topic Re: Catalyst 9800 GUI TACACS+ Command Set in Wireless

Catalyst 9800 GUI TACACS+ Command Set

rezaalikhani — Sat, 03 Feb 2024 15:43:58 GMT

Hi everybody;

Based on practical studies, Catalyst 9800 WLCs support command authorization for GUI access. Unfortunately, I am currently unable to set up the application of a defined Command Set in ISE for a user in GUI mode. Here is my configuration:

ISE side:

WLC side:

With the above configuration, when a user in the 'Helpdesks' group logs into the WLC GUI, he has the ability to perform actions equivalent to those of a user with admin privileges.

Is there any essential configuration that I may be overlooking?

Thanks

Re: Catalyst 9800 GUI TACACS+ Command Set

Ruben Cocheno — Sat, 03 Feb 2024 16:40:35 GMT

@rezaalikhani

Try to change Privilege to 1

Re: Catalyst 9800 GUI TACACS+ Command Set

Aref Alsouqi — Sat, 03 Feb 2024 18:16:54 GMT

I don't think that will be supported as you configured privilege 15 in TACACS profile. Privilege 15 provides full access in this case, the guide mention that any user between privilege level 1 - 14 can only view the "Monitor" tab in the WLC, and any with privilege level 15 will be granted full admin access.

"Users with privilege level 15 and a command set that allows specific commands only are not supported. The user can still be able to execute configuration changes through the WebUI"
Configure RADIUS and TACACS+ for GUI and CLI Authentication on 9800 Wireless LAN Controllers - Cisco