Help with TACACS+ Command Sets in ISE 2.6

Craig Hunt
Level 1

I am hoping someone can help me with a new ISE 2.6 implementation.  We have TACACS+ device management working very well but now we have been asked to give very limited switch CLI access to some helpdesk staff.  Basically they should be able to do any 'show' commands and then only change VLANs on switch interfaces.

I created a new "User Identity Group" called Network-Helpdesk and added a new test user to this group.

I then created a new "TACACS Command Set" called "HelpDeskCommands" and a new "TACACS Profile" called "Helpdesk Shell Profile". 

Finally, I modified our "Device Admin Policy Set" to include a new "Authorization Policy" using the newly created "HelpDeskCommands" and "Helpdesk Shell Profile".

I was able to get the new test user authenticated with limited access and only able to do 'show' commands. I even tested denying certain 'show' commands and this worked for my test user as well.

At this point, I tested that this user couldn't do any configuration as I was getting "Command authorization failed." when trying to enter 'conf t'.

So I added "configure terminal" to the command set and after doing so it lets the user in to configuration mode but doesn't seem to limit them in any way as to what they are able to configure.  I also didn't see any authorization messages for the individual commands showing up in the ISE logs.

I'd like to allow these users to enter in to configuration mode but then only be able to configure gigabitethernet interfaces.  Additionally, only certain commands within interface configuration mode.  But again, once they do 'conf t' ISE seems to authorize them to do all commands.  What am I missing?

Accepted Solution

Cristian Matei
VIP Alumni

Hi,

You have not configured your NAD to ask for authorization of config commands. Not sure what your NAD is, but for IOS and IOS-XE, the command would be "aaa authorization config-commands".

Regards,

Cristian Matei.

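To illustrate the fix in the accepted answer, here is an added example (constructed for this page, not the poster's or Cisco's configuration) of the IOS/IOS-XE AAA block a NAD needs so that ISE authorizes both exec-mode and configuration-mode commands; the server name, IP address and shared secret are placeholders.

```cisco
! Constructed example of the NAD side of TACACS+ command authorization.
! Server name, IP address and key are placeholders.
aaa new-model
!
tacacs server ISE-PSN-1
 address ipv4 192.0.2.10
 key REPLACE_WITH_SHARED_SECRET
!
aaa group server tacacs+ ISE-TACACS
 server name ISE-PSN-1
!
! Login and the shell profile (privilege level) are decided by ISE,
! with local fallback if no ISE node answers.
aaa authentication login default group ISE-TACACS local
aaa authorization exec default group ISE-TACACS local
!
! Every exec-mode command at privilege 1 and 15 is sent to ISE and
! matched against the command set before the switch runs it.
aaa authorization commands 1 default group ISE-TACACS local
aaa authorization commands 15 default group ISE-TACACS local
!
! The line the original poster was missing: without it, once
! "configure terminal" is permitted, nothing typed inside
! configuration mode is sent to ISE, so the command set cannot
! restrict it and no per-command authorization shows in the ISE logs.
! If the running-config shows "no aaa authorization config-commands",
! configuration-mode authorization has been switched off.
aaa authorization config-commands
!
! Command accounting gives the audit trail of what the helpdesk
! user actually changed.
aaa accounting commands 1 default start-stop group ISE-TACACS
aaa accounting commands 15 default start-stop group ISE-TACACS
```

On the ISE side, the matching command set for the poster's goal is one Permit entry per allowed command (show, configure terminal, interface with its argument restricted to GigabitEthernet, and the interface-mode VLAN commands) with "Permit any command that is not listed below" left unchecked, so that anything else in configuration mode is denied.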


Thank you Cristian!  That was it.  I was so focused on all the changes within ISE, I was forgetting to check the existing config on the switches.  Adding 'aaa authorization config-commands' immediately fixed my problem and I have been able to create a very limited command set.  It is also logging all config changes as expected.  Thanks again Cristian.
