04-19-2023 09:06 AM
Hi Guys,
Let's say I want to create a user with privilege 15, but I don't want him to be able to execute a particular command, "debug ip packet".
How can I do that without having TACACS Server?
Thanks in advance.
04-20-2023 02:33 AM
Configure ISE 2.0 TACACS+ Authentication Command Authorization - Cisco
In ISE TACACS you can deny/permit any command.
04-19-2023 09:52 AM
Without TACACS server I don't think you can do command authorization locally.
04-19-2023 09:56 AM
OK, if I had a TACACS server, should I configure it ONLY on the TACACS server?
Or is there anything else besides the commands below that I would have to configure on the switch/router?
aaa group server tacacs+ TACACS-SERVER
 server-private 10.84.45.37 key 7 XXXXXXXXXXXXXXX
 server-private 10.84.45.18 key 7 XXXXXXXXXXXXXXX
ip tacacs source-interface Vlan177
!
aaa authentication login default group TACACS-SERVER local
aaa authentication enable default group TACACS-SERVER enable
aaa authorization exec default group TACACS-SERVER if-authenticated
aaa authorization commands 15 default group TACACS-SERVER if-authenticated
!
aaa session-id common
04-19-2023 10:08 AM
First define the TACACS server and check reachability using the command "test aaa group TACACS-SERVER <username> <password> new-code". Check if the request is reaching the TACACS server. Once confirmed, define the remaining AAA commands.
The configuration looks fine but certain network devices may require some additional attributes to be pushed from TACACS server.
If this doesn't work, open a case with TAC for further troubleshooting.
04-20-2023 02:22 AM - edited 04-20-2023 02:24 AM
1) Thanks for the response.
Just to confirm - when you say "define remaining AAA Commands" you mean to do it on the actual TACACS Server?
Or do you mean define some other AAA Commands on the router itself?
My main concern is HOW to prohibit one particular command for a particular user even if he has privilege 15.
So if I want the TACACS user Bob to have the "debug ip packet" command prohibited, should I do some configuration on the actual TACACS server?
2) "The configuration looks fine but certain network devices may require some additional attributes to be pushed from TACACS server."
What are those certain network devices?
04-20-2023 10:02 AM
To permit or deny commands on ISE, as @MHM Cisco World mentioned, you have to define them under the TACACS command set in Policy Elements.
"The configuration looks fine but certain network devices may require some additional attributes to be pushed from TACACS server." - here I was referring to the NXOS platform. It needs certain additional attributes to be pushed in the shell profile from ISE.
04-20-2023 08:25 PM
@karenmelkonyanstu - you asked how this could be done without TACACS+. There is a feature called Role Based CLI - it's a very old feature, but I reckon it's still in IOS today. I have never used it myself. The idea is that you create "views" for a user after they have logged in, and you can be very granular about what that user can see and do.
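As an added illustration of the Role Based CLI approach mentioned above (example configuration, not posted by anyone in the thread): a parser view that lets a locally authenticated user run show, clear and debug commands but carves "debug ip packet" out of the debug wildcard. The view name, the username and the placeholder secrets are made up; views are allow-lists, so anything not included here is simply not available to the user, and the exact "commands ... exclude" behaviour should be confirmed against the IOS release in use.

```text
! Added example, not from the original thread. Local AAA is assumed so
! that the view bound to the username is applied at login.
aaa new-model
aaa authentication login default local
aaa authorization exec default local
!
! The root view is entered with "enable view" and protected by the enable secret.
enable secret <ROOT-VIEW-SECRET-PLACEHOLDER>
!
parser view NO-DEBUG-PKT
 secret <VIEW-SECRET-PLACEHOLDER>
 commands exec include all show
 commands exec include all clear
 commands exec include all ping
 commands exec include all traceroute
 commands exec include all debug           ! wildcard: every debug command ...
 commands exec exclude debug ip packet     ! ... except this one
 commands exec include all undebug
 commands exec include all no debug
!
! Bind the local user to the view instead of giving him privilege 15.
username bob view NO-DEBUG-PKT secret <BOB-PASSWORD-PLACEHOLDER>
```

After logging in as bob, "show parser view" confirms which view is active; "debug ip packet" is not part of the view, while the other debug commands remain usable.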
04-21-2023 03:46 AM
Hi Arne,
Thanks - good to know.