01-23-2022 03:37 AM
Hi,
We are integrating a solution for integrity check, which will SSH to the devices and run the "show running-config" or any command that displays the configuration. The ISE CLI user "read-only" does not have the privilege to run the "show running-config" command and we do not want to give the user full admin privilege. Is it possible to give a CLI user privilege to run a specific command?
regards,
sohail
01-23-2022 03:47 AM
Looks like priv 1 or read-only users cannot use the commands you are looking to add.
Instead, you can uplift to priv 15, limit the user to certain commands, and add show run config to it.
Example:
01-23-2022 04:12 AM
Hello Balaji,
It's not about device administration or TACACS. I am referring to the ISE node itself. We need a user to access ISE via SSH and run "show running-config" only. The CLI user "user" does not have the privilege to run this command and we do not want to give this user "admin" privilege.
regards,
sohail
01-23-2022 05:47 AM
Hi @s.rashid ,
At the ISE CLI you are able to:
  ise/admin# configure terminal
  ise/admin# username <username> password plain <password> role user

This user will be able to:

  ise/username> ?
  Exec commands:
    crypto       Crypto operations
    exit         Exit from the EXEC
    license      License operations
    nslookup     DNS lookup for an IP address or hostname
    password     Update password
    ping         Ping a remote ip address
    ping6        Ping a remote ipv6 address
    show         Show running system information
    terminal     Set terminal line parameters
    traceroute   Trace the route to a remote ip address

and

  ise/username> show ?
    cdp          CDP show commands
    clock        Show clock information
    cpu          Display CPU information
    crypto       Display crypto information
    disks        Display disk and filesystem information
    icmp_status  Display icmp echo response configuration information
    interface    Display interface info
    inventory    Display hardware inventory information
    logins       List login history
    memory       Display memory information
    ntp          Show NTP servers
    ports        Display all processes listening on open ports
    process      Display system processes
    terminal     Display terminal configuration parameters
    timezone     Show timezone
    udi          Show udi information
    uptime       Display system uptime
    version      Show version info

In other words, no "show run".
Hope this helps !!!
01-25-2022 02:00 AM
Hi,
The RO user cannot perform a “show run” command and changing the privilege level / command authorization to any user is not possible at the moment. The only workaround is to use an admin user.
Regards,
sohail
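
The integrity check described in the opening post, sketched as an added example (not part of the thread and not Cisco code): it compares two captured "show running-config" outputs and replaces password fields with a short digest, so the stored baseline still detects credential changes without holding the hashes. The sample captures, the "!" comment filter and the "password hash|plain" pattern are assumptions to adapt to real output.

```python
import difflib
import hashlib
import re

# Constructed sample captures; not output from a real ISE node.
BASELINE = """\
hostname ise
ip domain-name example.test
interface GigabitEthernet 0
  ip address 192.0.2.10 255.255.255.0
ntp server 192.0.2.1
username admin password hash $6$CONSTRUCTEDSALT$AAAA role admin
"""
CURRENT = (BASELINE.replace("ntp server 192.0.2.1", "ntp server 198.51.100.7")
           .replace("$AAAA", "$BBBB")
           + "username audit password hash $6$CONSTRUCTEDSALT$CCCC role admin\n")

IGNORE_PREFIXES = ("!",)  # assumed: comment/separator lines carry no config
SECRET_RE = re.compile(r"(password (?:hash|plain) )(\S+)")  # assumed field layout


def _mask(match):
    # Keep a short digest so a changed credential is still visible as drift.
    digest = hashlib.sha256(match.group(2).encode()).hexdigest()[:12]
    return f"{match.group(1)}<sha256:{digest}>"


def normalize(capture):
    """Return config lines with noise dropped and secret values masked."""
    lines = []
    for raw in capture.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith(IGNORE_PREFIXES):
            continue
        lines.append(SECRET_RE.sub(_mask, line))
    return lines


def fingerprint(capture):
    """SHA-256 over the normalized config, suitable for a stored baseline."""
    return hashlib.sha256("\n".join(normalize(capture)).encode()).hexdigest()


def drift(baseline, current):
    """List removed (-) and added (+) lines between two captures."""
    a, b = normalize(baseline), normalize(current)
    out = []
    matcher = difflib.SequenceMatcher(None, a, b, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag != "equal":
            out += [f"-{l}" for l in a[i1:i2]] + [f"+{l}" for l in b[j1:j2]]
    return out
```
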