ISE 2.4 Command set not working

Firepowered
Level 1

I want a simple command set: permit some commands (e.g. show, dir, ping, traceroute) but deny en or enable, the intention being that the user should never get into enable mode. My command set is as follows:

[image: deny.png]

TACACS Profile

[image: tacacs profile.png]

PS: It doesn't matter what priv level I use here.

Configuration on the ASA:

aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host x.x.x.x
aaa authentication ssh console TACACS LOCAL
aaa authentication http console TACACS LOCAL
aaa authentication serial console LOCAL
aaa authorization command TACACS LOCAL
aaa accounting ssh console TACACS
aaa authorization exec authentication-server
aaa authentication login-history

I read somewhere to enable 'aaa authorization config-commands', but I don't have that command on my ASA (9.8).

What am I doing wrong?

Accepted Solution

paul
Level 10

In my opinion the concept of enable mode is a legacy concept that I haven't used in years with any of my customers. If you have command authorization enabled via TACACS it doesn't matter what mode you are in, you are authorizing and accounting for everything that is typed in. I have my customers send all users to the # prompt and then we authorize from there.


4 Replies


Thank you, this is good.

I allowed priv users to enter exec mode on login and restricted commands; this works as expected. Do you know the min / max priv level required for a user to automatically move to exec mode upon login? (1 didn't work; I moved to 5 and it worked, but that was a random choice.)

Btw, I am curious: why does the existing command set not work?

Just send everyone to priv 15 (min and max) and do command authorization. On the ASA you need to add:

aaa authorization exec authentication-server auto-enable

You had the command but didn't have the auto-enable keyword at the end.

That will allow users directly into the # prompt. I am not sure why your command set didn't work. I would have to do further analysis on that.

Thanks.

I meant to ask why the initial config for denying 'enable' after login doesn't work.
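To make the accepted answer's point concrete (with per-command authorization every typed line is checked against the command set, whichever prompt the user sits at), here is an added Python model of command-set evaluation in the style of the question's set (permit show, dir, ping, traceroute; deny enable; nothing else permitted). This is example code written for this page, not ISE's or the ASA's implementation: the rule fields (grant, command, argument regex, "permit unlisted" default) mirror how ISE command sets are laid out, but the precedence order used here (deny-always over deny over permit, then the unlisted-command default) and the sample session are assumptions for illustration; confirm matching behaviour against the ISE admin guide before relying on it.

```python
import re
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple

# Simplified model of TACACS+ command-set evaluation, laid out like an ISE
# command set (Grant / Command / Arguments rows plus a "permit any command
# that is not listed" toggle). Assumption for illustration only: deny-always
# beats deny, deny beats permit, and an unmatched command falls through to
# the default. This is not ISE code.


class Grant(Enum):
    PERMIT = "permit"
    DENY = "deny"
    DENY_ALWAYS = "deny_always"


@dataclass(frozen=True)
class Rule:
    grant: Grant
    command: str          # first word of the typed line, matched case-insensitively
    arguments: str = ""   # regex over the rest of the line; "" matches anything


@dataclass(frozen=True)
class CommandSet:
    rules: Tuple[Rule, ...]
    permit_unlisted: bool = False   # the "permit any command not listed below" box


def evaluate(cmdset: CommandSet, line: str) -> Tuple[str, str]:
    """Decide one authorization request; returns (decision, reason)."""
    parts = line.strip().split(None, 1)
    if not parts:
        return ("deny", "empty command")
    command = parts[0].lower()
    args = parts[1] if len(parts) > 1 else ""
    matched = [r for r in cmdset.rules
               if r.command.lower() == command
               and re.fullmatch(r.arguments or ".*", args)]
    # Assumed precedence: deny-always, then deny, then permit.
    for grant, decision in ((Grant.DENY_ALWAYS, "deny"),
                            (Grant.DENY, "deny"),
                            (Grant.PERMIT, "permit")):
        if any(r.grant is grant for r in matched):
            return (decision, f"matched {grant.value} rule for '{command}'")
    if cmdset.permit_unlisted:
        return ("permit", "unlisted command, default permit")
    return ("deny", "unlisted command, default deny")


def authorize_session(cmdset: CommandSet, lines: List[str]) -> List[Tuple[str, str]]:
    """Authorize every typed line in turn. The prompt (> or #) is deliberately
    not an input: with per-command authorization each line is checked the
    same way regardless of the mode the user is in."""
    return [(line, evaluate(cmdset, line)[0]) for line in lines]


# The command set from the question: permit show/dir/ping/traceroute,
# deny enable, and deny everything else by default.
QUESTION_SET = CommandSet(rules=(
    Rule(Grant.PERMIT, "show"),
    Rule(Grant.PERMIT, "dir"),
    Rule(Grant.PERMIT, "ping"),
    Rule(Grant.PERMIT, "traceroute"),
    Rule(Grant.DENY, "enable"),
))

# Variant using an argument regex: read-only 'show' except the running config.
READ_ONLY_SET = CommandSet(rules=(
    Rule(Grant.DENY_ALWAYS, "show", r"running-config.*"),
    Rule(Grant.PERMIT, "show"),
    Rule(Grant.PERMIT, "ping"),
))

# Constructed sample session (not a real capture).
SAMPLE_SESSION = [
    "show version",
    "ping 192.0.2.1",
    "enable",
    "configure terminal",
    "show running-config",
]

if __name__ == "__main__":
    for typed, decision in authorize_session(QUESTION_SET, SAMPLE_SESSION):
        print(f"{decision:6} {typed}")
```

Running it shows that `enable` and `configure terminal` are denied while `show version` and `ping 192.0.2.1` are permitted, and that the decision never depends on a mode flag: that is why sending everyone straight to the # prompt with `auto-enable` and letting the command set do the work, as the accepted answer suggests, loses no control as long as `aaa authorization command` stays in place.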
