ise 2.4 command sets for nexus access

Meuserid1979
Level 1

Hi Experts,

I was trying to configure TACACS for Nexus access using ISE 2.4. On the command sets for read-only access I only allowed a few commands for testing, but after logging in I can also use the other commands although they were not set in the TACACS command sets. Only "show int status" and "exit" were set, but other commands like "show vlan" can be executed. I can even execute "conf t". Any guide on how to configure the command sets for Nexus?

TIA,

Chris

3 Replies

Alex Pfeil
Level 7

Will this work for you? This will allow all show commands, but will not allow configuration commands. I have not tried limiting to specific commands.

[Attached screenshot: 2018-07-24 06_18_17-Identity Services Engine - Internet Explorer.png]

Hi Alex,

Thanks for the reply. Yes, I tried this and applied it for each authz as per my screenshot. There are differences when logging in as "administrator" and "readonly", but it seems like limiting the commands (for read-only access), which is applied on the command set portion of the authz, doesn't work, because I can still execute lots of commands which should be filtered by the command sets. Not sure whether it's normal Nexus behavior? Thanks

Chris

Make sure that the correct authorization commands are enabled on the Nexus device and check out the PDF of the guide available here:

https://community.cisco.com/t5/security-documents/how-to-ise-tacacs-configuration-for-cisco-nx-os-network-devices/ta-p/3631609

Thanks,

Alex
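As an added illustration of the device-side prerequisite Alex refers to (this is not configuration from the thread or from the linked guide), the NX-OS fragment below enables login authentication, per-command authorization and config-command authorization against a TACACS+ server group. The server address 192.0.2.10, the shared secret and the group name ISE-TACACS are placeholders. The symptom described in the thread, where commands outside the ISE command set still execute, is what you observe when the two `aaa authorization` lines are missing: the switch authenticates the user against ISE but never sends a per-command authorization request, so the command set is never consulted.

```text
! Added example (not from the thread): NX-OS TACACS+ command authorization.
! Replace 192.0.2.10, EXAMPLE-SHARED-SECRET and ISE-TACACS with your own values.
feature tacacs+
tacacs-server host 192.0.2.10 key EXAMPLE-SHARED-SECRET
aaa group server tacacs+ ISE-TACACS
  server 192.0.2.10
  use-vrf management
  source-interface mgmt0
! Login authentication against ISE; "local" is only used when no server answers
aaa authentication login default group ISE-TACACS local
! Without these two lines the switch authenticates the user but never asks ISE
! whether an individual exec or configuration command is permitted, so the
! ISE command sets have no effect on what the user can run.
aaa authorization commands default group ISE-TACACS local
aaa authorization config-commands default group ISE-TACACS local
! Accounting: every executed command is reported to ISE for audit
aaa accounting default group ISE-TACACS
```

After applying this, `show aaa authorization` on the switch should list the command and config-command methods pointing at the server group, and a login with the read-only account should be rejected on any command not matched by the ISE command set; the corresponding permit and deny entries then appear in the ISE TACACS authorization live log.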