/cisco-ise-device-administration-prescriptive-deployment-guide/ta-p/3738365#toc-hId-759088769" target="_blank" rel="noopener">Device Admin Prescriptive Deployment Guide</A>.</P> <P>If it is still not working, the community would need more information to help including:</P> <UL> <LI>Hardware/Software version of the switch</LI> <LI>Switch configuration related to AAA, TACACS+, and VTY lines</LI> <LI>Screenshots of Device Admin AuthC/AuthZ policy conditions</LI> </UL> <P>If the issue is urgent, please open a TAC case to investigate the issue in more detail.</P> Wed, 26 Jan 2022 21:56:59 GMT Greg Gibbs 2022-01-26T21:56:59Z https://community.cisco.com/t5/network-access-control/cisco-ise-2-3-command-set-amp-shell-profile-can-work-together/m-p/4537107#M572378 <P>Hi friends, I created a new user going through the TUFFIN system in ISE with privilege of 3, in addition I limited the user to specific commands through the COMMAND SET.<BR />But it does not work, when I check in the logs&nbsp; I see that the request goes to SHELL PROFILE but does not go to MATCHED COMMAND SET.</P><P>command set &amp; shell profile can work together?<BR />In ISE 2.3.</P><P>Thank&nbsp;</P><P>Shlomo Yitzhak</P> Mon, 24 Jan 2022 17:54:11 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-2-3-command-set-amp-shell-profile-can-work-together/m-p/4537107#M572378 shlomoi 2022-01-24T17:54:11Z https://community.cisco.com/t5/network-access-control/cisco-ise-2-3-command-set-amp-shell-profile-can-work-together/m-p/4537514#M572383 <P>Yes, ISE TACACS+ Authorization Policies can use a combination of Shell Profile and Command Sets. You can see an example of this for Cisco IOS Switches/Routers in the <A href="https://community.cisco.com/t5/security-documents/cisco-ise-device-administration-prescriptive-deployment-guide/ta-p/3738365#toc-hId--1348517127" target="_blank" rel="noopener">Device Administration Prescriptive Deployment Guide</A>.</P> <P>The system or network device using ISE, however, must support TACACS+ Command Authorization. Doing a Google search, I could only find external <STRONG>Authentication</STRONG> for Tufin. You will need to confirm if Tufin supports external Authorization or if you need to configure local Authorization in Tufin based on the privilege level returned by the Shell Profile.</P> Mon, 24 Jan 2022 22:18:49 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-2-3-command-set-amp-shell-profile-can-work-together/m-p/4537514#M572383 Greg Gibbs 2022-01-24T22:18:49Z https://community.cisco.com/t5/network-access-control/cisco-ise-2-3-command-set-amp-shell-profile-can-work-together/m-p/4537862#M572390 <P>Hi Greg really thanks for the help.<BR />I have set up a local user for TUFFIN with 3 privileges, but I want to allow TUFFIN to access only 5 commands.<BR />show clock<BR />show version<BR />show access-lists<BR />show ip route<BR />show ip interface<BR />And block everything else.<BR />I have set in COMMAND SET the policy with the commands I want to enable but I see&nbsp; (image attached) that the request goes to SHELL PROFILE but does not go to COMMAND SET. There may be a bug in the version ?</P><P>&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ise_2.3.PNG" style="width: 766px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/142077iCDF085A3F21002F0/image-size/large?v=v2&amp;px=999" role="button" title="ise_2.3.PNG" alt="ise_2.3.PNG" /></span></P><P>&nbsp;</P><P>Thanks&nbsp;</P><P>&nbsp;</P> Tue, 25 Jan 2022 08:19:47 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-2-3-command-set-amp-shell-profile-can-work-together/m-p/4537862#M572390 shlomoi 2022-01-25T08:19:47Z https://community.cisco.com/t5/network-access-control/cisco-ise-2-3-command-set-amp-shell-profile-can-work-together/m-p/4538741#M572404 <P>As I said in my earlier post, the system or network device (i.e. TACACS+ client) using ISE must support TACACS+ Command Authorization.</P> <P>TACACS+ is essentially a suite of protocols and uses separate mechanisms for Authentication, Authorization, and Account. Just because a client supports external TACACS+ <STRONG>Authentication</STRONG>, does not mean it supports external TACACS+ <STRONG>Authorization</STRONG>.</P> <P>From the <A href="https://datatracker.ietf.org/doc/html/rfc8907" target="_blank" rel="noopener">RFC 8907</A> standard for TACACS+:</P> <P>"In command-based authorization, the <STRONG>client</STRONG> requests that the server determine whether a command is allowed by making an authorization request for each command. The "cmd" argument will have the command name as its value."</P> <P>As this communication is initiated by the <STRONG>client</STRONG> (Tufin, in this case), you need to verify that Tufin supports this external command authorization. You could also try to capture traffic from Tufin to confirm if you see the Authorization request being initiated.</P> Tue, 25 Jan 2022 22:17:09 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-2-3-command-set-amp-shell-profile-can-work-together/m-p/4538741#M572404 Greg Gibbs 2022-01-25T22:17:09Z https://community.cisco.com/t5/network-access-control/cisco-ise-2-3-command-set-amp-shell-profile-can-work-together/m-p/4539176#M572417 <P>Hi Greg Thanks for the help.</P><P>I do not know the ISE so well and probably did not explain myself so well . TUFFIN asked me to make a user for it so they could access my Cisco switches and see&nbsp; a number of RUN commands. I'm not interested in connecting the TUFFIN to ISE. All they asked for was a local user on the ISE with privilege&nbsp; 3, and this user was limited to only 5 commands. I set up a user on the ISE with privilege 3 and limited through the COMMAND SET the SHOW commands I want.</P><P>&nbsp;</P><P>All I need is a local user on the ISE with privilege 3&nbsp; so that TUFFIN can access my Cisco switches and see 5&nbsp; SHOW commands. Because privilege 3 allow more RUN commands that I do not want the TUFFIN to see so I try to restrict it via the COMMAND SET and it does not work.</P><P>&nbsp;</P><P>Thanks shlomo itzhak&nbsp;</P> Wed, 26 Jan 2022 10:50:25 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-2-3-command-set-amp-shell-profile-can-work-together/m-p/4539176#M572417 shlomoi 2022-01-26T10:50:25Z https://community.cisco.com/t5/network-access-control/cisco-ise-2-3-command-set-amp-shell-profile-can-work-together/m-p/4539704#M572424 <P>Thanks for the clarification. It was not clear that you were trying to enable command authorization on a Cisco switch.</P> <P>It sounds like you may not have the switch configured correctly for command authorization. I would suggest reviewing your ISE and switch configurations against the examples in the <A href="https://community.cisco.com/t5/security-documents/cisco-ise-device-administration-prescriptive-deployment-guide/ta-p/3738365#toc-hId-759088769" target="_blank" rel="noopener">Device Admin Prescriptive Deployment Guide</A>.</P> <P>If it is still not working, the community would need more information to help including:</P> <UL> <LI>Hardware/Software version of the switch</LI> <LI>Switch configuration related to AAA, TACACS+, and VTY lines</LI> <LI>Screenshots of Device Admin AuthC/AuthZ policy conditions</LI> </UL> <P>If the issue is urgent, please open a TAC case to investigate the issue in more detail.</P> Wed, 26 Jan 2022 21:56:59 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-2-3-command-set-amp-shell-profile-can-work-together/m-p/4539704#M572424 Greg Gibbs 2022-01-26T21:56:59Z