06-01-2016 05:51 AM - edited 03-10-2019 11:49 PM
Hi.. I have set up TACACS on ISE and created two AD groups (level_15 & level_7). level_15 users have full access and level_7 users should have only read (show) access.
I have given privilege 15 under the shell profile for level_15 and created another shell profile which gives privilege 7 to users under group level_7, with the command set "show".
Now level_15 group users are able to log in successfully and have priv 15 access. But this is not working for level_7 group users.
Users in this group are not able to execute show commands.
Below is the config on the IOS device.
======================================================================
aaa new-model
tacacs server ISE
address ipv4 172.16.9.12
key l@v@
aaa group server tacacs+ ISE_GROUP
server name ISE
aaa authentication login AAA group ISE_GROUP local
aaa authentication enable default group ISE_GROUP enable
aaa authorization exec AAA group ISE_GROUP local
aaa authorization commands 0 AAA group ISE_GROUP local
aaa authorization commands 1 AAA group ISE_GROUP local
aaa authorization commands 15 AAA group ISE_GROUP local
aaa authorization config-commands
line vty 0 4
login authentication AAA
authorization exec AAA
authorization commands 0 AAA
authorization commands 1 AAA
authorization commands 15 AAA
================================================================
06-03-2016 03:04 AM
Change the default privilege level in your shellprofile_read to 15.
To use, i.e., show commands, you need to be in enable mode.
If the user has privilege level 15 as default, he is in enable mode directly after login; otherwise he would need to type "enable", which he is not allowed to do.
Users that are mapped to this shell profile can still only execute the commands you defined in your command set.
06-06-2016 03:40 AM
06-06-2016 04:25 AM
Then try to add "Deny" "configure" "terminal" to the "PermitshowCommands" command set, so the user shouldn't be able to enter config mode.
06-06-2016 06:18 AM
06-12-2016 11:56 PM
Hi,
I just tested this with my installation.
You have to explicitly deny "configure" "terminal".
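To see why the explicit deny matters, here is an added, simplified model of how a TACACS+ command set like "PermitshowCommands" decides a command (this is example code, not Cisco ISE's own logic; ISE's real matching order, "Deny Always" and the "permit any command that is not listed" checkbox are only approximated, and the command sets and sample commands are constructed):

```python
import re
from dataclasses import dataclass

@dataclass
class Rule:
    grant: str              # "permit" or "deny"
    command: str            # first word of the command line, e.g. "show"
    arguments: str = ".*"   # regex matched against the rest of the line

@dataclass
class CommandSet:
    name: str
    rules: list
    permit_unlisted: bool = False   # models "permit any command not listed"

def is_permitted(cmdset: CommandSet, line: str) -> bool:
    """First matching rule wins; commands matching no rule fall back to permit_unlisted."""
    words = line.split(None, 1)
    if not words:
        return False
    cmd, args = words[0].lower(), (words[1] if len(words) > 1 else "")
    for rule in cmdset.rules:
        if rule.command.lower() == cmd and re.fullmatch(rule.arguments, args):
            return rule.grant == "permit"
    return cmdset.permit_unlisted

def audit(cmdset: CommandSet, lines) -> dict:
    """Map each sample command to its decision so a reviewer can check the set at a glance."""
    return {line: is_permitted(cmdset, line) for line in lines}

SAMPLE = ["show running-config", "show ip interface brief",
          "configure terminal", "enable", "reload"]

# Constructed: read-only set that permits only "show" but lets unlisted commands through
READ_ONLY = CommandSet("PermitshowCommands", [Rule("permit", "show")], permit_unlisted=True)
# Constructed: same set with the thread's fix, an explicit deny for "configure terminal"
READ_ONLY_FIXED = CommandSet("PermitshowCommands",
                             [Rule("deny", "configure", r"terminal.*"), Rule("permit", "show")],
                             permit_unlisted=True)
# Constructed: strict variant, nothing permitted unless listed
READ_ONLY_STRICT = CommandSet("PermitshowCommands", [Rule("permit", "show")])

if __name__ == "__main__":
    for cs in (READ_ONLY, READ_ONLY_FIXED, READ_ONLY_STRICT):
        print(cs.name, "permit_unlisted=%s" % cs.permit_unlisted, audit(cs, SAMPLE))
```

The fixed set blocks "configure terminal" but still lets "reload" through, which is why a deny-by-default set (the strict variant) is the safer read-only profile.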