topic Re: TACACS - specific commands only in Network Access Control

TACACS - specific commands only

wannabCCIE — Fri, 26 Aug 2022 14:51:22 GMT

I would like to create a TACACS profile in ISE to allow only certain configuration commands / sub-commands. I have most of this working - but need some assistance. Thank you for your time.

What i'm trying to do is create a profile that allows a 'helpdesk' user to configure only EIGRP commands on the router. I have one to allow them to show eigrp also.

Grant Command Arguments

PERMIT enable 7

PERMIT config*

PERMIT exit

PERMIT router eigrp

PERMIT show ip eigrp*

I am able to verify I can only issue show ip eigrp and config t / router eigrp commands. I can't do things like 'show clock' 'show ip ospf' 'router ospf 1' etc. ONLY the above commands I can execute - that is working. The issue i'm having is when I am in the eigrp process. Say i issue "config t" then "router eigpr 10" - I can't cofigure any commands within the EIGRP process. They are not listed in my command set - so this makes sense. What i'd like to know is if there is an easy way to allow these EIGRP sub commands or do i really have to go in the process - type a ? to see the avaiable commands and then add the top level commands to the command set? I'd like to think there is a much easier way to do this than that.

thanks again for your help.

Re: TACACS - specific commands only

balaji.bandi — Fri, 26 Aug 2022 15:46:53 GMT

If you like to configure eigrp process that is the only way you can do as per i know, there is no short cut if you using RBAC.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ISE_admin_guide_24/m_ise_tacacs_device_admin.html

Any character in the command in the command set may be "?", which matches any individual character that must exist in the requested command
Any character in the command in the command set may be "*", which matches zero or more characters in the requested command

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200208-Configure-ISE-2-0-IOS-TACACS-Authentic.html#anc12

Re: TACACS - specific commands only

wannabCCIE — Fri, 26 Aug 2022 16:14:16 GMT

Thanks for the help. I've just configured all the EIGRP sub commands and this works. Was just hoping there was a nice/easy way to include sub-commands. I also found another post about interface sub-commands. Basically asking the same thing - just for interface configuration. Same solution. Just have to add each sub-command to the command set.

Thanks again.