TACACS command exception for device in ISE profile

rakesh nair
Level 1

We are using Cisco ISE as the TACACS server and I need to allow some commands to work on our read-only profile.

Can you please let me know how I can give an exception for the command show cable-diagnostics tdr int Gi1/0/14 through ISE?

The end user has read-only access and cannot go to enable mode, but needs to check the output of this command.

Can anyone suggest?

 


8 Replies

balaji.bandi
Hall of Fame

Maybe you need to elevate the user to a higher priv level, restrict the commands, and allow any additional command required for the user:

The example guide below provides some steps and concepts for you to try using a test user.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200208-Configure-ISE-2-0-IOS-TACACS-Authentic.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

By default this is a Level15 command and I am not sure if we can change that. The following approach would work:

  • Use Priv15 in the RO-Shell-Profile
  • Use a Command set that only allows the needed commands
  • Add Level15 command authorization to the switch config

Perhaps someone suggests a different way to achieve this.

Can you tell me how to perform these steps in ISE and on the switch?

  • Use Priv15 in the RO-Shell-Profile
  • Use a Command set that only allows the needed commands
  • Add Level15 command authorization to the switch config
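Switch-side configuration for the three steps above, added here as an illustration (it is not from the thread or the linked Cisco guide); the server name, address, key and method-list names are placeholders. The point worth checking: a priv 15 shell profile with a configure terminal deny in the ISE Command Set only protects the switch if the switch actually sends each command to ISE for authorization, which is what the aaa authorization commands lines do.

```cisco
! Added example (not from the thread): Cisco IOS switch side for
! TACACS+ command authorization against ISE. Names and addresses are placeholders.
aaa new-model
!
! ISE policy service node acting as the TACACS+ server
tacacs server ISE-PSN-1
 address ipv4 192.0.2.10
 key <shared-secret-placeholder>
!
aaa group server tacacs+ ISE-TACACS
 server name ISE-PSN-1
!
! Login and EXEC session; the privilege level comes from the ISE shell
! profile (the priv 15 "RO-Shell-Profile" discussed above), so the user
! never has to type enable.
aaa authentication login VTY-AUTH group ISE-TACACS local
aaa authorization exec VTY-AUTHZ group ISE-TACACS local
!
! Command authorization. Without these lines a priv 15 user can run ANY
! command and the ISE Command Set is never consulted. Level 1 covers the
! ordinary show commands, level 15 covers enable-mode commands such as
! "show cable-diagnostics tdr", and config-commands sends every line typed
! in configuration mode to ISE as well (on by default, restated for clarity).
! "local" is the fallback used only when no ISE node answers.
aaa authorization commands 1 VTY-AUTHZ group ISE-TACACS local
aaa authorization commands 15 VTY-AUTHZ group ISE-TACACS local
aaa authorization config-commands
!
! Accounting so each permitted or denied command shows up in ISE reports
aaa accounting commands 1 default start-stop group ISE-TACACS
aaa accounting commands 15 default start-stop group ISE-TACACS
!
! Apply the lists to the VTY lines only; console keeps local fallback
line vty 0 15
 login authentication VTY-AUTH
 authorization exec VTY-AUTHZ
 authorization commands 1 VTY-AUTHZ
 authorization commands 15 VTY-AUTHZ
```

On the ISE side the matching Command Set denies configure with argument terminal and permits the specific show commands the profile needs; leaving "Permit any command that is not listed below" unchecked keeps it an allow list. Verify with a test user that show cable-diagnostics tdr succeeds and configure terminal is rejected before assigning the profile to real users.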

rakesh nair
Level 1

I think creating a new shell profile with privilege 15 may help, right?

Yes, that is what we suggested before... test with a new user rather than messing up existing users.

If that works, you can replicate it for other users if more users have the same requirement.

 

BB


Please update us with the latest status.

I have created another user and gave him a priv 15 shell profile with conf terminal denied, and it worked.

Good stuff... thank you for the feedback, and marked as solution...

BB
