Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1470
Views
5
Helpful
4
Replies

Looking for example authorization command sets for mid-privilege users

CommKeeper
Level 1
Level 1

‎02-23-2020 05:25 AM - edited ‎02-23-2020 05:26 AM

We recently started moving our devices back to TACACS authentication from RADIUS. We had this on ACS, but when we migrated to ISE it only supported RADIUS at the time. Now that we can do authorization sets again, I am curious as to what command sets you consider safe for Contractors or Junior Admins. I know this can vary by platform, but just looking for some ideas as we look to lock down these users command sets.

Labels:
0 Helpful
4 Replies 4

Sheraz.Salim
VIP Alumni
VIP Alumni

‎02-23-2020 05:34 AM

There are plenty of resource on cisco website here 

please do not forget to rate.
0 Helpful

CommKeeper
Level 1
Level 1
In response to Sheraz.Salim

‎02-23-2020 05:48 AM

Thanks for sharing this link. I do understand how to set this up, but I'm just looking for some command sets others have used for roles such as these. I did not see that type of examples in the document link outside of 'show'.

 

Example:

Junior Admin

Permitted

#show

(config)# hostname

(config-if)# switchport

(config-if)# authentication

(config-if)# dot1x

(config-if)# service-policy

Denied

(config)# ip route

(config)# interface vlan

(config)# aaa

 

...etc.etc..

 

0 Helpful

Sheraz.Salim
VIP Alumni
VIP Alumni
In response to CommKeeper

‎02-23-2020 05:54 AM

check this page it has all the required information might be helpful for you here 

please do not forget to rate.
0 Helpful

Greg Gibbs
Cisco Employee
Cisco Employee
In response to CommKeeper

‎02-23-2020 02:18 PM

TACACS+ Command Sets should be based on specific business requirements, so they are rarely "one size fits all"

 

You can find some examples in the following video, but you'll need to use the same methodology to develop your required Command Sets. You would typically want to test these extensively in a non-Prod environment as well before deploying into Production.

ISE 2.0: TACACS+ Command Authorization 

Customers Also Viewed These Support Documents