AAA command authorization on Priv 7

Hi,

I've set up ClearPass as AAA with our Cisco devices. I have a group of users that authenticate with privilege level 7. I need to add privilege level 15 commands to these users (reload and clear ip *). How do I accomplish this?

Thank you

14 Replies

https://notes.networklessons.com/security-privilege-levels-and-command-output

Check this; you need to move the command from level 15 to level 7.

MHM

Hey MHM, I also tried adding the show running-config. The link does say that it executes perfectly, but it won't show it because of the current privilege level security. Is there a way to get around that? Thanks

@josephbdelossantos 

Just use the command:

username "user" privilege 15  password  "password"


Sorry, I wasn't clear. I have a TACACS server that authenticates users and puts them on the correct privilege level. I just need to allow certain higher-privilege commands to be run by these users aside from the usual priv 7 commands that are available. Basically, allowing them all commands on priv 7 + reload and clear ip (but not show run, show start or config mode).

@josephbdelossantos 

This configuration is done on the TACACS side. In ISE, for example, you can do something like "Work Centers > Device Administration > Policy Results > TACACS Command Sets".

You need to find how to do this in ClearPass.

@josephbdelossantos On ClearPass, create a TACACS Enforcement Profile allowing the commands you want those users to run. In the "Service", match against an AD group those specific users are a member of and apply the previously created Enforcement Profile.

I already have them configured on the TACACS side. I just want to know if I need some AAA command authorization to be configured in the switches.

[screenshot attached]


Did you check the link I shared?

R1(config)#privilege exec level 7 XXXXXXXXXXXXX

MHM

That works, but that doesn't accept any arguments: "reload in X", clear ip bgp *, etc.

Move the commands reload and clear,
then make ClearPass permit only clear ip bgp and reload in X.

MHM

That's the problem: moving reload doesn't allow you to specify any arguments in the switch, even with permitting said arguments in ClearPass...

The solution needs both ClearPass and the switch:

1. Switch: move only "reload" and "clear".

2. Switch: configure command authorization via ClearPass.

3. ClearPass: authorize only part of clear, like clear ip bgp *.

You did step 3 but are missing steps 1 and 2.

MHM

@josephbdelossantos Configure AAA authorization on the switch. This instructs the switch to send a request to the TACACS+ server when a command is executed, and permit/deny as per your configuration.

Refer to the relevant section for the IOS-XE switch configuration in the guide below: https://community.cisco.com/t5/security-knowledge-base/cisco-ise-device-administration-prescriptive-deployment-guide/ta-p/3738365

Obviously ignore the ISE information, but the switch commands will be the same when using ClearPass as the TACACS server.
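The switch-side part of the three-step recipe above (move the commands to level 7, then turn on per-command authorization against ClearPass) as one IOS-XE configuration. This is an added example, not configuration posted by anyone in the thread; the server address, the shared key and the server-group name are placeholders, and the ClearPass policy that actually permits "reload in X" or "clear ip bgp *" still has to exist on the TACACS side as the earlier replies describe.

```cisco
! Added example, not from the original thread. Placeholders: 10.0.0.10 and CPPM-KEY.
aaa new-model

! TACACS+ server and group (ClearPass is the server)
tacacs server CLEARPASS
 address ipv4 10.0.0.10
 key CPPM-KEY
aaa group server tacacs+ CPPM
 server name CLEARPASS

! Login and exec authorization, so ClearPass can place the user at level 7
aaa authentication login default group CPPM local
aaa authorization exec default group CPPM local

! Command authorization: every command a level-7 (or level-15) user types is
! sent to ClearPass, which returns permit/deny per its enforcement profile.
! if-authenticated keeps an authenticated session usable if the server is unreachable.
aaa authorization commands 7 default group CPPM if-authenticated
aaa authorization commands 15 default group CPPM if-authenticated
aaa authorization config-commands
aaa accounting commands 7 default start-stop group CPPM
aaa accounting commands 15 default start-stop group CPPM

! Step 1 from the thread: make the commands reachable from level 7 at all.
! The "all" keyword moves the command together with its sub-keywords and
! arguments (reload in X, clear ip bgp *), which plain "privilege exec level 7
! reload" does not; which argument forms are actually allowed is then decided
! by the ClearPass authorization reply, not by the switch.
privilege exec all level 7 reload
privilege exec all level 7 clear ip bgp
```

Note what this does not do: it does not move show running-config or configure terminal to level 7, so those remain unreachable for the level-7 group regardless of what ClearPass permits. Conversely, moving a command to level 7 without the `aaa authorization commands 7` line would let every level-7 user run it with any arguments, since nothing would be asking ClearPass first. Check the result from a level-7 session with a permitted and a denied variant (for example `reload in 5` versus `reload`) and confirm in ClearPass Access Tracker that both authorization requests arrived.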


Rob, do I still need to list all the priv 15 commands I want priv 7 users to be able to execute, regardless of what I permit in ClearPass? I think ClearPass only checks which commands to allow to execute, but the actual command still needs to be executable at that privilege level, meaning I still need to configure privilege exec level 7 reload, privilege exec level 7 show run, etc. on the switches.