ISE CLI Read-Only user

s.rashid (Level 1)

Hi,

We are integrating a solution for integrity checking, which will SSH to the devices and run "show running-config" or any command that displays the configuration. The ISE CLI "read-only" user does not have the privilege to run the "show running-config" command, and we do not want to give the user full admin privilege. Is it possible to give a CLI user the privilege to run a specific command?

 

regards,

sohail

Accepted Solution

s.rashid (Level 1)

Hi,

 

The RO user cannot perform a “show run” command and changing the privilege level / command authorization to any user is not possible at the moment. The only workaround is to use an admin user.

 

Regards,

sohail


4 Replies

balaji.bandi (Hall of Fame)

Looks like priv 1 or read-only users cannot use the commands you are looking to add.

 

Instead, you can uplift to priv 15, limit the user to certain commands, and add show run config to it.

 

Example :

 

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200208-Configure-ISE-2-0-IOS-TACACS-Authentic.html

BB


Hello Balaji,

 

It's not about device administration or TACACS. I am referring to the ISE node itself. We need a user to access ISE via SSH and run "show running-config" only. The CLI user "user" does not have the privilege to run this command, and we do not want to give this user "admin" privilege.

 

regards,

sohail

Hi @s.rashid ,

At the ISE CLI you are able to:

ise/admin# configure terminal
ise/admin(config)# username <username> password plain <password> role user

This user will be able to:

ise/username> ?
Exec commands:
crypto Crypto operations
exit Exit from the EXEC
license License operations
nslookup DNS lookup for an IP address or hostname
password Update password
ping Ping a remote ip address
ping6 Ping a remote ipv6 address
show Show running system information
terminal Set terminal line parameters
traceroute Trace the route to a remote ip address

and 

ise/username> show ?
cdp CDP show commands
clock Show clock information
cpu Display CPU information
crypto Display crypto information
disks Display disk and filesystem information
icmp_status Display icmp echo response configuration information
interface Display interface info
inventory Display hardware inventory information
logins List login history
memory Display memory information
ntp Show NTP servers
ports Display all processes listening on open ports
process Display system processes
terminal Display terminal configuration parameters
timezone Show timezone
udi Show udi information
uptime Display system uptime
version Show version info

In other words, no "show run".

 

Hope this helps!

