12-08-2023 10:12 AM - edited 12-08-2023 10:23 AM
Can ISE limit restconf commands sent to network devices? Essentially a program was built to clear arp on ASRs and also shut/no shut specific interfaces on C9500s. Can we limit the commands to just that via ISE? I'm not tasked with implementing this although I may end up eventually doing it. I noticed in the command set my colleagues set up they are using standard CLI commands for the permit action. Does ISE have an underlying mapping or do they need to put in the actual restconf syntax? Any help or links to documentation appreciated. Did a quick search last night before I got off work and didn't find much.
Accepted Solutions
12-10-2023 01:24 PM
NETCONF and RESTCONF do not provide the ability to perform command authorization from a AAA server. You can authenticate and authorize the user, but the only external authorization method available is privilege level.
To provide more granular RBAC for NETCONF/RESTCONF, you would need to look at Model Based AAA via NACM.
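The NACM approach the accepted answer points to, as an added illustration that is not from the original thread: an RFC 8341 (ietf-netconf-acm) rule-list that lets one automation account change only the admin state of interfaces, and exec only one named RPC, with everything else denied. The user name, group name and the RPC module/name are constructed placeholders; how a device maps an ISE-authenticated user into a NACM group is platform-specific and is assumed here.

```xml
<!-- Constructed example: NACM rules loaded into the device's running config
     (e.g. via NETCONF <edit-config>). Defaults deny, so only listed paths/RPCs work. -->
<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
  <enable-nacm>true</enable-nacm>
  <read-default>deny</read-default>
  <write-default>deny</write-default>
  <exec-default>deny</exec-default>

  <!-- Group membership: placeholder account used by the automation program -->
  <groups>
    <group>
      <name>iface-automation</name>
      <user-name>netops-bot</user-name>
    </group>
  </groups>

  <rule-list>
    <name>iface-automation-rules</name>
    <group>iface-automation</group>

    <!-- Rule 1: allow read/update of the "enabled" leaf only (shut / no shut),
         not description, IP addressing or any other interface attribute. -->
    <rule>
      <name>permit-interface-admin-state</name>
      <module-name>ietf-interfaces</module-name>
      <path xmlns:if="urn:ietf:params:xml:ns:yang:ietf-interfaces">/if:interfaces/if:interface/if:enabled</path>
      <access-operations>read update</access-operations>
      <action>permit</action>
    </rule>

    <!-- Rule 2: allow exec of exactly one RPC. MODULE-NAME-PLACEHOLDER and
         RPC-NAME-PLACEHOLDER stand for the vendor model and RPC that performs
         the operational action (e.g. clearing ARP); look them up on the target platform. -->
    <rule>
      <name>permit-single-operational-rpc</name>
      <module-name>MODULE-NAME-PLACEHOLDER</module-name>
      <rpc-name>RPC-NAME-PLACEHOLDER</rpc-name>
      <access-operations>exec</access-operations>
      <action>permit</action>
    </rule>

    <!-- Rule 3: explicit catch-all deny for this group (matches the defaults above
         but keeps intent visible when someone later edits the rule-list). -->
    <rule>
      <name>deny-everything-else</name>
      <module-name>*</module-name>
      <access-operations>*</access-operations>
      <action>deny</action>
    </rule>
  </rule-list>
</nacm>
```

Rules are evaluated in order and the first match wins, so the permit rules must precede the catch-all; NACM also logs denied operations when `<log-if-deny>` is set per rule, which gives the audit trail that ISE command authorization would otherwise have provided.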
12-10-2023 08:37 PM
Yes, Cisco Identity Services Engine (ISE) can be configured to limit or control RESTCONF (RESTful Network Configuration) commands on network devices. RESTCONF is an HTTP-based protocol that provides a programmatic interface for interacting with network devices.
In simple terms:
Define Policies in ISE:
- ISE allows you to define policies that control what actions are allowed or denied for different users or devices.
Create Authorization Policies:
- Create authorization policies in ISE that specify what RESTCONF commands or operations are permitted for different users or groups.
Map Policies to Network Devices:
- Associate these policies with specific network devices or device groups.
Enforce Access Control:
- ISE acts as an access control point, enforcing the policies you've defined. If a user tries to execute RESTCONF commands that are not allowed by the policies, ISE will deny the access.
Monitoring and Logging:
- ISE provides monitoring and logging capabilities, allowing you to track and audit the RESTCONF activities on the network devices.
