Solved: Cisco ISE TACACS Query

sondevi · ‎03-13-2019

Hi Team,

I have query regarding ISE TACACS device admin configuration:

1. what is the difference between "Default Priv" and "Max priv" levels in shell profile.

2. for a CU deployment, just to make the easy deployment, can we restrict only on basis of command sets for different users access group and configure the single shell profile with static 15/15 value for "Default Priv" and "Max priv" levels.

I am more in favour of security/restriction over ease ability if defining the different shell profiles can make difference.

paul · ‎03-13-2019

Yes just sent both to 15 and do command authorization to grant the users what access they need. I believe the default priv. level is the initial priv level the user is put in. If the user chooses to elevate (with the enable command as an example) the max priv value is checked to see if that is allowed. I don't use the concept of priv level any more and everyone gets 15 from the start.

View solution in original post

paul · ‎03-13-2019

Yes just sent both to 15 and do command authorization to grant the users what access they need. I believe the default priv. level is the initial priv level the user is put in. If the user chooses to elevate (with the enable command as an example) the max priv value is checked to see if that is allowed. I don't use the concept of priv level any more and everyone gets 15 from the start.

sondevi · ‎03-13-2019

Thanks Paul for quick reply. same thought.