01-25-2024 10:50 PM
The group's default privilege and max privilege are 15,
and I set a command in the TACACS command set like this.
When I log in to the network device and enter [configure terminal], it worked as set up,
but when I enter ip route x.x.x.x x.x.x.x x.x.x.x or interface gi x/x/x, it still works.
How can I deny the command?
01-26-2024 02:19 AM - edited 01-26-2024 02:20 AM
If your plan is to allow config t and then allow only specific commands, you can either create the allowed commands list or the deny commands list. For instance, if you want to allow config t alongside the "enable" command, you can add the "enable" command below the config t command. If you want to deny the "ip route" command, you can add a deny rule with the "ip route" command. You can also rely on wildcards; for instance, you can add a deny rule with "ip*", which would deny any command that starts with "ip" followed by any character. Another way to deal with this would be to create the list of commands you don't want to allow, and then tick the check box "Permit any command that is not listed below".
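To make the two styles in this reply concrete (an allow list of specific commands versus a deny list plus "Permit any command that is not listed below"), here is an added example that is not from the thread or from Cisco ISE. It is a simplified model: each rule is a (grant, command pattern, argument regex) triple, the command pattern is matched with shell-style wildcards against the first word the device sends (so "ip*" covers "ip" and "ipv6"), and the regex is matched against the rest of the line. The rule lists and sample commands are constructed for illustration; the real ISE matching engine is not reproduced here.

```python
import fnmatch
import re

# Added example: a simplified TACACS+ command-set decision, not ISE's own engine.
# The NAD sends the first word as the command and the remaining words as the
# arguments, so "ip route 10.0.0.0 ..." arrives as cmd="ip", args="route 10.0.0.0 ...".

# Style 1 (constructed): list what is allowed, everything else is denied.
ALLOW_LIST_RULES = [
    ("PERMIT", "configure", r"terminal"),
    ("PERMIT", "enable", r".*"),
    ("PERMIT", "show", r".*"),
    ("DENY", "ip", r"route\b.*"),      # the "ip route" deny rule from the reply
    ("DENY", "interface", r".*"),
]

# Style 2 (constructed): list what is denied and tick
# "Permit any command that is not listed below" (permit_unlisted=True).
DENY_LIST_RULES = [
    ("DENY", "ip*", r".*"),            # wildcard from the reply: ip, ipv6, ...
    ("DENY", "interface", r".*"),
]


def split_command(line):
    """Split a CLI line the way the NAD reports it: (command, argument string)."""
    tokens = line.split()
    return (tokens[0], " ".join(tokens[1:])) if tokens else ("", "")


def evaluate(line, rules, permit_unlisted=False):
    """Return "PERMIT" or "DENY" for one CLI line under the given rule list."""
    cmd, args = split_command(line)
    grants = {
        grant
        for grant, cmd_pattern, arg_regex in rules
        if fnmatch.fnmatchcase(cmd, cmd_pattern) and re.fullmatch(arg_regex, args)
    }
    # A matching deny rule outranks a matching permit rule; a command that
    # matches nothing falls back to the "permit any command not listed" box.
    if "DENY" in grants:
        return "DENY"
    if "PERMIT" in grants:
        return "PERMIT"
    return "PERMIT" if permit_unlisted else "DENY"


def audit(lines, rules, permit_unlisted=False):
    """Evaluate a batch of CLI lines and return {line: verdict}."""
    return {line: evaluate(line, rules, permit_unlisted) for line in lines}


if __name__ == "__main__":
    # Constructed sample commands, including the two from the original question.
    sample = [
        "configure terminal",
        "ip route 10.0.0.0 255.255.255.0 10.1.1.1",
        "interface GigabitEthernet1/0/1",
        "show running-config",
        "hostname sw1",
        "ipv6 route ::/0 2001:db8::1",
    ]
    for style, rules, unlisted in (("allow-list", ALLOW_LIST_RULES, False),
                                   ("deny-list", DENY_LIST_RULES, True)):
        print(style)
        for cmd, verdict in audit(sample, rules, unlisted).items():
            print(f"  {verdict:6} {cmd}")
```

Whichever style is chosen on the ISE side, the decision only happens if the device actually sends configuration-mode commands for authorization; that is the NAD-side part of the thread (aaa authorization commands 15 plus aaa authorization config-commands), and no command set can compensate for it being absent.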
01-26-2024 10:38 AM
Be sure you also have command authorization configured on the NAD.
01-26-2024 10:44 AM
Can I see the config of the device you administer via ISE?
Thanks
MHM
01-27-2024 03:32 AM
aaa authorization commands 15 ...... <- this must be added in global mode
authorization commands 15 ...... <- this must be added under the vty lines
Your TACACS config, as far as I can see, is correct, but these commands make the router send the command to ISE to authorize it.
MHM
01-27-2024 08:24 PM
My device config is like this.
aaa group server tacacs+ TACACS
 server name x.x.x.x
 server name x.x.x.x
 ip vrf forwarding Mgmt-vrf
 ip tacacs source-interface GigabitEthernet0/0
aaa authentication login default group TACACS local
aaa authentication enable default group TACACS enable
aaa authorization exec default group TACACS local
aaa authorization commands 15 default group TACACS local
aaa accounting exec TACACS start-stop group TACACS
aaa accounting network TACACS start-stop group TACACS
aaa accounting commands 0 default start-stop group TACACS
aaa accounting commands 1 default start-stop group TACACS
aaa accounting commands 5 default start-stop group TACACS
aaa accounting commands 15 default start-stop group TACACS
tacacs-server directed-request
tacacs server x.x.x.x
 address ipv4 x.x.x.x
 key xxxxxx
tacacs server x.x.x.x
 address ipv4 x.x.x.x
 key xxxxxx
And my ISE default privilege is 15, and the max privilege is also 15.
01-28-2024 12:20 AM
What about vty? Can you share the config?
Thanks
MHM
01-28-2024 07:46 AM
My vty config is this:
line con 0
 session-timeout 15
 exec-timeout 15 0
 logging synchronous
 exec prompt timestamp
 stopbits 1
line vty 0 4
 session-timeout 15
 access-class xxx in vrfname Mgmt-vrf
 exec-timeout 15 0
 logging synchronous
 exec prompt timestamp
 transport input ssh
line vty 5 15
 session-timeout 15
 access-class xxx in vrfname Mgmt-vrf
 exec-timeout 15 0
 logging synchronous
 exec prompt timestamp
 transport input ssh
line vty 16 31
 transport input none
01-29-2024 02:05 PM
I don't see anything wrong in your config.
Can you
debug aaa authorization
and try to access and use a command (denied by ISE) and a command (permitted by ISE)?
Thanks
MHM
01-29-2024 02:01 AM
You would need to add the command "aaa authorization config-commands", and I would also highly recommend adding the keyword "if-authenticated" at the end of the "aaa authorization exec" and "aaa authorization commands" commands, to allow the net admins to be authorized on the network devices if ISE should go down for any reason after they have been authenticated.
01-29-2024 05:22 PM
Thank you for your reply.
You mean I have to set the config like this?
aaa authorization exec default group TACACS local if-authenticated
aaa authorization commands 15 default group TACACS local if-authenticated
I will test it and let you know the result. bb
01-30-2024 01:22 AM
That's right, but please also add the command "aaa authorization config-commands" as well. You might have that command applied by default in the hidden configs, but please apply it just in case to enable the config t authorization.
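The two replies above converge on a short checklist for the device side: a "commands 15" authorization method list pointing at the TACACS+ group, an explicit "aaa authorization config-commands", "if-authenticated" on the exec and commands lists, and, when the list is not the default one, the same list applied under the vty lines. The following is an added example (not code from the thread, from Cisco, or from ISE) that audits a saved running-config for exactly those points. The sample configs are constructed and modelled on the one posted earlier in the thread, with the same x.x.x.x placeholders; the helper names are this example's own.

```python
import re

# Constructed sample: the shape of the config posted in this thread (before the fix).
CONFIG_BEFORE = """\
aaa new-model
aaa group server tacacs+ TACACS
 server name x.x.x.x
 ip vrf forwarding Mgmt-vrf
aaa authentication login default group TACACS local
aaa authorization exec default group TACACS local
aaa authorization commands 15 default group TACACS local
aaa accounting commands 15 default start-stop group TACACS
line vty 0 4
 transport input ssh
"""

# Constructed sample: the same config with the thread's recommendations applied.
CONFIG_AFTER = """\
aaa new-model
aaa group server tacacs+ TACACS
 server name x.x.x.x
 ip vrf forwarding Mgmt-vrf
aaa authentication login default group TACACS local
aaa authorization config-commands
aaa authorization exec default group TACACS local if-authenticated
aaa authorization commands 15 default group TACACS local if-authenticated
aaa accounting commands 15 default start-stop group TACACS
line vty 0 4
 transport input ssh
"""


def parse_sections(config):
    """Split an IOS-style config into top-level lines and the indented children
    of each 'line ...' section (children of other sections are ignored)."""
    top, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
            continue
        line = raw.strip()
        top.append(line)
        current = line if line.startswith("line ") else None
        if current is not None:
            sections[current] = []
    return top, sections


def audit_command_authz(config):
    """Return a list of findings; an empty list means every point from the
    thread is present in the config text."""
    top, sections = parse_sections(config)
    findings = []

    cmd15 = [l for l in top if l.startswith("aaa authorization commands 15 ")]
    if not cmd15:
        findings.append("missing 'aaa authorization commands 15 ...': the device never "
                        "sends privilege-15 commands to the TACACS+ server")
        return findings

    # Config-mode commands are only authorized when config-commands is enabled.
    # The enabled default is not shown in 'show run', so the thread recommends
    # setting it explicitly; an explicit 'no ...' is a definite gap.
    if "no aaa authorization config-commands" in top:
        findings.append("'no aaa authorization config-commands' exempts configuration-mode "
                        "commands from authorization")
    elif "aaa authorization config-commands" not in top:
        findings.append("add 'aaa authorization config-commands' explicitly (the default "
                        "does not appear in the running config)")

    exec_lists = [l for l in top if l.startswith("aaa authorization exec ")]
    for l in cmd15 + exec_lists:
        if " group " in l and not l.endswith(" if-authenticated"):
            findings.append(f"'{l}': append if-authenticated so authenticated admins keep "
                            "access if the TACACS+ server is unreachable")

    # A non-default method list must be applied to each vty line to take effect.
    list_name = cmd15[0].split()[4]  # aaa authorization commands 15 <name> ...
    if list_name != "default":
        for line_name, children in sections.items():
            if line_name.startswith("line vty") and \
                    f"authorization commands 15 {list_name}" not in children:
                findings.append(f"'{line_name}' does not apply named list '{list_name}' "
                                f"(authorization commands 15 {list_name})")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(label, "->", audit_command_authz(cfg) or "OK")
```

Run it against the output of "show running-config" saved to a file, or drop the text into the constants above. The check for the explicit config-commands line is deliberately a warning rather than an error, because the reply above notes that the enabled default may already apply without appearing in the config; the point is that the thread's fix became visible only once the line was entered explicitly.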
01-30-2024 10:36 PM
Only the enable password step is added, and when I enter configure terminal, commands that are not permitted still work.
01-30-2024 11:05 PM
Thank you so much! It worked very well!!!
You are a god to me ;)
01-31-2024 12:06 AM - edited 01-31-2024 02:39 AM
Hi @tjdwns4111
Can you share
debug aaa authorization
since it works (I suspect the if-authenticated keyword)?
Note: make sure you do not use a local user; use a username that only exists in ISE. There is a chance that ISE is not receiving the authorization request, but let us be more sure.
Thanks
MHM