Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

500
Views
5
Helpful
4
Replies
Highlighted
CommKeeper
Beginner
Beginner
‎02-23-2020 05:25 AM
‎02-23-2020 05:25 AM

Looking for example authorization command sets for mid-privilege users

We recently started moving our devices back to TACACS authentication from RADIUS. We had this on ACS, but when we migrated to ISE it only supported RADIUS at the time. Now that we can do authorization sets again, I am curious as to what command sets you consider safe for Contractors or Junior Admins. I know this can vary by platform, but just looking for some ideas as we look to lock down these users command sets.

Labels:
0 Helpful
Reply
4 REPLIES 4
Highlighted
Sheraz.Salim
VIP Advocate VIP Advocate
VIP Advocate
‎02-23-2020 05:34 AM
‎02-23-2020 05:34 AM

There are plenty of resource on cisco website here 

please do not forget to rate.
0 Helpful
Reply
Highlighted
CommKeeper
Beginner
Beginner
In response to Sheraz.Salim
‎02-23-2020 05:48 AM
‎02-23-2020 05:48 AM

Thanks for sharing this link. I do understand how to set this up, but I'm just looking for some command sets others have used for roles such as these. I did not see that type of examples in the document link outside of 'show'.

 

Example:

Junior Admin

Permitted

#show

(config)# hostname

(config-if)# switchport

(config-if)# authentication

(config-if)# dot1x

(config-if)# service-policy

Denied

(config)# ip route

(config)# interface vlan

(config)# aaa

 

...etc.etc..

 

0 Helpful
Reply
Highlighted
Sheraz.Salim
VIP Advocate VIP Advocate
VIP Advocate
In response to CommKeeper
‎02-23-2020 05:54 AM
‎02-23-2020 05:54 AM

check this page it has all the required information might be helpful for you here 

please do not forget to rate.
0 Helpful
Reply
Highlighted
Greg Gibbs
Cisco Employee
Cisco Employee
In response to CommKeeper
‎02-23-2020 02:18 PM
‎02-23-2020 02:18 PM

TACACS+ Command Sets should be based on specific business requirements, so they are rarely "one size fits all"

 

You can find some examples in the following video, but you'll need to use the same methodology to develop your required Command Sets. You would typically want to test these extensively in a non-Prod environment as well before deploying into Production.

ISE 2.0: TACACS+ Command Authorization 

Reply
Latest Contents
Dynamic manipulation of RCPT-TO in Cisco Ironport
Created by itservice-es on 02-24-2021 11:12 PM
0
0
0
0
Hello,ich have a problem with manipulating the Receipt of an email. I receive Mails for userA@domainA.com and want to "forward" it to userA@domainB.com. domainB is not in our service. I use the Add/Edit Header Function: edit-header-text("To... view more
ISE Performance & Scale
Created by howon on 02-24-2021 08:26 PM
11
214
11
214
    ISE Node Terminology PAN MNT PSN PXG Policy Administration Node Monitoring & Troubleshooting Node Policy Services Node Platform Exchange Grid Node The single plane of glass for ISE administration and configuration operatio... view more
Detecting and Responding to the SolarWinds Infrastructure At...
Created by aligarci on 02-23-2021 08:19 AM
0
5
0
5
On December 8, FireEye reported that it had been compromised in a sophisticated supply chain attack: more specifically through the SolarWinds Orion IT monitoring and management software. The attackers leveraged business software updates in order to distr... view more
Arista CloudVision WiFi Dictionary and NAD Profile for ISE I...
Created by hslai on 02-21-2021 01:59 PM
0
10
0
10
Attached are the dictionary and NAD profile as described in Arista CloudVision WiFi Integration with Cisco ISE .
Cisco Secure Endpoint Free Trial Guide
Created by E.L. Howard on 02-15-2021 07:36 PM
0
0
0
0
  About this Document Cisco Secure Endpoint (formerly AMP for Endpoints) is a comprehensive Endpoint Security solution designed to function both as a stand-alone tool, and as a part of the architecture of natively integrated Cisco and 3rd par... view more
Content for Community-Ad