
ISE 2.4 : Tacacs command sets not working as expected

gillessapene
Level 1

I would like to create a command set that authorizes anything but some commands, to prevent people from changing some device configuration details:

- hostname: I don't want people to change the hostname

 

I have created a command set which is applied using a device admin policy set. Unfortunately, I can still change the hostname. It is as if permitting the "conf t" command allows all the subcommands, like "hostname".

I never find the 'hostname' command in the ISE logs/reports.

Any clue?

 

 


2 Accepted Solutions


Surendra
Cisco Employee
Use the command “aaa authorization config-commands”


Here are the aaa authorization commands that are used:

aaa authorization exec default group xxx local
aaa authorization commands 0 default group xxx none
aaa authorization commands 1 default group xxx none
aaa authorization commands 15 default group xxx none

 



I misread your answer.

I have just added the command: aaa authorization config-commands

and now it works as expected. 

I am going to do more tests as I need to reject some other cli commands :)

 

Thanks a lot
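
The gap discussed in this thread can be checked for in saved device configurations. The following Python sketch is an added example, not part of the thread and not Cisco's code: it flags a config that has `aaa authorization commands <level>` lines but no `aaa authorization config-commands`. The sample configs are constructed, `aaa new-model` is included only to make them realistic, and `audit()` is a hypothetical helper name.

```python
import re

# Constructed sample configs (not from a real device). "xxx" is the
# server-group placeholder used in the thread.
BEFORE = """\
aaa new-model
aaa authorization exec default group xxx local
aaa authorization commands 0 default group xxx none
aaa authorization commands 1 default group xxx none
aaa authorization commands 15 default group xxx none
"""
AFTER = BEFORE + "aaa authorization config-commands\n"

CMD_AUTHZ = re.compile(r"^aaa authorization commands (\d+) \S+ .+$")
CFG_AUTHZ = re.compile(r"^(no )?aaa authorization config-commands$")


def audit(config_text):
    """Return (levels, config_commands_enabled, findings) for an IOS config.

    audit() is a hypothetical helper written for this example.
    """
    levels = set()
    cfg_enabled = False
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # collapse stray whitespace
        m = CMD_AUTHZ.match(line)
        if m:
            levels.add(int(m.group(1)))
            continue
        m = CFG_AUTHZ.match(line)
        if m:
            cfg_enabled = m.group(1) is None  # the "no ..." form turns it off
    findings = []
    if levels and not cfg_enabled:
        findings.append(
            "command authorization is set for privilege levels %s, but "
            "'aaa authorization config-commands' is missing: configuration-"
            "mode commands such as 'hostname' may bypass the command set"
            % ", ".join(str(n) for n in sorted(levels))
        )
    return sorted(levels), cfg_enabled, findings


if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        levels, enabled, findings = audit(cfg)
        print(name, levels, enabled, findings or "no findings")
```
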