topic Re: TACACS command exception for device in ISE profile in Network Access Control

TACACS command exception for device in ISE profile

rakesh nair — Wed, 11 Jan 2023 20:11:23 GMT

We are usinf Cisco ISE as TACACS server and i need to allow some commands to work on our read only profile .

Can you please let me know how can i give exception for command show cable-diagnostics tdr int Gi1/0/14 through ISE.

End user having read only access and cannot go to enable mode but need to check the outputs of this command.

Can anyone suggest

balaji.bandi — Wed, 11 Jan 2023 20:38:46 GMT

May be you need to elevate user to a higher priv level and restricts the commands and allow any additional command required for the user :

below example guide provide some steps and concept for your to try using test user.

Karsten Iwen — Wed, 11 Jan 2023 20:47:46 GMT

By default this is a Level15 command and I am not sure if we can change that. The following approach would work:

Perhaps someone suggests a different way to achieve this.

rakesh nair — Thu, 12 Jan 2023 08:49:23 GMT

Can you tell me how to perform these steps in ISE and switch

rakesh nair — Thu, 12 Jan 2023 09:41:32 GMT

I think creating a new shell profile with privilege 15 may help, right

balaji.bandi — Thu, 12 Jan 2023 11:18:45 GMT

yes that what we suggested before....test with new user ..rather mess up with exiting users.

if that works you can replicate for other user if needed more users same requirement.

MHM Cisco World — Thu, 12 Jan 2023 11:22:10 GMT

please update us last status

rakesh nair — Thu, 12 Jan 2023 12:24:14 GMT

I have created another user and gave him priv 15 shell profile with conf terminal deny and it worked

balaji.bandi — Thu, 12 Jan 2023 14:02:29 GMT

Good stuf...thank you for the feedback and marked as solution...