Device Admin with RO and RW Command Sets

fatalXerror · ‎08-26-2021

Hi Guys,

I am creating a policy for device admin purposes. I would like to check if it is mandatory to create a shell profile and associate it to the policy or command sets alone will do? I just want to have a read-write, read-only, and custom command sets in my device admin policy.

Thanks

Greg Gibbs · ‎08-26-2021

This depends entirely on the device you're trying to manage, but most devices require a TACACS Profile of some sort to specify the basic privileges of the admin logging in.

See the Cisco ISE Device Administration Prescriptive Deployment Guide for more info and examples.

Arne Bier · ‎08-26-2021

@fatalXerror - command sets apply for Authorization (aaa authorization ....) whereas the shell profile sets the priv level. You can set a priv level to level 15, and then restrict commands. Likewise, set level to 7 and restrict commands. But you have to tell the IOS which level the EXEC is authorized to after authentication.

I always wondered what Read-Only means in the context of IOS. On the AireOS WLC there was a category called MONITOR - it means you can see everything but you can't add/edit/delete. So for IOS I assume you would say, allow level 15 and then deny the commands like "conf*" and "relo*"

Remember that commands use wildcards (* and ?) whereas arguments use regular expression syntax (e.g. ^[1234]. etc.)

Device Admin with RO and RW Command Sets

Enter the set BOOT command to

DHCP relay agent check command

事象：ASDM Unable to launch device manager from <IP address>

ISE device admin Licnese

How to Deploy ISE Device Admin with Duo MFA