03-13-2019 09:38 AM
Hi Team,
I have a query regarding ISE TACACS device admin configuration:
1. What is the difference between the "Default Priv" and "Max Priv" levels in a shell profile?
2. For a CU deployment, just to make the deployment easy, can we restrict access only on the basis of command sets for the different user access groups, and configure a single shell profile with a static 15/15 value for the "Default Priv" and "Max Priv" levels?
I am more in favour of security/restriction over ease, if defining different shell profiles can make a difference.
03-13-2019 10:27 AM
Yes, just set both to 15 and do command authorization to grant the users what access they need. I believe the default priv level is the initial priv level the user is put in. If the user chooses to elevate (with the enable command, as an example), the max priv value is checked to see if that is allowed. I don't use the concept of priv level any more and everyone gets 15 from the start.
03-13-2019 11:47 PM
Thanks, Paul, for the quick reply. Same thought.