Hi All,

I’m hoping you can help with an issue I have with TACACS Device Admin on ISE 2.1

In Device Administration > Device Admin Policy Sets , I’ve created a new policy which has:

• Status: enabled, conditions: device type – allow all device types
• An Authentication rule that checks users based on an external AD source – this works fine as indicated by the TACACS live log. Allow protocols: default device admin.
• An Authorization rule which again checks users based on an external AD group then applies the following elements with an ‘AND’ statement:
  1. Command set: permit – ping, show, traceroute commands with all arguments ( using * ). Permit ‘exit’.
     • I have not ticked the box ‘permit any command that is not listed below’, so I have not needed use a deny statement.
  2. TACACS profile: In common tasks, type ‘Shell’ only two options selected, a default and maximum priviledge both set to ‘1’.
• There are no global/local exception rules.

The TACACS live log shows that authentication passed with the intended authentication rule (checking through AD), it also shows the correct

Authorization rule being called upon (which also checks a user based on an AD group) however the only thing working from that is when a user

logs in the default priviledge is set to 1.

Commands are not restricted based on the command set and using the enable command the user can still go into priviledge level 15.

It seems somehow the Authorization rule (command set/profile) is not being utilized fully?

Essentially I just need the authorization rule to restrict the users within that specific AD group to have access to priviledge level 1, and only able to execute read only commands.

Regards

Shams