03-25-2020 01:07 PM
I am hoping someone can help me with a new ISE 2.6 implementation. We have TACACS+ device management working very well but now we have been asked to give very limited switch CLI access to some helpdesk staff. Basically they should be able to do any 'show' commands and then only change VLANs on switch interfaces.
I created a new "User Identity Group" called Network-Helpdesk and added a new test user to this group.
I then created a new "TACACS Command Set" called "HelpDeskCommands" and a new "TACACS Profile" called "Helpdesk Shell Profile".
Finally, I modified our "Device Admin Policy Set" to include a new "Authorization Policy" using the newly created "HelpDeskCommands" and "Helpdesk Shell Profile".
I was able to get the new test user authenticated with limited access and only able to do 'show' commands. I even tested denying certain 'show' commands and this worked for my test user as well.
At this point, I tested that this user couldn't do any configuration as I was getting "Command authorization failed." when trying to enter 'conf t'.
So I added "configure terminal" to the command set and after doing so it lets the user in to configuration mode but doesn't seem to limit them in any way as to what they are able to configure. I also didn't see any authorization messages for the individual commands showing up in the ISE logs.
I'd like to allow these users to enter in to configuration mode but then only be able to configure gigabitethernet interfaces. Additionally, only certain commands within interface configuration mode. But again, once they do 'conf t' ISE seems to authorize them to do all commands. What am I missing?
03-25-2020 02:09 PM
Hi,
You have not configured your NAD to ask for authorization of config commands. Not sure what your NAD is, but for IOS and IOS-XE, the command would be "aaa authorization config-commands".
Regards,
Cristian Matei.
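The switch-side AAA configuration the answer refers to, written out as an added example (not part of the original thread or Cisco's documentation). It assumes an IOS/IOS-XE switch, an ISE node reachable at the constructed address 192.0.2.10, and a shared secret shown as a placeholder. The point of the block is the `aaa authorization config-commands` line: with `aaa authorization commands 15` alone the NAD only asks ISE about commands typed at the exec prompt, so once "configure terminal" is permitted everything typed inside configuration mode runs unchecked, which is exactly the behaviour described in the question.

```ios
! Constructed example: TACACS+ command authorization for a helpdesk role.
! Hostname, address and shared secret are placeholders, not from the thread.
aaa new-model
!
tacacs server ISE-01
 address ipv4 192.0.2.10
 key REPLACE-WITH-SHARED-SECRET
!
aaa group server tacacs+ ISE-TACACS
 server name ISE-01
!
! Login and exec authorization against ISE (the shell profile sets the
! privilege level); fall back to local only if no ISE server answers.
aaa authentication login default group ISE-TACACS local
aaa authorization exec default group ISE-TACACS local if-authenticated
!
! Per-command authorization for exec-mode commands at both privilege levels.
aaa authorization commands 1 default group ISE-TACACS local if-authenticated
aaa authorization commands 15 default group ISE-TACACS local if-authenticated
!
! Without this line, commands entered after "configure terminal" are never
! sent to ISE for authorization, so the command set cannot restrict them.
aaa authorization config-commands
!
! Command accounting so every accepted and rejected command reaches the ISE
! TACACS+ live log.
aaa accounting commands 1 default start-stop group ISE-TACACS
aaa accounting commands 15 default start-stop group ISE-TACACS
!
line vty 0 15
 login authentication default
 authorization exec default
 authorization commands 1 default
 authorization commands 15 default
 accounting commands 1 default
 accounting commands 15 default
```

To confirm the change took effect, check `show running-config | include aaa authorization` on the switch for the `config-commands` line, then log in as the helpdesk test user, enter `configure terminal` and type a command the ISE command set does not permit (for example `interface vlan 1`): it should now return "Command authorization failed." and a corresponding denied entry should appear in the ISE TACACS+ authorization log, whereas `interface gigabitethernet` lines permitted by the command set go through.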
03-26-2020 02:32 PM
Thank you Cristian! That was it. I was so focused on all the changes within ISE, I was forgetting to check the existing config on the switches. Adding 'aaa authorization config-commands' immediately fixed my problem and I have been able to create a very limited command set. It is also logging all config changes as expected. Thanks again Cristian.