thanks for your reply , now user can auth via TACACS from ISE ,
but i have another issue for detail behavior , for example :
i want this user cannot config lldp via telnet , and i done configurations like below :
configure TACACS command like this :
and configure authorization policy like this , and i am sure this rule be hit when this user login via telnet :
but user still can config lldp well via telnet :
this behavior is not my expectation , i do not know why ? any configurations i miss ? or some setting i need to adjust ?
thanks for your reply , after i checked the logs , there is nothing in "matched command set"
but i do configured the rule and make sure it be hit , it is called "tacacs for low power" :
why it cannot hit this command sets ? any setting i need to adjust ? or some configurations i miss ?
The authorization you showed in your screenshot is one for a shell profile, because its overview has
| Message Text | Device-Administration: Session Authorization succeeded |
and one of the steps gives --
| 15017 | Selected Shell Profile |
Below shows T+ live logs with T+ authC, T+ shell authZ, and T+ command authZ.
Here shows the auth detail report of one of command authZ requests from the above.
Its overview has
| Message Text | Device-Administration: Command Authorization succeeded |
And, its steps have:
| 15018 | Selected Command Set | |
| 13024 | Command matched a Permit rule |
Thus, it does not appear your NAD sending command authorization at all.
