13029 Requested privilege level too high

JaVa808
Level 1

I'm running ISE 2.7 and testing a read-only account to scan a network device (2960 switch) to do vulnerability scans. 

Ext Id Source is Active Directory and following TACACS setup below: 


TACACS Command Set

  • Permit All w/Permit any command that is not listed below
  • Read Only with PERMIT SHOW defined. Box is unchecked “Permit any command that is not listed below”


TACACS Profile

  • Privilege 0 = default 0 and max is 0
  • Privilege 1 = default is 0 and max is 1
  • Privilege 7 = default is 0 and max is 7
  • Privilege 15 = default is 15 and max is 15

Device Admin Policy Set

Authentication

  • Default - AD (external Identity source)

Authorization

  • Device RW = Network-ReadWrite + Permit all  & Shell Privilege 15
  • Device RO = Network-ReadOnly + Read Only & Shell Privilege 0
  • Default – DENY ALL

And when I drill down to the detailed information in TACACS Log it stops with 13209 Requested privilege level too high. 

Not sure what the next steps are if I need to change Shell Privilege on Authorization? or is this directed at something else. 



3 Replies

Anurag Sharma
Cisco Employee

Hi @JaVa808 


Privilege means nothing when you have Command Authorization. Remove Privilege 0, and give Priv 15.

You can verify that the user will not be able to run anything except the show command (that you allowed).


I personally do not recommend various privileges when all control is delivered through Command Authorization. The 'show' command is actually really tricky such that 'show clock' is priv 1 but 'show run' is priv 15. So, it's not a good approach.


Try it out. If you have another use-case, we can discuss here.

Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.
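The point made in the reply above (the shell privilege level is what trips the "Requested privilege level too high" check, while the command set is what actually limits the scanner) can be modelled in a few lines. The following is an added example, not ISE or Cisco code: the command-set matching is a simplified first-match model, the local IOS privilege table is a hypothetical sample built from the reply's 'show clock' / 'show run' remark, and the command list is a constructed stand-in for what a scanner sends.

```python
"""Model of TACACS+ shell and command authorization as discussed in the thread.

Added example, not ISE or Cisco code. Everything here is a simplified, constructed
model: rule matching is first-match, the local IOS privilege table is a hypothetical
sample, and the command list stands in for what a scanner might send.
"""
import re
from dataclasses import dataclass


@dataclass
class Rule:
    """One command-set line: grant PERMIT or DENY for a verb plus an argument pattern."""
    grant: str
    command: str
    args: str = ".*"  # regex matched against the whole argument string


@dataclass
class CommandSet:
    name: str
    rules: list
    permit_unlisted: bool = False  # the "permit any command that is not listed below" box

    def evaluate(self, verb: str, arg_line: str) -> str:
        """Grant of the first rule matching (verb, arguments); otherwise the set's default."""
        for rule in self.rules:
            if rule.command.lower() == verb.lower() and re.fullmatch(rule.args, arg_line):
                return rule.grant
        return "PERMIT" if self.permit_unlisted else "DENY"


@dataclass
class ShellProfile:
    """TACACS profile: default privilege on login and the maximum the user may reach."""
    default_priv: int
    max_priv: int

    def authorize_priv(self, requested: int):
        """Exec authorization: a request above max_priv is refused (the error in the OP)."""
        if requested > self.max_priv:
            return None, "Requested privilege level too high"
        return requested, "PERMIT"


# Hypothetical local IOS minimum privilege levels, following the reply's examples
# ('show clock' is level 1, 'show run' is level 15); not a full IOS table.
LOCAL_MIN_PRIV = {
    "show version": 1,
    "show clock": 1,
    "show running-config": 15,
    "configure terminal": 15,
    "write memory": 15,
}


def run_scan_session(profile, cmdset, requested_priv, commands):
    """Simulate one scanner session: exec authorization, then each command.

    IOS only parses a command that exists at the user's privilege level, so the local
    check runs before the command set is consulted. Returns a dict with the granted
    privilege ('priv', None on failure) and a per-command verdict.
    """
    priv, reason = profile.authorize_priv(requested_priv)
    result = {"priv": priv, "exec_reason": reason, "commands": {}}
    if priv is None:
        return result  # the session never gets to run commands
    for line in commands:
        if priv < LOCAL_MIN_PRIV.get(line, 1):
            result["commands"][line] = "DENY (local privilege)"
            continue
        verb, _, args = line.partition(" ")
        result["commands"][line] = cmdset.evaluate(verb, args)
    return result


# Constructed objects mirroring the OP's ISE configuration.
READ_ONLY = CommandSet("Read Only", [Rule("PERMIT", "show")])
PERMIT_ALL = CommandSet("Permit All", [], permit_unlisted=True)
PRIV0 = ShellProfile(default_priv=0, max_priv=0)
PRIV15 = ShellProfile(default_priv=15, max_priv=15)
SCANNER_COMMANDS = list(LOCAL_MIN_PRIV)  # constructed sample of what a scanner sends


if __name__ == "__main__":
    # Device RO as posted: the privilege request fails before any command runs.
    print(run_scan_session(PRIV0, READ_ONLY, 15, SCANNER_COMMANDS))
    # Device RO with Priv 15 as advised: 'show ...' permitted, everything else denied.
    print(run_scan_session(PRIV15, READ_ONLY, 15, SCANNER_COMMANDS))
```

Running it shows the two outcomes side by side: with the posted Priv 0 profile the session stops at exec authorization with the same message the OP saw in the TACACS log, and with Priv 15 plus the Read Only command set the scanner gets 'show running-config' and 'show clock' but is refused 'configure terminal' and 'write memory'. A Priv 1 profile would never even send 'show running-config' to ISE, because IOS hides it below level 15, which is the fragility the reply warns about.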

Thanks Anurag for your reply. 

So in the policy - change it to Priv 15

then TACACS Command Set define the commands that the scanner needs to do a deep dive on?


Also I did stumble upon this read, https://www.ipbalance.com/security/why-tenable-nessus-requires-full-level-15-access-for-cisco-devices-dont-need-it/

I wonder if at this point I define all those or just give it Priv 15. Probably the second for less work.

@JaVa808 

It's (assigning priv 15 and restrictive command-set) not a "hack" (workaround). It's a legit method of doing things while maintaining access control.

In the article you linked, they mentioned the following:

If you have Cisco ACS (TACACS+) server, it would be easy to control permitted commands with the dedicated user account for the Nessus scanner.

If you don’t have Cisco ACS server, try the following way to achieve the goal.

The method was simply assigning custom privileges to certain commands like 'show run'. There are many reasons why this method should not be adopted in the presence of a TACACS server. But the best one was the one that made you open the case :)


Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.