ISE 2.0- TACACS Read access

Anukalp S
Level 1

Hi.. I have set up TACACS on ISE and created two AD groups (level_15 & level_7). level_15 users have full access and level_7 users should have only read (show) access.

I have given privilege 15 under the shell profile for level_15 and created another shell profile with privilege 7 for users in group level_7, and set the command set to "show".

Now level_15 group users are able to log in successfully and have priv 15 access. But this is not working with level_7 group users.

Users in this group are not able to execute show commands.

Below is the config on the IOS device.

======================================================================

aaa new-model

! TACACS+ server definition (ISE) and the server group the method lists use
tacacs server ISE
 address ipv4 172.16.9.12
 key l@v@

aaa group server tacacs+ ISE_GROUP
 server name ISE

! Named method list "AAA": ask ISE first, fall back to the local database
aaa authentication login AAA group ISE_GROUP local
aaa authentication enable default group ISE_GROUP enable
aaa authorization exec AAA group ISE_GROUP local
! Command authorization is configured for privilege levels 0, 1 and 15 only
aaa authorization commands 0 AAA group ISE_GROUP local
aaa authorization commands 1 AAA group ISE_GROUP local
aaa authorization commands 15 AAA group ISE_GROUP local
aaa authorization config-commands

! Apply the method lists to the VTY lines
line vty 0 4
 login authentication AAA
 authorization exec AAA
 authorization commands 0 AAA
 authorization commands 1 AAA
 authorization commands 15 AAA

================================================================

5 Replies

Change the default privilege level in your shellprofile_read to 15.
To use show commands, for instance, you need to be in enable mode.
If the user has privilege level 15 as the default, he is in enable mode directly after login; otherwise he would need to type "enable", which he is not allowed to do.


Users that are mapped to this shell profile can still only execute the commands you defined in your command set.

Thanks Maximilian.. but when I set default privilege 15, the user enters enable mode, but users can go into config mode as well, which ideally should not be possible.

Then try adding "Deny" "configure" "terminal" to the "PermitshowCommands" command set.
Then the user shouldn't be able to enter config mode.

Hi Maximilian.. I tried with deny as well, but no luck; it is still going into config mode.

Hi,

I just tested this with my installation.
You have to explicitly deny "configure" "terminal".
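The exchange above boils down to how the device's per-command TACACS+ authorization requests are matched against the ISE command set. The following is an added example, not code from the thread or from Cisco ISE/IOS: a simplified Python model of that matching, used to show why a "show"-only set can still let a privilege-15 user into config mode, and what the explicit "deny configure terminal" entry changes. The matching rules are an assumption made for illustration (entries evaluated in order, first match wins, the Arguments field treated as a regex over the rest of the line, unmatched commands decided by the set's "permit any command not listed" option); the command set names and the sample commands are constructed. One further caveat from the posted IOS config: it has `aaa authorization commands` method lists for levels 0, 1 and 15 only, so a user landed at privilege 7 by the shell profile would have level-7 commands run without any authorization request to ISE; with a default privilege of 15, as recommended above, every command goes through the level-15 list and ISE sees it.

```python
"""Simplified model of TACACS+ command authorization against an ISE-style
command set.  Added illustration; not Cisco ISE or IOS code.

Assumptions (real ISE precedence rules may differ):
  * entries are evaluated in order and the first matching entry decides;
  * the Arguments field is a regular expression over the remaining tokens,
    and an empty Arguments field matches any arguments;
  * a command matching no entry is permitted only if the set's
    "Permit any command that is not listed below" option is on.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Entry:
    grant: str            # "permit" or "deny"
    command: str          # first token of the CLI line, e.g. "show"
    arguments: str = ""   # regex over the remaining tokens; "" = match anything


@dataclass
class CommandSet:
    name: str
    entries: List[Entry]
    permit_unlisted: bool = False   # "Permit any command that is not listed below"


def authorize(cmd_set: CommandSet, line: str) -> bool:
    """Return True if one CLI line, as the device would send it in a TACACS+
    command-authorization request, is permitted by the command set."""
    tokens = line.split()
    if not tokens:
        return True                 # empty line: nothing to authorize
    cmd, args = tokens[0], " ".join(tokens[1:])
    for entry in cmd_set.entries:
        if entry.command != cmd:
            continue
        if entry.arguments and not re.search(entry.arguments, args):
            continue
        return entry.grant == "permit"
    return cmd_set.permit_unlisted


def run_session(cmd_set: CommandSet, lines: List[str]) -> List[Tuple[str, str]]:
    """Authorize each command in turn, the way the device does per command."""
    return [(line, "PERMIT" if authorize(cmd_set, line) else "DENY") for line in lines]


# Command set as described in the thread: a single "show" permit.  Unlisted
# commands permitted (constructed to reproduce the reported symptom).
PERMIT_SHOW_LOOSE = CommandSet(
    "PermitshowCommands (permit unlisted)",
    [Entry("permit", "show")],
    permit_unlisted=True,
)

# Same set plus the explicit deny recommended in the last reply.
PERMIT_SHOW_WITH_DENY = CommandSet(
    "PermitshowCommands (explicit deny)",
    [Entry("deny", "configure", r"^terminal$"), Entry("permit", "show")],
    permit_unlisted=True,
)

# Default-deny variant: nothing but "show" is ever authorized.
PERMIT_SHOW_STRICT = CommandSet(
    "PermitshowCommands (default deny)",
    [Entry("permit", "show")],
    permit_unlisted=False,
)

# Constructed sample of what a privilege-15 read-only user might type.
SAMPLE_COMMANDS = [
    "show running-config",
    "show ip interface brief",
    "configure terminal",
    "reload",
]


def compare() -> Dict[str, Dict[str, str]]:
    """Decision per sample command for each of the three command sets."""
    return {cs.name: dict(run_session(cs, SAMPLE_COMMANDS))
            for cs in (PERMIT_SHOW_LOOSE, PERMIT_SHOW_WITH_DENY, PERMIT_SHOW_STRICT)}


if __name__ == "__main__":
    for name, decisions in compare().items():
        print(name)
        for cmd, verdict in decisions.items():
            print(f"  {verdict:6} {cmd}")
```

Running it shows the loose set permitting "configure terminal" (and "reload"), the set with the explicit deny blocking config mode while still letting "reload" through, and the default-deny set blocking everything except "show". The last variant is the least-privilege choice for a read-only role: an explicit deny only closes the one door you thought of.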