Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3675
Views
0
Helpful
2
Replies

Device Admin with RO and RW Command Sets

fatalXerror
Level 5
Level 5

‎08-26-2021 08:22 AM

Hi Guys,

I am creating a policy for device admin purposes. I would like to check if it is mandatory to create a shell profile and associate it to the policy or command sets alone will do? I just want to have a read-write, read-only, and custom command sets in my device admin policy.

Thanks

0 Helpful
2 Replies 2

Greg Gibbs
Cisco Employee
Cisco Employee

‎08-26-2021 03:53 PM

This depends entirely on the device you're trying to manage, but most devices require a TACACS Profile of some sort to specify the basic privileges of the admin logging in.

See the Cisco ISE Device Administration Prescriptive Deployment Guide for more info and examples.

0 Helpful

Arne Bier
VIP
VIP

‎08-26-2021 05:31 PM

@fatalXerror  - command sets apply for Authorization (aaa authorization ....) whereas the shell profile sets the priv level. You can set a priv level to level 15, and then restrict commands. Likewise, set level to 7 and restrict commands. But you have to tell the IOS which level the EXEC is authorized to after authentication.

I always wondered what Read-Only means in the context of IOS. On the AireOS WLC there was a category called MONITOR - it means you can see everything but you can't add/edit/delete. So for IOS I assume you would say, allow level 15 and then deny the commands like "conf*" and "relo*"

Remember that commands use wildcards (* and ?) whereas arguments use regular expression syntax (e.g. ^[1234]. etc.)

0 Helpful
Customers Also Viewed These Support Documents