Tacacs+ on Cisco ISE: Create a group of users allowed just to edit the access vlan

andreribeiro
Level 1

Hello,

I would like to create a rule to allow users access to a switch and run the following commands:

show run
show int status
conf ter
     interface giX/X/XX
          switchport access vlan XXX
wr

Just this.

I tried the following:

I created a group with privilege 10 and with command sets allowing these specific commands, but it doesn't work. After login I'm able to do 'sh int status' but not able to type 'sh run' and also not able to 'conf ter'.

Does anyone have any ideas on how I should solve this issue?

Thank you

Accepted Solution

paul
Level 10

Ditch the privilege level idea. That is an archaic control that goes away once you start doing command authorization. Enable command authorization for level 15 commands and enable config-command authorization:

aaa authorization commands 15 default group tacacs+ local
aaa authorization config-commands

Then in your command set profile allow:

show
configure terminal
interface gi*
switchport access vlan*
end

You might need to play with that a bit, but use the TACACS live logs to see what commands are being sent for approval and modify as needed.

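For reference, here is the complete switch-side configuration that the two `aaa authorization` lines in the accepted answer sit inside, with the matching ISE command set written out in the comments. This is an added illustration, not part of any post in this thread; the TACACS server name, server group name, IP address and shared secret are placeholders.

```cisco
! Added example: full IOS command-authorization setup that the accepted
! answer assumes. Names, address and key are placeholders, not from the thread.
aaa new-model
!
tacacs server ISE-PSN-1
 address ipv4 192.0.2.10
 key ISE_SHARED_SECRET_PLACEHOLDER
!
aaa group server tacacs+ ISE-TACACS
 server name ISE-PSN-1
!
! Authenticate and authorize the EXEC shell against ISE, falling back to
! local accounts only when no ISE node is reachable.
aaa authentication login default group ISE-TACACS local
aaa authorization exec default group ISE-TACACS local
!
! The two lines from the accepted answer: every level-15 command is sent to
! ISE for approval, and so is every command typed in configuration mode.
aaa authorization commands 15 default group ISE-TACACS local
aaa authorization config-commands
!
! Command accounting produces the per-command records that show up in the
! ISE TACACS live log, which is what Paul suggests using to tune the set.
aaa accounting commands 15 default start-stop group ISE-TACACS
!
! ISE side: the TACACS Command Set referenced by the authorization policy,
! one row per entry. Leave "Permit any command that is not listed" unchecked
! so everything not matched below is denied.
!
!   Grant    Command       Arguments
!   PERMIT   show
!   PERMIT   configure     terminal
!   PERMIT   interface     gi*
!   PERMIT   switchport    access vlan*
!   PERMIT   end
!
! Note: the "wr" step in the question is also a level-15 command. The switch
! expands it before asking ISE, so it arrives as "write memory" and needs
! its own PERMIT row (Command "write", Arguments "memory") to be allowed.
```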

3 Replies


Hello,

It works!
Thanks a lot!

Best Regards

kthiruve
Cisco Employee

Thanks Paul.

-Krishnan