11-17-2017 01:21 AM
Hi,
I deployed an ISE as a TACACS server, and command authorization is used to control which command sets are allowed to execute for different privilege levels.
Users in the "FMC-admin" AD group are assigned privilege 15 by the shell profile and permitted to execute all commands by the command set result. Once a command is executed by an admin user, a TACACS log pops up and shows which command was entered.
Users in the "HR" AD group are assigned privilege 6 by the shell profile and only allowed to execute "show access-list" by the command set result. But the HR user can execute any privilege level 6 command, and I can't see any logs like the ones that appeared for the admin user when I enter commands.
It confuses me a little: is command set authorization only available for privilege 15?
AAA configuration:
aaa authentication login default group ise local
aaa authentication enable default group ise
aaa authorization config-commands
aaa authorization exec default group ise
aaa authorization commands 5 default group ise
aaa authorization commands 6 default group ise
aaa authorization commands 15 default group ise
11-18-2017 08:28 AM
Each of the CLI commands has its own privilege level, and its command authorization is sent based on this privilege level rather than that of the user who is attempting to run it. By default, or in most implementations of Cisco IOS, commands are assigned to levels 0, 1, and 15. If not sure which ones are in use, you may specify them all (0 ~ 15).
Network devices might allow changing the privilege levels of commands. For example, Setting the Privilege Level for a Command in Cisco IOS
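As an added illustration of the answer above (not from the original thread and not Cisco's own documentation): the question's AAA lines only cover command levels 5, 6 and 15, so a level-1 command such as "show access-lists" run by a privilege-6 user never generates an authorization request to ISE, which matches the missing logs. The fragment below authorizes (and accounts for) every command level 0 through 15, as the answer suggests, and shows the "privilege exec" form for moving one command to a different level. The server group name "ise" is taken from the question; the command and level chosen for the privilege change are assumed examples.

```text
! Added example: Cisco IOS AAA command-authorization fragment (not from the thread).
! Group name "ise" comes from the question; everything else is illustrative.
aaa new-model
aaa authentication login default group ise local
aaa authentication enable default group ise
aaa authorization config-commands
aaa authorization exec default group ise
!
! Authorize every command privilege level, not only the levels granted to users.
! Most "show" commands sit at level 1, so without the "commands 1" line a
! privilege-6 user's "show" commands are never sent to ISE at all.
aaa authorization commands 0 default group ise
aaa authorization commands 1 default group ise
aaa authorization commands 2 default group ise
aaa authorization commands 3 default group ise
aaa authorization commands 4 default group ise
aaa authorization commands 5 default group ise
aaa authorization commands 6 default group ise
aaa authorization commands 7 default group ise
aaa authorization commands 8 default group ise
aaa authorization commands 9 default group ise
aaa authorization commands 10 default group ise
aaa authorization commands 11 default group ise
aaa authorization commands 12 default group ise
aaa authorization commands 13 default group ise
aaa authorization commands 14 default group ise
aaa authorization commands 15 default group ise
!
! Command accounting is what produces the per-command TACACS log entries;
! it is likewise keyed on the command's level, so cover the levels in use.
aaa accounting commands 1 default start-stop group ise
aaa accounting commands 15 default start-stop group ise
!
! Optional (assumed example): move a single command up to level 6, then pin the
! parent "show" keyword back to level 1 so the remaining show commands stay there.
privilege exec level 6 show access-lists
privilege exec level 1 show
```

With the level 0 and 1 lines in place, a privilege-6 HR user's "show" commands are sent to ISE, where the command set decides whether "show access-lists" is permitted and everything else is denied; "test aaa" on the device or the ISE TACACS live log then shows one authorization record per command, at whatever level the command carries.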
11-17-2017 09:23 AM
If the command authorization request comes into ISE and matches the correct command set, then ISE should send an Access-Reject or fail the request. If that is not the case, we need to check why ISE is not authorizing it correctly.
Otherwise, this might be how your target NAD platform implements its T+ enforcement, or a bug on that platform.