Shell Authorization with Cisco ISE

Hi,

I am doing AAA with Cisco ISE. I want to assign different command sets to different users.

I have two Identity Groups: Network_Admin & Network_Support with privilege level 15 & 1 respectively (done through Authorization Profiles).

How can I set the permitted commands for each user type? E.g., Network_Support can do the show or ping commands only....

Please advise....

Regards,

Mubasher Sultan

3 REPLIES

Any advice please...

Thanks,

Regards,

Mubasher Sultan

vikasyad
Beginner

You are looking for command authorization (either on a per-user or per-group basis), which is only done by the TACACS+ protocol. Unfortunately ISE does not support TACACS+, as ISE supports RADIUS; hence command authorization is not supported by ISE.

Parag Mahajan
Cisco Employee

Hi Mubashir,

I believe there is a way to pass the privilege level attribute. In ISE create an Authorization Profile as shown with

Advanced attribute:

Cisco:cisco-av-pair=  Shell:priv-lvl=5

See attached screenshot

Call/reference this auth profile in the Authorization Rule for device access.

In the network device (switch) for which access needs to be configured ... allow some set of commands for privilege level 5.

It should work..

If not getting the expected result:

"debug radius" on the switch, see if ISE is returning Cisco AV pair = 5 after successful authentication.
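The switch side of the privilege-level approach described in this reply, as an added example that is not part of the original thread: it assumes the ISE Authorization Profile for Network_Support returns `shell:priv-lvl=5` (and Network_Admin returns `shell:priv-lvl=15`), and uses a placeholder ISE address, server name and shared secret.

```cisco
! Added example, not from the thread. Assumed: ISE PSN at 192.0.2.10,
! server/group names "ISE-PSN"/"ISE", and a placeholder shared secret.
aaa new-model
radius server ISE-PSN
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret-placeholder>
aaa group server radius ISE
 server name ISE-PSN
aaa authentication login default group ISE local
! Exec authorization is what applies the priv-lvl ISE returns; without it
! every RADIUS user lands at level 1 regardless of the AV pair.
aaa authorization exec default group ISE local
!
! Move only the commands the support group needs down to level 5.
! Everything not listed (configure terminal, show running-config, reload,
! ...) stays at level 15, so Network_Admin (priv-lvl 15) keeps full access.
! Listing specific show commands is deliberate: "privilege exec level 5 show"
! would expose every show command, including show running-config.
privilege exec level 5 ping
privilege exec level 5 traceroute
privilege exec level 5 show version
privilege exec level 5 show interfaces
privilege exec level 5 show ip interface brief
privilege exec level 5 show logging
!
! Checks after a Network_Support user logs in:
!   show privilege   -> "Current privilege level is 5"
!   debug radius     -> the Access-Accept should carry
!                       cisco-av-pair "shell:priv-lvl=5"
```

Per-command authorization (`aaa authorization commands <level>`) is a TACACS+ feature on IOS, so with RADIUS the privilege-level mapping above is the lever available; keep the level 5 command list minimal and review it when the switch image changes, since new commands default to level 15 only if they are not children of a keyword already moved down.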
