03-05-2013 01:09 AM - edited 03-10-2019 08:09 PM
Hi,
I am doing AAA with Cisco ISE. I want to assign different command sets to different users.
I have two Identity Groups: Network_Admin & Network_Support with privilege levels 15 & 1 respectively (done through Authorization Profiles).
How can I set the permitted commands for each user type? E.g., Network_Support can do the show or ping commands only....
Please advise....
Regards,
Mubasher Sultan
03-06-2013 01:39 AM
Any advice please...
Thanks,
Regards,
Mubasher Sultan
03-06-2013 03:35 AM
The command authorization you are looking for (either on a per-user or a per-group basis) is only done by the TACACS+ protocol. Unfortunately ISE does not support TACACS+, as ISE supports RADIUS; hence command authorization is not supported by ISE.
03-08-2013 04:10 AM
Hi Mubashir,
I believe there is a way to pass the privilege level attribute. In ISE, create an Authorization Profile as shown, with the
Advanced attribute:
Cisco:cisco-av-pair= Shell:priv-lvl=5
See attached screenshot
Call/refer to this auth profile in the Authorization Rule for device access.
In the Network Device (switch) for which access needs to be configured, allow some set of commands for privilege level 5.
It should work..
If you are not getting the expected result:
"debug radius" on the switch, and see if ISE is returning Cisco AV pair = 5 after successful authentication.
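The switch side of the procedure described in the reply above, as an added example that is not part of the original thread or any poster's configuration. It assumes an IOS device, an ISE policy node at the placeholder address 192.0.2.10, placeholder secrets, and an ISE Authorization Profile whose cisco-av-pair is `shell:priv-lvl=5` (IOS matches the attribute name in lowercase). The `aaa authorization exec` line is the part that is easy to miss: without it the switch ignores the priv-lvl attribute and every user lands at the default level.

```cisco
! Added example: IOS configuration that applies the privilege level returned
! by ISE and restricts what a privilege-5 user can run. Addresses, names and
! secrets are placeholders.
aaa new-model
!
radius server ISE-PSN1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret>
!
aaa group server radius ISE
 server name ISE-PSN1
!
! Authenticate logins against ISE, fall back to the local database if it is down
aaa authentication login default group ISE local
! Apply the EXEC privilege level ISE returns in shell:priv-lvl=N;
! without this line the attribute is ignored
aaa authorization exec default group ISE local if-authenticated
! Send and accept Cisco vendor-specific attributes (cisco-av-pair)
radius-server vsa send authentication
!
! Commands made available at privilege level 5 (read-only set plus ping).
! A command assigned to level 5 is no longer available to lower levels,
! so this raises these commands above the level-1 user as well.
privilege exec level 5 show ip interface brief
privilege exec level 5 show interfaces
privilege exec level 5 show ip route
privilege exec level 5 show version
privilege exec level 5 ping
!
! A level-5 secret lets a user with a lower level climb to 5 with "enable 5"
enable secret level 5 <level-5-secret>
!
line vty 0 4
 login authentication default
 authorization exec default
 transport input ssh
```

To check the result, log in as a Network_Support user and run `show privilege`; it should report level 5. If it reports level 1, run `debug radius` as the reply suggests and confirm the Access-Accept carries `cisco-av-pair = "shell:priv-lvl=5"`; a missing attribute points at the ISE authorization rule, a present attribute that is not applied points at the `aaa authorization exec` line. Note that level 1 already permits most `show` commands and a basic `ping` by default, so the custom level is only needed if the allowed set differs from that default.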