command authorization by ISE

xili5
Cisco Employee

Hi,

I deployed an ISE as a TACACS+ server, and command authorization is used to control which command sets are allowed to execute for different privilege levels.

Users in the "FMC-admin" AD group are assigned privilege 15 by the shell profile and are permitted to execute all commands by the command set result. Once a command is executed by an admin user, a TACACS log pops up showing which command was entered.

Users in the "HR" AD group are assigned privilege 6 by the shell profile and are only allowed to execute "show access-list" by the command set result. But an HR user can execute any privilege level 6 command, and I can't see any logs like those that appear for the admin user when I enter commands.

It confuses me a little: is command set authorization only available for privilege 15?

AAA configuration:

aaa authentication login default group ise local
aaa authentication enable default group ise
aaa authorization config-commands
aaa authorization exec default group ise
aaa authorization commands 5 default group ise
aaa authorization commands 6 default group ise
aaa authorization commands 15 default group ise


Accepted Solution

hslai
Cisco Employee

Each CLI command has its own privilege level, and its command authorization is sent based on this privilege level rather than that of the user attempting to run it. By default, or in most implementations of Cisco IOS, commands are assigned to levels 0, 1, and 15. If you are not sure which ones are in use, you may specify them all (0 ~ 15).

Network devices might allow changing the privilege levels of commands. For example, see Setting the Privilege Level for a Command in Cisco IOS.
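As an added check (not from the original thread or from Cisco), the script below parses the AAA lines from a constructed IOS running-config that mirrors the one posted above, lists the privilege levels that have no "aaa authorization commands <level>" entry, predicts whether a given command would be sent to ISE at all, and generates the missing lines. It assumes the rule hslai describes (IOS keys command authorization on the command's own level, not the user's) and assumes "show access-list" is a level-1 command, which is the usual IOS default but should be verified on the device.

```python
import re

# Constructed excerpt of an IOS running-config mirroring the thread's AAA lines.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group ise local
aaa authentication enable default group ise
aaa authorization config-commands
aaa authorization exec default group ise
aaa authorization commands 5 default group ise
aaa authorization commands 6 default group ise
aaa authorization commands 15 default group ise
"""

AUTHZ_RE = re.compile(r"^aaa authorization commands (\d{1,2}) (\S+)", re.M)

# Constructed command table. Level 1 for "show access-list" is an assumption
# (the usual IOS default); check "show privilege"/the device docs for real values.
COMMAND_LEVELS = {"show access-list": 1, "configure terminal": 15, "show running-config": 15}

def authorized_levels(config):
    """Map each privilege level that has an 'aaa authorization commands' line to its method list."""
    return {int(m.group(1)): m.group(2) for m in AUTHZ_RE.finditer(config)}

def uncovered_levels(config):
    """Privilege levels 0-15 for which IOS never sends a command-authorization request."""
    covered = authorized_levels(config)
    return [lvl for lvl in range(16) if lvl not in covered]

def will_query_tacacs(config, command_level):
    """Authorization is keyed on the command's own level, not the user's (per the accepted answer)."""
    return command_level in authorized_levels(config)

def explain(config, command):
    """Human-readable verdict for one command: sent to ISE, or silently permitted locally."""
    lvl = COMMAND_LEVELS[command]
    verdict = "sent to ISE" if will_query_tacacs(config, lvl) else "NOT sent to ISE (no log, permitted locally)"
    return f"{command!r} is level {lvl}: {verdict}"

def fixed_config(config):
    """Append an 'aaa authorization commands <n> default group ise' line for every missing level."""
    lines = [f"aaa authorization commands {lvl} default group ise" for lvl in uncovered_levels(config)]
    return config + "\n".join(lines) + ("\n" if lines else "")

if __name__ == "__main__":
    print("Levels without command authorization:", uncovered_levels(SAMPLE_CONFIG))
    for cmd in COMMAND_LEVELS:
        print(explain(SAMPLE_CONFIG, cmd))
    print(fixed_config(SAMPLE_CONFIG))
```

With the posted config, "show access-list" (level 1) never reaches ISE, which is why the HR user's commands are neither blocked nor logged.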


2 Replies

hslai
Cisco Employee

If the command authorization request comes into ISE and matches the correct command set, then ISE should send an Access-Reject or fail the request. If that is not the case, we need to check why ISE is not authorizing it correctly.

Otherwise, this might be how your target NAD platform implements its T+ enforcement, or a bug on that platform.
