Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1687
Views
35
Helpful
4
Replies

TACACS Command Authz on Cisco Small Business Switches: SG350 & SG500?

Go to solution
mattw
Level 1
Level 1

‎01-20-2022 02:24 AM

Hi all,

Does anyone know if it's possible to get command authorzation working with Cisco Small Business Switches (SG350 & SG500)?

It works fine with Catalyst switches using command sets in ISE and config like the below on the switches:

aaa authorization commands 15 VTY_authorization group ISE_TACACS none

However, on the SG switches, there is no option for "aaa authorization".

I know I can use TACACS profiles to allow admins to have level 15 access and read-only users to only have level 1 access but I was hoping individual command authorization might work on these.

I suspect the answer is that it can't be done but does anyone know for absolutely sure?

Many thanks in advance,

Matt.

1 Accepted Solution

Accepted Solutions

Go to solution
mattw
Level 1
Level 1
In response to balaji.bandi

‎01-20-2022 11:40 AM

Thanks again @balaji.bandi. I too read the guide but it's not 100% clear.

I'm with you in that I believe this is a limitation of a Cisco small business switch rather than a full Enterprise level switch.

Cheers,

Matt.

View solution in original post

4 Replies 4

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎01-20-2022 03:05 AM

You need to give access to Priv 15 and Limit the user to what command can only Authorised to use on that device.

 

This need to be done on Radius/TACACS side (in your case ISE)

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Go to solution
mattw
Level 1
Level 1
In response to balaji.bandi

‎01-20-2022 03:12 AM

Thank you for your response Balaji.

I am able to do this on a Catalyst switch with no issues at all.

The problem here is that the NADs are small business 'SG' switches which don't seem to support command authorization.

Do you know for sure that they do? Do you have a link or any sample config?

Thank you,

Matt.

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to mattw

‎01-20-2022 03:48 AM

Unfortunatly i do not any SMB Switches to test, i go with documentaion here : ( may be that is limitation enterprise vs SMB switches).

 

as per the admin guide check  : check page 332

 

https://www.cisco.com/c/dam/en/us/td/docs/switches/lan/csbms/sf30x_sg30x/administration_guide/78-19308-01.pdf

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Go to solution
mattw
Level 1
Level 1
In response to balaji.bandi

‎01-20-2022 11:40 AM

Thanks again @balaji.bandi. I too read the guide but it's not 100% clear.

I'm with you in that I believe this is a limitation of a Cisco small business switch rather than a full Enterprise level switch.

Cheers,

Matt.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents