
ISE/Radius & Network Device Read Only

jhaddix385
Level 1

We use our ISE server as a RADIUS/TACACS server for our network devices. Can ISE be configured (and if so, how) so that users on ISE only have read-only access (show commands) on network devices registered to ISE?

Accepted Solution

paul
Level 10

You have to use TACACS to do this efficiently. You would configure the device for TACACS command authorization (in addition to authentication and accounting).

aaa authorization commands 15 default group ISE-TACACS if-authenticated

There is no need to authorize anything but level 15 commands. You should account for levels 0, 1 and 15, though, in the accounting setup:

aaa accounting commands 0 default stop-only group ISE-TACACS
aaa accounting commands 1 default stop-only group ISE-TACACS
aaa accounting commands 15 default stop-only group ISE-TACACS

Depending on your switch the TACACS syntax will be different. Once you have command authorization enabled you would configure a command set in ISE that allows the "show" command. All other level 15 commands will be denied. Tie that to your desired TACACS rule for the group of users you want to have read-only access. Set up a TACACS profile that assigns priv level 15 and max priv level 15 to the users as well.

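To make the accepted answer concrete, here is an added Python model (not from the thread or from Cisco) of how the switch and the ISE command set together decide what a read-only user may run: only privilege-15 commands are sent to ISE for authorization, ISE permits "show" and denies everything else, and accounting covers levels 0, 1 and 15. The rule model (one PERMIT rule, first match wins, "permit unlisted" unchecked) is an assumption that simplifies the real ISE command-set semantics.

```python
import re
from dataclasses import dataclass

# Derived from the device config in the accepted answer (assumed model):
# "aaa authorization commands 15 ..." -> only level 15 is authorized via ISE
AUTHORIZED_LEVELS = {15}
# the three "aaa accounting commands 0/1/15 ..." lines
ACCOUNTED_LEVELS = {0, 1, 15}


@dataclass(frozen=True)
class CommandRule:
    grant: str      # "PERMIT" or "DENY"
    command: str    # first token of the command line
    arguments: str  # regex against the rest of the line; "" matches anything


# The read-only command set from the answer: allow "show", deny the rest.
READ_ONLY_COMMAND_SET = [CommandRule("PERMIT", "show", "")]
PERMIT_UNLISTED = False  # "permit any command not listed" left unchecked (assumption)


def evaluate_command_set(command_line, rules=READ_ONLY_COMMAND_SET,
                         permit_unlisted=PERMIT_UNLISTED):
    """Decide one command line the way a TACACS+ command set would (simplified):
    the first rule whose command and argument regex match wins; otherwise
    fall back to the set's default for unlisted commands."""
    tokens = command_line.strip().split(maxsplit=1)
    if not tokens:
        return "DENY"
    cmd = tokens[0].lower()
    args = tokens[1] if len(tokens) > 1 else ""
    for rule in rules:
        if rule.command.lower() == cmd and re.fullmatch(rule.arguments or ".*", args):
            return rule.grant
    return "PERMIT" if permit_unlisted else "DENY"


def device_decision(command_line, priv_level):
    """Model of the switch side: returns (decision, sent_to_ise, accounted).
    Levels not listed in AUTHORIZED_LEVELS run without asking ISE at all,
    which is why the answer still accounts for levels 0 and 1."""
    accounted = priv_level in ACCOUNTED_LEVELS
    if priv_level not in AUTHORIZED_LEVELS:
        return ("PERMIT", False, accounted)
    return (evaluate_command_set(command_line), True, accounted)


if __name__ == "__main__":
    for line, level in [("show ip interface brief", 15), ("configure terminal", 15),
                        ("show version", 1)]:
        print(f"priv {level:>2} | {line:<25} -> {device_decision(line, level)}")
```

Because only level 15 is authorized, the accounting records for levels 0 and 1 are the only trace of what a read-only user did below enable mode, which is the reason the answer adds all three accounting lines.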

3 Replies


Is there a way to do this with RADIUS? I don't have TACACS licenses on ISE.