Shell Authorization with Cisco ISE

Hi,

I am doing AAA with Cisco ISE. I want to assign different command sets to different users.

I have two Identity Groups: Network_Admin & Network_Support, with privilege level 15 & 1 respectively (done through Authorization Profiles).

How can I set the permitted commands for each user type? E.g., Network_Support can do show or ping commands only....

Please advise....

Regards,

Mubasher Sultan

3 Replies

Any advice please...

Thanks,

Regards,

Mubasher Sultan

vikasyad
Level 1

What you are looking for, command authorization (either on a per-user or per-group basis), is only done by the TACACS+ protocol. Unfortunately ISE does not support TACACS+, as ISE supports RADIUS; hence command authorization is not supported by ISE.

Parag Mahajan
Cisco Employee

Hi Mubashir,

I believe there is a way to pass the privilege level attribute. In ISE, create an Authorization Profile as shown, with

Advanced attribute:

Cisco:cisco-av-pair=  Shell:priv-lvl=5

See attached screenshot

Call/refer to this auth profile in the Authorization Rule for device access.

In the network device (switch) for which access needs to be configured ... allow some set of commands for privilege level 5.

It should work..

If you are not getting the expected result:

"debug radius" on the switch, and see if ISE is returning Cisco AV pair = 5 after successful authentication.
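As an added example (not from this thread or from either poster), here is the switch-side IOS configuration that pairs with an ISE Authorization Profile returning `cisco-av-pair = shell:priv-lvl=5`. The RADIUS server name, group name, IP address 192.0.2.10 and shared secret are placeholders to be replaced with the real ISE policy node values; the command list at level 5 is just the show/ping set asked about above.

```ios
! Added example, not from the thread. Placeholder values: ISE-PSN, 192.0.2.10,
! the server group name ISE and the shared secret.
aaa new-model
!
radius server ISE-PSN
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key PLACEHOLDER-SHARED-SECRET
!
aaa group server radius ISE
 server name ISE-PSN
!
! Authenticate logins against ISE, falling back to local accounts if ISE is unreachable.
aaa authentication login default group ISE local
! EXEC authorization is what consumes the shell:priv-lvl attribute ISE sends back;
! without this line the user always lands at the default level 1.
aaa authorization exec default group ISE local
aaa authorization console
!
! Move read-only commands down to privilege level 5 so a Network_Support user
! placed at priv-lvl 5 can run them. Configuration mode stays at level 15.
privilege exec level 5 show
privilege exec level 5 ping
privilege exec level 5 traceroute
!
! Verification after logging in as a Network_Support user:
!   show privilege        -> should report "Current privilege level is 5"
!   debug radius          -> look for cisco-av-pair "shell:priv-lvl=5" in the Access-Accept
```

Note that `shell:priv-lvl` only sets the EXEC level the session starts in; which commands that level may run is defined on the switch with `privilege exec level` lines, not on ISE, so the same Authorization Profile must be matched by consistent `privilege` statements on every device the users log into.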