about ISE 3.1 TACACS Command set

tjdwns4111
Level 1

The group's default privilege and max privilege are 15.

and I set a command in the TACACS command set like this:

[image: tjdwns4111_2-1706251643733.png]

and when I log in to the network device and enter [configure terminal], it works as set up.

but when I enter ip route x.x.x.x x.x.x.x x.x.x.x or interface gi x/x/x, it still works.

how can I deny the command?

Accepted Solution

That's right, but please also add the command "aaa authorization config-commands" as well. You might have that command applied by default in the hidden configs, but please apply it just in case to enable the config t authorization.

15 Replies

If your plan is to allow config t and then allow only specific commands, then you can either create the allowed commands list or the deny commands list. For instance, if you want to allow config t alongside the "enable" command, you can add the "enable" command below the config t command. If you want to deny the "ip route" command, you can add a deny rule with the "ip route" command. You can also rely on wildcards; for instance, you can add a deny rule with "ip*", which would deny any command that starts with "ip" followed by any character. Another way to deal with this would be to create the list of commands you don't want to allow, and then tick the check box "Permit any command that is not listed below".

Be sure you also have command authorization configured on the NAD.
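As an added illustration of the two command-set styles described in the reply above (this is not ISE code and not from the thread), the following Python model evaluates command lines against an allow list and against a deny list with "Permit any command that is not listed below" ticked. The matching semantics are an assumption made for this example: the rule's command field is matched against the first keyword with shell-style wildcards, the arguments field is a regex on the rest of the line, and the first matching rule wins. The sample commands are constructed and include the two the original poster could not block.

```python
import fnmatch
import re
from dataclasses import dataclass


@dataclass
class CommandRule:
    grant: str            # "PERMIT" or "DENY"
    command: str          # pattern for the first keyword; '*' and '?' are wildcards (assumed semantics)
    arguments: str = ""   # regex tested against the rest of the line; "" matches anything


@dataclass
class CommandSet:
    rules: list
    permit_unlisted: bool = False   # models the "Permit any command that is not listed below" box

    def evaluate(self, line: str) -> str:
        """Return 'PERMIT' or 'DENY' for one command line the NAD sends for authorization."""
        parts = line.strip().split(maxsplit=1)
        if not parts:
            return "DENY"
        keyword = parts[0]
        args = parts[1] if len(parts) > 1 else ""
        for rule in self.rules:   # assumption for this model: first matching rule wins
            if fnmatch.fnmatchcase(keyword, rule.command) and re.search(rule.arguments, args):
                return rule.grant
        return "PERMIT" if self.permit_unlisted else "DENY"


# Style 1 from the reply: an allow list. "configure terminal" and "enable" are permitted,
# "ip*" is denied, and everything not listed is denied because the box is unticked.
ALLOW_LIST = CommandSet(
    rules=[
        CommandRule("PERMIT", "configure", r"^terminal$"),
        CommandRule("PERMIT", "enable"),
        CommandRule("DENY", "ip*"),
    ],
    permit_unlisted=False,
)

# Style 2 from the reply: a deny list with "Permit any command that is not listed below" ticked.
DENY_LIST = CommandSet(
    rules=[
        CommandRule("DENY", "ip", r"^route\b"),
        CommandRule("DENY", "interface"),
    ],
    permit_unlisted=True,
)

# Constructed sample command lines, including the two the original poster could not block.
SAMPLE_COMMANDS = [
    "configure terminal",
    "ip route 10.0.0.0 255.0.0.0 192.0.2.1",
    "interface gi1/0/1",
    "ip address 10.0.0.1 255.255.255.0",
    "show version",
]


def decisions(command_set: CommandSet, commands=SAMPLE_COMMANDS) -> dict:
    """Map each sample command line to the command set's decision."""
    return {cmd: command_set.evaluate(cmd) for cmd in commands}


if __name__ == "__main__":
    for name, cs in (("allow-list", ALLOW_LIST), ("deny-list", DENY_LIST)):
        print(name)
        for cmd, verdict in decisions(cs).items():
            print(f"  {verdict:6} {cmd}")
```

The model only shows what the policy decides once the device actually sends a configuration command to ISE for authorization; in the original poster's case the commands still worked because the device was not asking, which is what the command authorization settings on the NAD control.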

Can I see the config of the device you administer through ISE?

Thanks

MHM

aaa authorization commands 15 ...... <- this must be added in global configuration mode

authorization commands 15 ...... <- this must be added under the vty lines

Your TACACS config, as I see it, is correct, but these commands make the router send the command to ISE to authorize it.

MHM

My device config is like this:

aaa group server tacacs+ TACACS
 server name x.x.x.x
 server name x.x.x.x
 ip vrf forwarding Mgmt-vrf
 ip tacacs source-interface GigabitEthernet0/0

aaa authentication login default group TACACS local
aaa authentication enable default group TACACS enable
aaa authorization exec default group TACACS local
aaa authorization commands 15 default group TACACS local
aaa accounting exec TACACS start-stop group TACACS
aaa accounting network TACACS start-stop group TACACS

aaa accounting commands 0 default start-stop group TACACS
aaa accounting commands 1 default start-stop group TACACS
aaa accounting commands 5 default start-stop group TACACS
aaa accounting commands 15 default start-stop group TACACS

tacacs-server directed-request
tacacs server x.x.x.x
 address ipv4 x.x.x.x
 key xxxxxx
tacacs server x.x.x.x
 address ipv4 x.x.x.x
 key xxxxxx

 

and my ISE default privilege is 15, and the max privilege is also 15.

What about the vty lines? Can you share that config?

Thanks 

MHM

My vty config is this:

line con 0
 session-timeout 15
 exec-timeout 15 0
 logging synchronous
 exec prompt timestamp
 stopbits 1
line vty 0 4
 session-timeout 15
 access-class xxx in vrfname Mgmt-vrf
 exec-timeout 15 0
 logging synchronous
 exec prompt timestamp
 transport input ssh
line vty 5 15
 session-timeout 15
 access-class xxx in vrfname Mgmt-vrf
 exec-timeout 15 0
 logging synchronous
 exec prompt timestamp
 transport input ssh
line vty 16 31
 transport input none

I don't see anything wrong in your config.

Can you

debug aaa authorization

and try to access and use a command (denied by ISE) and a command (permitted by ISE)?

Thanks 

MHM

You would need to add the command "aaa authorization config-commands", and I would also highly recommend adding the keyword "if-authenticated" at the end of the "aaa authorization exec" and "aaa authorization commands" commands to allow the net admins to be authorized on the network devices if ISE should go down for any reason after they have been authenticated.
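As an added check (not from the thread, and not Cisco's own tooling), the following Python script reads a saved running-config and reports the three items raised in the reply above: whether privilege-15 command authorization is configured, whether the exec and commands method lists have the "if-authenticated" fallback, and whether "aaa authorization config-commands" is visibly enabled, explicitly disabled, or simply not shown. The last case is the one the accepted solution warns about: a config that shows neither form is inconclusive, so the recommendation is to apply the command explicitly. The configuration text is a constructed sample built from the poster's own lines, with their x.x.x.x placeholders kept; the method-list group name "TACACS" is taken from that config.

```python
import re

# Constructed sample for this example: the AAA portion of the configuration the
# original poster shared, with their x.x.x.x placeholders kept as they wrote them.
SAMPLE_CONFIG = """\
aaa group server tacacs+ TACACS
 server name x.x.x.x
 server name x.x.x.x
 ip vrf forwarding Mgmt-vrf
 ip tacacs source-interface GigabitEthernet0/0
!
aaa authentication login default group TACACS local
aaa authentication enable default group TACACS enable
aaa authorization exec default group TACACS local
aaa authorization commands 15 default group TACACS local
aaa accounting exec TACACS start-stop group TACACS
aaa accounting commands 15 default start-stop group TACACS
!
line vty 0 4
 transport input ssh
"""


def audit_command_authorization(config_text: str) -> dict:
    """Check a running-config for the command authorization items discussed in the thread."""
    lines = [ln.strip() for ln in config_text.splitlines()]

    def matching(pattern):
        return [ln for ln in lines if re.match(pattern, ln)]

    commands15 = matching(r"aaa authorization commands 15 \S+ group \S+")
    exec_lists = matching(r"aaa authorization exec \S+ group \S+")

    if "no aaa authorization config-commands" in lines:
        config_cmds = "disabled"
    elif "aaa authorization config-commands" in lines:
        config_cmds = "enabled"
    else:
        # Neither form shown: the running-config alone cannot confirm the setting
        # (the thread notes it may be applied in the hidden defaults), so treat it
        # as something to configure explicitly.
        config_cmds = "not shown"

    return {
        "commands_15_authorization": bool(commands15),
        "commands_15_if_authenticated": any(ln.endswith("if-authenticated") for ln in commands15),
        "exec_if_authenticated": any(ln.endswith("if-authenticated") for ln in exec_lists),
        "config_commands": config_cmds,
    }


def recommendations(findings: dict, group: str = "TACACS") -> list:
    """Config lines to add, following the advice given in the reply above."""
    recs = []
    if not findings["commands_15_authorization"] or not findings["commands_15_if_authenticated"]:
        recs.append(f"aaa authorization commands 15 default group {group} local if-authenticated")
    if not findings["exec_if_authenticated"]:
        recs.append(f"aaa authorization exec default group {group} local if-authenticated")
    if findings["config_commands"] != "enabled":
        recs.append("aaa authorization config-commands")
    return recs


if __name__ == "__main__":
    found = audit_command_authorization(SAMPLE_CONFIG)
    for key, value in found.items():
        print(f"{key:32} {value}")
    print("add:")
    for line in recommendations(found):
        print(" ", line)
```

Run against the poster's config the audit reports command authorization present but no fallback keyword and no visible config-commands line, and recommends exactly the three lines the reply asks for; appending those lines and re-running it yields no further recommendations.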

Thank you for your reply.

You mean I have to set the config like this?

aaa authorization exec default group TACACS local if-authenticated

aaa authorization commands 15 default group TACACS local if-authenticated

 

I will test it and let you know the result.

That's right, but please also add the command "aaa authorization config-commands" as well. You might have that command applied by default in the hidden configs, but please apply it just in case to enable the config t authorization.

Only the enable password step is added, and when I enter the config terminal, commands that are not permitted still work.

Thank you so much! It worked very well!!!

You are a god to me ;)

Hi @tjdwns4111 

Can you share

debug aaa authorization

since it works (I suspect the if-auth).

Note: make sure you are not using a local user; use a username that only exists in ISE. There is a chance that ISE is not receiving the authz, but let us be more sure.

Thanks

MHM