08-26-2020 06:57 AM
Hi,
I'd really like to know what the ISE TACACS+ command set is for all interface-specific subcommands.
" Permit interface* " gets me into the interface configuration mode, but nothing within that mode. Is there a one-line command set that will include all subcommands within the interface mode? (wildcard "*" in the argument box didn't work).
Thanks
Labels: AAA
Accepted Solutions

08-26-2020 07:09 AM
Every command is treated on its own merits regardless of where you are in the configuration. ISE has no awareness of the fact that you are at the interface section. If you allow the user to go to the interface section, then you need to allow the user to issue commands:
shutdown
switchport access vlan
no shutdown
etc.
08-26-2020 07:05 AM
Grant = PERMIT; Command = Interface; Arguments = all;
Try that and test accordingly. Lastly, see section 'TACACS+ Command Sets' here: https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ISE_admin_guide_24/m_ise_tacacs_device_admin.html
08-26-2020 07:06 AM
What kind of user rights?

09-02-2020 02:45 PM
Thank you, it appears that you were correct - all commands within a command group that you want some control over need to be individually defined.
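
The behaviour described in the accepted solution, as an added example that is not part of the original thread and is not ISE's own matching logic: a simplified Python model in which every CLI line is authorized as a separate command/argument pair with no configuration-mode context. The rule format, the wildcard and regex handling, and the sample session are assumptions made for illustration.

```python
import fnmatch
import re

# Simplified model of per-command TACACS+ authorization (not ISE's engine).
# Each rule: (grant, command pattern with shell-style wildcards, argument regex).
INTERFACE_ONLY = [("PERMIT", "interface*", ".*")]

INTERFACE_WITH_SUBCOMMANDS = INTERFACE_ONLY + [
    ("PERMIT", "shutdown", ""),
    ("PERMIT", "switchport", r"access vlan \d+"),
    ("PERMIT", "no", "shutdown"),
]


def to_request(cli_line):
    """Split a CLI line into the pair the server evaluates: first word as the
    command, remaining words as its arguments. No mode information is carried."""
    words = cli_line.split()
    return words[0], " ".join(words[1:])


def authorize(command_set, cli_line):
    """First matching rule decides; a command that matches no rule is denied."""
    cmd, args = to_request(cli_line)
    for grant, cmd_pattern, arg_regex in command_set:
        if (fnmatch.fnmatchcase(cmd.lower(), cmd_pattern.lower())
                and re.fullmatch(arg_regex, args)):
            return grant == "PERMIT"
    return False


def run_session(command_set, cli_lines):
    """Evaluate each line independently of the lines before it."""
    return {line: authorize(command_set, line) for line in cli_lines}


# Constructed sample session: lines typed after entering configuration mode.
SESSION = [
    "interface GigabitEthernet1/0/1",
    "shutdown",
    "switchport access vlan 10",
    "no shutdown",
]

if __name__ == "__main__":
    for name, rules in [("interface* only", INTERFACE_ONLY),
                        ("with subcommands", INTERFACE_WITH_SUBCOMMANDS)]:
        print(name)
        for line, ok in run_session(rules, SESSION).items():
            print(f"  {'PERMIT' if ok else 'DENY  '}  {line}")
```

With only the `interface*` rule, the subcommands are denied even though the user is inside interface mode; listing each subcommand, with its arguments constrained, keeps the set least-privilege.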
