02-17-2021 04:20 PM
Hello, guys
Right now I'm trying to permit specific commands in a Catalyst switch by configuring a TACACS command set on ISE. Everything is good when a user logs in and tries to type any command in exec mode, because I can see only the commands I configured in the command set are being permitted. The thing is that when a user goes to configuration mode (conf t is permitted too in the TACACS command set), she can type any command in configuration mode and not only the commands I defined in the command set. For instance, I didn't permit the vlan command in the command set, but even so a user can type and use it. I read that I needed the command "aaa authorization config-commands", but even after applying this command the behaviour is still the same. I don't know if I have to do anything else, so I'm writing here looking for help. Thank you in advance.
02-17-2021 04:50 PM
I would revisit the config for the user and check each step: is there any higher-level option given to the user?
Check the guide example below. (If the user got a different access level, you can find in the ISE logs what permission was granted and what rule set or policy matched.)
02-18-2021 12:50 AM
Sounds like it could be an authorization configuration issue. Have you configured authorization commands on the switch as per the Device Administration prescriptive guide?
Please provide the aaa configuration of your devices.
02-22-2021 08:11 AM
@Rob Ingram @balaji.bandi thank you so much for your help, guys. I deleted and reconfigured everything again and it worked, but this time I didn't use the default aaa list and instead of that I created different lists for authentication, authorization and accounting and applied them to the vty lines. I thought that when configuring the "aaa authorization config-commands" command and typing the tab key the command didn't complete itself, but I realized IOS leaves the command to autocomplete itself, and when trying to execute it, it shows the "command authorization failed" message. Thank you again.
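The working layout described in the accepted answer (named method lists instead of the default list, applied to the vty lines, plus config-command authorization), written out as an added example; this is not the poster's configuration, and the server name, address, key placeholder, list names and fallback methods are assumptions.

```text
! Added example of IOS TACACS+ command authorization against ISE.
! Assumed values: server name ISE-PSN1, address 192.0.2.10, key placeholder.
aaa new-model
!
tacacs server ISE-PSN1
 address ipv4 192.0.2.10
 key REPLACE-WITH-SHARED-SECRET
!
aaa group server tacacs+ ISE-TACACS
 server name ISE-PSN1
!
! Named method lists (not "default"), as in the solution above.
aaa authentication login VTY-AUTHC group ISE-TACACS local
aaa authorization exec VTY-AUTHZ group ISE-TACACS local
! Each command at privilege 15 is sent to ISE and matched against the command set.
aaa authorization commands 15 VTY-CMD-AUTHZ group ISE-TACACS if-authenticated
! Without this line, commands typed inside "configure terminal" are not authorized.
aaa authorization config-commands
! Accounting so every authorized/denied command shows up in ISE device-admin logs.
aaa accounting exec VTY-ACCT start-stop group ISE-TACACS
aaa accounting commands 15 VTY-CMD-ACCT start-stop group ISE-TACACS
!
! A named list only takes effect on a line once it is applied there.
line vty 0 4
 login authentication VTY-AUTHC
 authorization exec VTY-AUTHZ
 authorization commands 15 VTY-CMD-AUTHZ
 accounting exec VTY-ACCT
 accounting commands 15 VTY-CMD-ACCT
 transport input ssh
```

After applying this, a denied command such as "vlan 10" in configuration mode should return "Command authorization failed" on the switch and appear as a failed command authorization in the ISE TACACS live log, which is the quickest way to confirm that config-mode commands are actually being sent to ISE.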