Cisco Community
English
Register
Cisco Community will be in maintenance mode followed by read only July 8 at 8 pm ET until Tuesday, July 12 at 8 pm ET. LEARN MORE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

828
Views
5
Helpful
4
Replies
CommKeeper
Beginner
Beginner
‎02-23-2020 05:25 AM
‎02-23-2020 05:25 AM

Looking for example authorization command sets for mid-privilege users

We recently started moving our devices back to TACACS authentication from RADIUS. We had this on ACS, but when we migrated to ISE it only supported RADIUS at the time. Now that we can do authorization sets again, I am curious as to what command sets you consider safe for Contractors or Junior Admins. I know this can vary by platform, but just looking for some ideas as we look to lock down these users command sets.

Labels:
0 Helpful
4 REPLIES 4
Sheraz.Salim
VIP Advisor VIP Advisor
VIP Advisor
‎02-23-2020 05:34 AM
‎02-23-2020 05:34 AM

There are plenty of resource on cisco website here 

please do not forget to rate.
0 Helpful
CommKeeper
Beginner
Beginner
In response to Sheraz.Salim
‎02-23-2020 05:48 AM
‎02-23-2020 05:48 AM

Thanks for sharing this link. I do understand how to set this up, but I'm just looking for some command sets others have used for roles such as these. I did not see that type of examples in the document link outside of 'show'.

 

Example:

Junior Admin

Permitted

#show

(config)# hostname

(config-if)# switchport

(config-if)# authentication

(config-if)# dot1x

(config-if)# service-policy

Denied

(config)# ip route

(config)# interface vlan

(config)# aaa

 

...etc.etc..

 

0 Helpful
Sheraz.Salim
VIP Advisor VIP Advisor
VIP Advisor
In response to CommKeeper
‎02-23-2020 05:54 AM
‎02-23-2020 05:54 AM

check this page it has all the required information might be helpful for you here 

please do not forget to rate.
0 Helpful
Greg Gibbs
Cisco Employee
Cisco Employee
In response to CommKeeper
‎02-23-2020 02:18 PM
‎02-23-2020 02:18 PM

TACACS+ Command Sets should be based on specific business requirements, so they are rarely "one size fits all"

 

You can find some examples in the following video, but you'll need to use the same methodology to develop your required Command Sets. You would typically want to test these extensively in a non-Prod environment as well before deploying into Production.

ISE 2.0: TACACS+ Command Authorization 

Latest Contents
NAT Traversal NAT-T in IPSEC VPN Explained With Wireshark
Created by Meddane on 07-06-2022 09:40 PM
0
0
0
0
NAT Traversal is one of the most passionate topics in VPN IPsec technology.Through this document, we gonna inside the ESP packet using wireshark to understand NAT-T or NAT Traversal operation.  
Cisco Umbrella Intelligent Proxy and SSL Decryption implemen...
Created by Meddane on 07-06-2022 09:36 PM
0
0
0
0
Cisco Umbrella is one of the most interesting cisco security solutions. Basically, Umbrella is a cloud based solution and a big DNS Services It all starts with DNS and Precedes file execution and IP connection. Which means that Umbrella blocks malicious ... view more
Earn $100! Interview with Cisco on Network Risk, Compliance ...
Created by S Nath on 06-27-2022 01:56 PM
0
0
0
0
Are you responsible for risk management, compliance management and auditing of a network?    If so, we’d like to speak with you to learn your current processes of enforcing compliance and managing risk to help us develop services that will ... view more
Converting Cisco Secure Endpoint Connectors from Audit to Pr...
Created by Sohaib Ahmed on 06-23-2022 05:19 PM
0
0
0
0
Once you've expanded Cisco Secure Endpoint connector deployment to about 50% of your licensed count (check out this article that shows you how to do that), it's time to put those connectors to action i.e. convert them to Protect from Audit mode for vari... view more
[SURVEY CLOSED] 🧦💚 Tell us about your ZTNA journey!
Created by betswang on 06-23-2022 03:05 PM
0
15
0
15
  Hello! I’m Betsy, UX Researcher, on the Cisco+ Secure Connect Now team. Nice to meet you all .We have a short survey to learn about your Zero Trust Network Access (ZTNA) journey. Whether you have, plan to, or have not implemented a ... view more
Ask a Question
Create
+ Discussion
+ Blog
+ Document
+ Video
+ Project Story
Find more resources
Discussions
Blogs
Documents
Events
Videos
Project Gallery
New Community Member Guide
Related support document topics
Recognize Your Peers
Spotlight Award Nomination
Content for Community-Ad

ISE Webinars

Miss a previous ISE webinar?
Never miss one again!

CiscoISE on YouTube