
ISE: How to disable TACACS Command Authorization for Admin users only?

BenLora79498
Level 1

Hello everyone,

I would like to use TACACS command authorization to allow our help desk personnel to run specific show commands so that they are better able to support the network without having to always contact the network team with basic inquiries.

Currently, I have TACACS command authorization working for the help desk team and the network admin team. The Help Desk team is only allowed to run a few show commands while the network admin team is able to run any command. 

Now the issue is that when we run scripts or input a large configuration into the switches using the network admin group, the scripts take way too long to finish.

So basically I want to disable TACACS command authorization for only the network admin group, while still keeping it enabled for the help desk group. When you think about it, the network admin group is allowed to run all commands, so having TACACS command authorization enabled for this group does not provide any additional value.

NOTE: I would still want to keep accounting working for all commands input into the switches. 


Is there any way to get this done?


Thank you in advance for your assistance. 

1 Reply

Arne Bier
VIP

Hello @BenLora79498 


Does your IOS config contain an aaa authorization for specific "Enable levels"?


Device(config)#aaa authorization commands 1 default group MyTacacsGroup local
Device(config)#aaa authorization commands 15 default group MyTacacsGroup local

If so, then you should be able to switch off the aaa authorization by replacing the PrivLevel 15 admins with this

Device(config)#aaa authorization commands 15 default if-authenticated

My examples use the "default" method list, so beware if you're using more specific method lists (check your vty section).
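As an added example (not part of the thread and not Cisco's own tooling), the script below parses a constructed IOS running-config that applies the change suggested in the reply and then checks the two things the thread cares about: that a privilege level whose default-list command authorization was switched to if-authenticated still has command accounting configured, and that no vty line applies a named authorization list that would override the default list. The server name ISE-PSN-1 and the list name HELPDESK-AUTHZ are made-up placeholders; the sample config is constructed, not copied from any device.

```python
import re

# Constructed sample (not from the thread) of an IOS running-config after the
# change suggested in the reply: level-1 commands still authorized by TACACS,
# level-15 commands switched to if-authenticated, accounting kept for both.
# A named list applied under "line vty" is included to show the reply's caveat.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server tacacs+ MyTacacsGroup
 server name ISE-PSN-1
aaa authentication login default group MyTacacsGroup local
aaa authorization exec default group MyTacacsGroup local
aaa authorization commands 1 default group MyTacacsGroup local
aaa authorization commands 15 default if-authenticated
aaa authorization commands 15 HELPDESK-AUTHZ group MyTacacsGroup local
aaa accounting commands 1 default start-stop group MyTacacsGroup
aaa accounting commands 15 default start-stop group MyTacacsGroup
line vty 0 4
 authorization commands 15 HELPDESK-AUTHZ
 login authentication default
"""

# Same constructed config with the level-15 accounting line removed.
SAMPLE_CONFIG_NO_ACCT = SAMPLE_CONFIG.replace(
    "aaa accounting commands 15 default start-stop group MyTacacsGroup\n", "")

AUTHZ_RE = re.compile(r"^aaa authorization commands (\d+) (\S+) (.+)$")
ACCT_RE = re.compile(r"^aaa accounting commands (\d+) (\S+) (\S+)(?: (.+))?$")
VTY_AUTHZ_RE = re.compile(r"^ authorization commands (\d+) (\S+)$")


def parse_aaa(config):
    """Collect command authorization and accounting per (level, list name),
    plus the named authorization lists applied under 'line vty'."""
    result = {"authorization": {}, "accounting": {}, "vty_authorization": {}}
    in_vty = False
    for line in config.splitlines():
        if in_vty and line.startswith(" "):
            # Child line of a "line vty" block.
            m = VTY_AUTHZ_RE.match(line)
            if m:
                result["vty_authorization"][int(m.group(1))] = m.group(2)
            continue
        in_vty = line.startswith("line vty")
        m = AUTHZ_RE.match(line)
        if m:
            key = (int(m.group(1)), m.group(2))
            result["authorization"][key] = m.group(3).split()
            continue
        m = ACCT_RE.match(line)
        if m:
            key = (int(m.group(1)), m.group(2))
            result["accounting"][key] = m.group(3)  # start-stop / stop-only / none
    return result


def audit(config):
    """Findings a defender wants before relying on the change: a level whose
    default-list authorization no longer consults TACACS must still have
    command accounting, and a named list on a vty line overrides the default."""
    p = parse_aaa(config)
    findings = []
    for (level, list_name), methods in p["authorization"].items():
        if list_name == "default" and methods == ["if-authenticated"]:
            if (level, "default") not in p["accounting"]:
                findings.append(
                    f"level {level}: authorization is if-authenticated "
                    f"but no command accounting is configured")
    for level, list_name in p["vty_authorization"].items():
        if list_name != "default":
            findings.append(
                f"line vty applies named list {list_name} for level {level}; "
                f"the default-list setting does not apply on those lines")
            if (level, list_name) not in p["authorization"]:
                findings.append(
                    f"named list {list_name} is referenced on vty but not "
                    f"defined with 'aaa authorization commands {level} {list_name}'")
    return findings


if __name__ == "__main__":
    for name, cfg in (("with accounting", SAMPLE_CONFIG),
                      ("without accounting", SAMPLE_CONFIG_NO_ACCT)):
        print(name)
        for f in audit(cfg) or ["no findings"]:
            print("  -", f)
```

Run it against a saved `show running-config` by replacing SAMPLE_CONFIG with the file contents; the vty check is what catches the case the reply warns about, where the default method list is changed but the vty lines still point at a named list.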