Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2187
Views
0
Helpful
3
Replies

Cisco ISE Tacacs Policies Set

PutmanoAIT
Level 1
Level 1

‎03-22-2018 07:23 PM - edited ‎02-21-2020 10:51 AM

I have configure Cisco ISE for TACACS server. I configured command set to limit some show command and shell profile to maximum the privilege to 7 for HelpDesk Admin. The command set policy is working fine but shell profile seem not working. I logged into the switch and show privilege, I'm still in privilege 15.I'm not sure where I'm wrong. Please kindly see the switch configuration as below:

tacacs-server timeout 1
tacacs-server host 10.156.141.69
tacacs-server key 0 P@ssw0rd

aaa authentication login default group tacacs+ local none
aaa authentication enable default group tacacs+ local none
aaa authorization config-commands
aaa authorization exec ISE group tacacs+ local none
aaa authorization commands 0 default group tacacs+ local none
aaa authorization commands 1 default group tacacs+ local none
aaa authorization commands 7 default group tacacs+ local none
aaa authorization commands 15 default group tacacs+ local none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 7 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+


line vty 0 4
authorization exec ISE
transport preferred ssh
transport input ssh

line vty 5 15
authorization exec ISE
transport preferred ssh
transport input ssh

Labels:
0 Helpful
3 Replies 3

Francesco Molino
VIP Alumni
VIP Alumni

‎03-22-2018 07:37 PM - edited ‎03-22-2018 07:38 PM

Hi

Can you share the policy you're pushing from your tacacs server?

Just for your information. If you want to use privilege levels it has to be configured locally the device if you're pushing level 7 from tacacs.

Using tacacs you can push level 15 and filter commands for users using command-sets

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

PutmanoAIT
Level 1
Level 1
In response to Francesco Molino

‎03-22-2018 07:47 PM

Please kindly see the configuration as attach file.

 

Thank for your kindly support.

Preview file
46 KB
Preview file
66 KB
Preview file
50 KB
Preview file
51 KB
0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni
In response to PutmanoAIT

‎03-23-2018 04:47 PM

How do you connect on the switch?

Your command authentication enable should be:
aaa authentication enable default group tacacs+ enable

On ISE, your user should have the password set on enable field.
When you're logged in, you need to type enable 7 and type your password. If you try enable, by default it will be enable 15 and you shouldn't be able to log in

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful
Customers Also Viewed These Support Documents