Permit specific commands with Tacacs Commands Set and Cisco IOS

drivera_
Level 1

Hello, guys


Right now I'm trying to permit specific commands in a Catalyst switch by configuring a TACACS Command Set on ISE. Everything is good when a user logs in and tries to type any command in exec mode, because I can see only the commands I configured in the command set are being permitted. The thing is that when a user goes to configuration mode (conf t is permitted too in the TACACS command set), she can type any command in configuration mode and not only the commands I defined in the command set. For instance, I didn't permit the vlan command in the command set, but even so a user can type and use it. I read that I needed the command "aaa authorization config-commands", but even after applying this command the behaviour is still the same. I don't know if I have to do any other thing, so I'm writing here looking for help. Thank you in advance.

2 Accepted Solutions

balaji.bandi
Hall of Fame

I would revisit the config for the user and check each step: is there any higher-level option given to the user?

Check the guide example below (if the user got a different access level, you can find in the ISE logs what permission was granted and which rule set or policy matched):

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200208-Configure-ISE-2-0-IOS-TACACS-Authentic.html#anc12

BB


@drivera_ 

Sounds like it could be an authorization configuration issue. Have you configured authorization commands on the switch as per the Device Administration prescriptive guide?

https://community.cisco.com/t5/security-documents/cisco-ise-device-administration-prescriptive-deployment-guide/ta-p/3738365#toc-hId-759088769

Please provide the aaa configuration of your devices.


drivera_
Level 1

@Rob Ingram @balaji.bandi thank you so much for your help, guys. I deleted and reconfigured everything again and it worked, but this time I didn't use the default aaa list; instead I created different lists for authentication, authorization and accounting and applied them to the vty lines. I thought that when configuring the "aaa authorization config-commands" command and typing the tab key the command didn't complete itself, but I realized IOS leaves the command to autocomplete itself, and when trying to execute it, it shows the "command authorization failed" message. Thank you again.
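As an added illustration (not taken from any of the posts above), here is a named-list IOS AAA configuration of the kind the final reply describes: command authorization applied explicitly to the vty lines, plus the global `aaa authorization config-commands` that extends authorization to configuration-mode commands. The server name, group name, list names, the address 192.0.2.10 and the key placeholder are assumptions.

```cisco
! Added example, not from the thread. Names, the server address
! (192.0.2.10) and the key are placeholders to be replaced.
aaa new-model
!
tacacs server ISE-PSN1
 address ipv4 192.0.2.10
 key REPLACE_WITH_SHARED_SECRET
!
aaa group server tacacs+ ISE-TACACS
 server name ISE-PSN1
!
! Named method lists instead of the "default" lists; "local" is only
! consulted when no TACACS+ server in the group answers.
aaa authentication login VTY-AUTHC group ISE-TACACS local
aaa authorization exec VTY-AUTHZ group ISE-TACACS local
aaa authorization commands 1 VTY-CMDS group ISE-TACACS local
aaa authorization commands 15 VTY-CMDS group ISE-TACACS local
!
! Global command with no list name. Without it, only exec-mode
! commands are sent to ISE for authorization; anything typed after
! "conf t" is accepted by the switch without a command set check.
aaa authorization config-commands
!
aaa accounting commands 15 VTY-ACCT start-stop group ISE-TACACS
!
! Named lists have no effect until they are applied to the lines.
line vty 0 4
 login authentication VTY-AUTHC
 authorization exec VTY-AUTHZ
 authorization commands 1 VTY-CMDS
 authorization commands 15 VTY-CMDS
 accounting commands 15 VTY-ACCT
```

Once this is in place, each configuration-mode command should appear as its own command authorization request in the ISE TACACS+ live log, which is the check the first reply suggests for confirming which command set and policy matched.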