Hey.
I want to set allowed or denied commands on Juniper routers and switches while users are authenticated/authorized with Cisco ISE 3.1.
It is possible to define local "allow-commands" or "deny-commands" and use user classes locally on Juniper devices, and return only the class of the user from the ISE TACACS server to the device, so the device uses that returned class info to map the client to the local class and allows and denies the commands as defined locally on the Juniper device. But what I want is to use ISE attributes to define and return the allowed or denied commands to the Juniper devices, rather than configuring them locally on the Juniper devices. There is a link on the Juniper website explaining the attributes that need to be defined on TACACS+, but when I tried to use the syntax explained in the documents, ISE gave errors stating the values were not valid.
https://www.juniper.net/documentation/us/en/software/junos/user-access/topics/topic-map/user-access-tacacs-authentication.html
So, long story short, do you know how I can accomplish this task?
Regards.