03-15-2019 09:38 AM - edited 02-21-2020 11:03 AM
We use our ISE server as a RADIUS/TACACS server for our network devices. Does ISE support (and if so, how) configuring users on ISE to only have read-only access (show commands) on network devices registered to ISE?
03-15-2019 12:25 PM
You have to use TACACS to do this efficiently. You would configure the device for TACACS command authorization (in addition to authentication and accounting).
aaa authorization commands 15 default group ISE-TACACS if-authenticated
There is no need to authorize anything but level 15 commands. You should account for levels 0, 1 and 15 though in the accounting setup:
aaa accounting commands 0 default stop-only group ISE-TACACS
aaa accounting commands 1 default stop-only group ISE-TACACS
aaa accounting commands 15 default stop-only group ISE-TACACS
Depending on your switch the TACACS syntax will be different. Once you have command authorization enabled you would configure a command set in ISE that allows the "show" command. All other level 15 commands will be denied. Tie that to your desired TACACS rule for the group of users you want to have read-only access. Set up a TACACS profile that assigns priv level 15 and max priv level 15 to the users as well.
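Putting the fragments above together, here is a complete IOS-side AAA configuration for ISE TACACS+ command authorization with a read-only command set. This is an added example, not the poster's configuration; the server name ISE1, the address 10.0.0.10 and the shared secret are placeholders, and the group name ISE-TACACS is taken from the thread.

```text
! Added example (not from the original post). ISE1, 10.0.0.10 and the
! shared secret are placeholders; ISE-TACACS is the group name used above.
aaa new-model
!
tacacs server ISE1
 address ipv4 10.0.0.10
 key EXAMPLE-SHARED-SECRET
!
aaa group server tacacs+ ISE-TACACS
 server name ISE1
!
! Authenticate against ISE and take the exec (shell profile) authorization
! from it; fall back to the local user database only when no ISE node answers.
aaa authentication login default group ISE-TACACS local
aaa authorization exec default group ISE-TACACS local
!
! Every level-15 command is sent to ISE for a permit/deny decision against
! the user's command set. Configuration-mode commands are covered too
! (that is the default once command authorization is on; shown explicitly).
aaa authorization commands 15 default group ISE-TACACS if-authenticated
aaa authorization config-commands
!
! Caveat: "if-authenticated" means that while no ISE node is reachable, any
! authenticated user is authorized for every command, so the read-only role
! is only enforced while ISE is up. Dropping the keyword fails closed
! (commands are denied during an ISE outage), which also affects whoever
! has to fix that outage; plan console access accordingly.
!
! Accounting for levels 0, 1 and 15 so every command, including show
! commands, is logged in the ISE TACACS accounting reports.
aaa accounting exec default start-stop group ISE-TACACS
aaa accounting commands 0 default stop-only group ISE-TACACS
aaa accounting commands 1 default stop-only group ISE-TACACS
aaa accounting commands 15 default stop-only group ISE-TACACS
!
! ISE side (GUI, summarised): a TACACS command set with one rule, grant
! PERMIT, command "show", arguments left empty (matches any show argument),
! and "Permit any command that is not listed below" unchecked, so anything
! else, e.g. "configure terminal", is denied. Pair it with a shell profile
! of Default Privilege 15 / Maximum Privilege 15 in the device-admin
! authorization rule for the read-only group. Note that a bare permit of
! "show" includes "show running-config", which reveals the device's stored
! secrets; tighten the rule's arguments if that matters for this role.
```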
06-27-2019 12:46 PM
Is there a way to do this with RADIUS? I don't have TACACS licenses on ISE.
06-27-2019 01:24 PM