How to give read only access to Cisco IOS on ISE

farooqateeq123
Level 1

Hi All,

We have ISE deployed with the Device Admin persona active, and we have users in Active Directory to administer ISE and network devices. I want to configure a user to have read-only access to Cisco IOS devices, who can run only show commands, including the show running-config command.

I have created a user, assigned it to the read-only users group, created a command set and allowed the show command with * in the attributes column.

I am able to authenticate to the devices and can run show commands, except show running-config.

Please advise how to proceed.

Accepted Solutions

Anurag Sharma
Cisco Employee

Hi @farooqateeq123,

Give the user privilege 15 but control the user's access from Command Set. From what you described, your command set looks alright (you can share a screenshot if you like). Just give it Priv 15. The 'show run' command actually requires higher privilege than other show commands like show ver, show clock, etc.

Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.
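
The approach in the answer above only restricts the user if the IOS device sends each command to ISE for authorization; without `aaa authorization commands 15`, a privilege-15 session is not limited by the command set. A device-side configuration that supports it, as an added example that is not part of the original thread (the server name ISE-PSN1, group name ISE-TACACS, address 192.0.2.10 and the key are placeholders):

```cisco
! Constructed example: names, address and key below are placeholders.
aaa new-model
!
tacacs server ISE-PSN1
 address ipv4 192.0.2.10
 key <shared-secret>
!
aaa group server tacacs+ ISE-TACACS
 server name ISE-PSN1
!
! Authenticate logins against ISE; fall back to local accounts if ISE is unreachable.
aaa authentication login default group ISE-TACACS local
! Take the session privilege level (15, set in the ISE shell profile) from ISE at login.
aaa authorization exec default group ISE-TACACS local
! Send every level-1 and level-15 command to ISE so the command set is what decides.
aaa authorization commands 1 default group ISE-TACACS local
aaa authorization commands 15 default group ISE-TACACS local
! Also authorize commands entered in configuration mode.
aaa authorization config-commands
```

With this in place, `show privilege` for the read-only user reports level 15 and `show running-config` is permitted, while a command outside the command set, such as `configure terminal`, is rejected with `Command authorization failed.`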
