ISE TACACS Questions

fatalXerror
Level 5

Hi Guys,

I am deploying device admin in ISE and the plan is to have rules per privilege level (e.g. 1 - 15). I am having some concerns/issues for privilege levels 1 to 14.

For example, for privilege 1, I configured a Shell Profile with a default privilege of 1 and I configured a Command Set that only allows "show" commands. However, when I am testing it, the prompt always goes to ">", at which point I still need to do the "enable" command, and the confusing thing is that the enable secret that I configured for the user is not working.

Is there a way in device admin to set my Shell Profile to privilege 1 and set my preferred Command Set, but when I log in it goes directly to the "#" prompt and only commands configured in the Command Set are allowed for this privilege 1 user?

 

Thanks.

3 Replies

balaji.bandi
Hall of Fame

ISE TACACS device access with show commands works in a different way. If you are looking to offer more show commands, some elevated access is required; it does not work as expected with priv 1. You can give a higher privilege level and control it with commands, so the user is only able to execute those commands within the boundary of the shell profile.

Here are some references:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200208-Configure-ISE-2-0-IOS-TACACS-Authentic.html

https://ciscocustomer.lookbookhq.com/iseguidedjourney/ISE-device-admin-policy-sets?utm_campaign=ISE&utm_content=Guide&utm_source=Cisco.com-Open&utm_medium=ISE-Page-Device-Admin&pfhide=true

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help
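The pattern the reply above describes (hand the user a higher privilege level from the Shell Profile, then let the Command Set bound what they can run) only works if the IOS side sends both the EXEC request and every command to ISE. The following is an added example, not configuration from the thread or from Cisco's documentation: an IOS AAA configuration that does this. The server name, address, key and group name are placeholders, and it assumes an ISE Shell Profile with Default Privilege 15 and a Command Set that permits only `show` (with "Permit any command that is not listed below" left unchecked).

```cisco
! Added example (not from the thread). Placeholders: ISE-PSN1, 10.10.10.5, ISEkey, ISE-TACACS.
aaa new-model
!
tacacs server ISE-PSN1
 address ipv4 10.10.10.5
 key ISEkey
!
aaa group server tacacs+ ISE-TACACS
 server name ISE-PSN1
!
! Login and enable are both authenticated by ISE; local/enable secret only as fallback
! when the server group is unreachable.
aaa authentication login default group ISE-TACACS local
aaa authentication enable default group ISE-TACACS enable
!
! EXEC authorization is what applies the privilege level from the Shell Profile,
! so a priv-15 profile lands the session at "#" without typing "enable".
aaa authorization exec default group ISE-TACACS local
!
! Every command typed at these levels is sent to ISE and matched against the
! Command Set; anything not permitted returns "Command authorization failed".
aaa authorization commands 1 default group ISE-TACACS local
aaa authorization commands 15 default group ISE-TACACS local
aaa authorization config-commands
!
! Command accounting so every authorized command is logged on ISE for audit.
aaa accounting exec default start-stop group ISE-TACACS
aaa accounting commands 1 default start-stop group ISE-TACACS
aaa accounting commands 15 default start-stop group ISE-TACACS
!
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 1 default
 authorization commands 15 default
 accounting exec default
 accounting commands 1 default
 accounting commands 15 default
 transport input ssh
```

With this in place a user whose Shell Profile says priv 15 but whose Command Set permits only `show` gets the `#` prompt directly and is refused `configure terminal`, `reload` and the like by ISE rather than by the IOS privilege level. Two caveats a practitioner should check: first, `aaa authorization commands N` must exist for every privilege level you actually hand out (1 and 15 here; add the intermediate levels if the Shell Profiles use them), because a level with no command authorization line is not sent to ISE at all. Second, the `aaa authentication enable default group ...` line is what makes IOS send an enable request to ISE, where the Enable Password set on the ISE user is checked; without it, IOS validates `enable` against the local `enable secret`, so a password configured only in ISE will not work at the `>` prompt.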

Hi @balaji.bandi, thanks for the feedback. Does this mean that, by ISE device admin design, if we want to control the authorized commands the Shell Profile should always be level 15?

Thanks

Not necessarily, but priv 1 has limitations; I mean you should have a higher level of elevation to get more options.

BB
