Device Admin with RO and RW Command Sets

08-26-2021 08:22 AM
Hi Guys,
I am creating a policy for device admin purposes. I would like to check whether it is mandatory to create a shell profile and associate it with the policy, or whether command sets alone will do. I just want to have read-write, read-only, and custom command sets in my device admin policy.
Thanks
Labels: Identity Services Engine (ISE)

08-26-2021 03:53 PM
This depends entirely on the device you're trying to manage, but most devices require a TACACS Profile of some sort to specify the basic privileges of the admin logging in.
See the Cisco ISE Device Administration Prescriptive Deployment Guide for more info and examples.

08-26-2021 05:31 PM
@fatalXerror - command sets apply to authorization (aaa authorization ...), whereas the shell profile sets the privilege level. You can set the privilege level to 15 and then restrict commands. Likewise, set the level to 7 and restrict commands. But you have to tell IOS which level the EXEC is authorized to after authentication.
I have always wondered what Read-Only means in the context of IOS. On the AireOS WLC there was a category called MONITOR: it means you can see everything but you can't add/edit/delete. So for IOS I assume you would allow level 15 and then deny commands like "conf*" and "relo*".
Remember that commands use wildcards (* and ?), whereas arguments use regular expression syntax (e.g. ^[1234]. etc.).
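As an added illustration of the two-piece model described in the reply above (shell profile answers the EXEC privilege level, command set answers each individual command), the IOS-side AAA configuration below is example configuration written for this page; it is not taken from the thread or from the Cisco deployment guide. The server name ISE-PSN1, the address 192.0.2.10, the shared key, the method-list names and the ISE object names are assumed placeholders, and the ISE shell profile and command set contents are sketched as comments rather than as exported ISE configuration.

```cisco
! Added example: IOS AAA configuration for ISE TACACS+ device administration.
! Server name, address, key, method-list names and ISE object names are
! placeholders (assumptions), not values from the original thread.
aaa new-model
!
tacacs server ISE-PSN1
 address ipv4 192.0.2.10
 key MySharedSecret
!
aaa group server tacacs+ ISE-TACACS
 server name ISE-PSN1
!
! Authentication: who the admin is.
aaa authentication login VTY-AUTH group ISE-TACACS local
!
! EXEC authorization: ISE returns the privilege level from the Shell Profile
! (e.g. Default Privilege 15 / Maximum Privilege 15). Without this method list
! IOS never asks ISE which level the session is entitled to, which is why a
! Shell Profile is needed in the ISE policy; Command Sets alone do not set it.
aaa authorization exec VTY-AUTHZ group ISE-TACACS local
!
! Command authorization: each command typed at these levels is sent to ISE and
! evaluated against the Command Set in the matching ISE authorization rule.
aaa authorization commands 1 VTY-AUTHZ group ISE-TACACS local
aaa authorization commands 15 VTY-AUTHZ group ISE-TACACS local
! Also authorize commands typed inside configuration mode, not just at the EXEC prompt.
aaa authorization config-commands
!
aaa accounting commands 15 default start-stop group ISE-TACACS
!
line vty 0 4
 login authentication VTY-AUTH
 authorization exec VTY-AUTHZ
 authorization commands 1 VTY-AUTHZ
 authorization commands 15 VTY-AUTHZ
 accounting commands 15 default
!
! ISE side (placeholder names), approximating "read-only at level 15":
!   Shell Profile  RO-SHELL : Default Privilege 15, Maximum Privilege 15
!   Command Set    RO-CMDS  : "Permit any command that is not listed below" checked
!       Grant          Command   Arguments
!       DENY_ALWAYS    conf*     (blank)     <- configure terminal, etc.
!       DENY_ALWAYS    relo*     (blank)     <- reload
!       DENY_ALWAYS    write     (blank)     <- write memory / write erase
!       DENY_ALWAYS    copy      (blank)
!       DENY_ALWAYS    clear     (blank)
!       DENY_ALWAYS    debug     (blank)
!   The Command column uses * and ? wildcards; the Arguments column is a
!   regular expression (left blank here to match any arguments).
! Caveat: denying only conf* and relo* still permits write, copy, clear, debug
! and similar state-changing commands at level 15, hence the longer list above.
```

Two checks before relying on this: the `local` fallback on each method list only helps if a local username with privilege 15 (or an enable secret) exists on the device, otherwise a loss of reachability to ISE locks administrators out; and the read-only command set should be tested from a VTY session with `debug tacacs` or the ISE TACACS Live Log, since a wildcard such as `conf*` matches any command beginning with those letters, not just `configure`.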
