command authorization by ISE

Hi,

I deployed an ISE as a TACACS+ server, and command authorization is used to control which command sets are allowed to execute for different privilege levels.

Users in the "FMC-admin" AD group are assigned privilege 15 by the shell profile and are permitted to execute all commands by the command set result. Once a command is executed by an admin user, a TACACS+ log pops up and shows which command was entered.

Users in the "HR" AD group are assigned privilege 6 by the shell profile and are only allowed to execute "show access-list" by the command set result. But the HR user can execute any privilege level 6 command, and I can't see any logs like the ones that appear for the admin user when I enter commands.

It confuses me a little: is command set authorization only available for privilege 15?

AAA configuration:

aaa authentication login default group ise local
aaa authentication enable default group ise
aaa authorization config-commands
aaa authorization exec default group ise
! command authorization is configured for privilege levels 5, 6 and 15 only
aaa authorization commands 5 default group ise
aaa authorization commands 6 default group ise
aaa authorization commands 15 default group ise

(attachment: AAA.png)

Accepted Solution
Cisco Employee

Re: command authorization by ISE

Each CLI command has its own privilege level, and the command authorization request is sent based on that privilege level rather than that of the user attempting to run it. By default, or in most implementations of Cisco IOS, commands are assigned to levels 0, 1, and 15. If you are not sure which ones are in use, you may specify all of them (0 ~ 15).

Network devices might allow changing the privilege levels of commands. For example, see Setting the Privilege Level for a Command in Cisco IOS.

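The rule in the accepted answer can be checked with a small model of the NAD behaviour. The following is an added example, not code from the thread or from Cisco: it parses the poster's `aaa authorization commands <level>` lines, looks up the privilege level of the command being typed (the IOS defaults for a constructed handful of commands, with the poster's "show access-list" taken as the level-1 `show access-lists`), and reports whether the command is executed locally without any request to ISE, sent to ISE and passed or failed by the command set, or blocked by the parser because it sits above the user's privilege. The command table, the ISE command-set and shell-profile representation, and the "fixed" config with all levels 0-15 are assumptions made for the example.

```python
"""Added example (not from the original thread): a model of which CLI
commands a Cisco IOS NAD sends to ISE for TACACS+ command authorization.

It implements the rule from the accepted answer: a command-authorization
request is sent only if an "aaa authorization commands <level> ..." line
exists for the privilege level of the COMMAND, not the user's level.
The command table, the ISE command sets and the "fixed" config are
constructed for this example.
"""
import re

# IOS default privilege level of a few commands (constructed subset).
# 0: enable/disable/exit/help/logout; 1: most show commands; 15: config
# mode and privileged commands such as "show running-config".
DEFAULT_COMMAND_LEVELS = {
    "enable": 0,
    "exit": 0,
    "show access-lists": 1,        # what the poster's "show access-list" expands to
    "show running-config": 15,
    "configure terminal": 15,
    "ip access-list extended TEST": 15,
}

# The poster's AAA config, verbatim.
POSTER_CONFIG = """\
aaa authentication login default group ise local
aaa authentication enable default group ise
aaa authorization config-commands
aaa authorization exec default group ise
aaa authorization commands 5 default group ise
aaa authorization commands 6 default group ise
aaa authorization commands 15 default group ise
"""

# Constructed corrected config: command authorization for every level 0-15,
# as the accepted answer suggests when unsure which levels are in use.
FIXED_CONFIG = POSTER_CONFIG + "".join(
    f"aaa authorization commands {lvl} default group ise\n"
    for lvl in range(16)
    if lvl not in (5, 6, 15)
)

# ISE side, as described in the question: shell-profile privilege and the
# command-set result per AD group ("*" = permit any command). Assumed model.
SHELL_PROFILE_PRIV = {"FMC-admin": 15, "HR": 6}
COMMAND_SETS = {"FMC-admin": {"*"}, "HR": {"show access-lists"}}

_CMD_AUTHZ_RE = re.compile(r"^aaa authorization commands (\d+) default group (\S+)")


def authorized_levels(config):
    """Privilege levels for which the NAD will ask the AAA server about commands."""
    levels = set()
    for line in config.splitlines():
        m = _CMD_AUTHZ_RE.match(line.strip())
        if m:
            levels.add(int(m.group(1)))
    return levels


def ise_command_set_decision(group, command):
    """ISE command-set evaluation: PASS if the command is permitted for the group."""
    permitted = COMMAND_SETS[group]
    return "PASS" if "*" in permitted or command in permitted else "FAIL"


def evaluate(config, group, command):
    """Outcome of a user in `group` typing `command` on a NAD running `config`."""
    user_priv = SHELL_PROFILE_PRIV[group]
    cmd_level = DEFAULT_COMMAND_LEVELS[command]
    if cmd_level > user_priv:
        # The parser never offers the command, so no AAA request is made.
        return "blocked locally (command above user privilege)"
    if cmd_level not in authorized_levels(config):
        # The poster's gap: level-0/1 commands are never sent to ISE.
        return "executed locally, no request to ISE"
    return f"sent to ISE, {ise_command_set_decision(group, command)}"


def report(config):
    """Map (group, command) -> outcome for every modelled command."""
    return {
        (group, cmd): evaluate(config, group, cmd)
        for group in SHELL_PROFILE_PRIV
        for cmd in DEFAULT_COMMAND_LEVELS
    }


if __name__ == "__main__":
    for name, cfg in (("poster config", POSTER_CONFIG), ("fixed config", FIXED_CONFIG)):
        print(f"--- {name}: command authorization levels {sorted(authorized_levels(cfg))}")
        for (group, cmd), outcome in report(cfg).items():
            print(f"{group:10} {cmd:30} -> {outcome}")
```

With the poster's config the HR user's `show access-lists` (level 1) is executed locally and ISE never sees it, which matches the missing log in the question; with `aaa authorization commands 1 default group ise` added (and level 0 for `enable`/`exit`) the request reaches ISE and the command set decides. On a real device, `show privilege` shows the session's level and `debug aaa authorization` shows whether a request is generated at all for a given command.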

2 REPLIES
Cisco Employee

Re: command authorization by ISE

If the command authorization request comes into ISE and matches the correct command set, then ISE should send an Access-Reject or fail the request. If that is not the case, we need to check why ISE is not authorizing it correctly.

Otherwise, this might be how your target NAD platform implements its T+ enforcement, or a bug on that platform.
