Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
823
Views
0
Helpful
8
Replies

TACACS command exception for device in ISE profile

Go to solution
rakesh nair
Level 1
Level 1

‎01-11-2023 12:11 PM

We are usinf Cisco ISE as TACACS server and i need to allow some commands to work on our read only profile .

Can you please let me know how can i give exception for command show cable-diagnostics tdr int Gi1/0/14 through ISE.

End user having read only access and cannot go to enable mode but need to check the outputs of this command.

Can anyone suggest

 

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎01-11-2023 12:38 PM

May be you need to elevate user to a higher priv level and restricts the commands and allow any additional command required for the user :

below example guide provide some steps and concept for your to try using test user.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200208-Configure-ISE-2-0-IOS-TACACS-Authentic.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

0 Helpful

Go to solution
rakesh nair
Level 1
Level 1
In response to Karsten Iwen

‎01-12-2023 12:49 AM

Can you tell me how to perform these steps in ISE and switch

  • Use Priv15 in the RO-Shell-Profile
  • Use a Command set that only allows the needed commands
  • Add Level15 command authorization to the switch config

View solution in original post

0 Helpful
8 Replies 8

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎01-11-2023 12:38 PM

May be you need to elevate user to a higher priv level and restricts the commands and allow any additional command required for the user :

below example guide provide some steps and concept for your to try using test user.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200208-Configure-ISE-2-0-IOS-TACACS-Authentic.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP

‎01-11-2023 12:47 PM

By default this is a Level15 command and I am not sure if we can change that. The following approach would work:

  • Use Priv15 in the RO-Shell-Profile
  • Use a Command set that only allows the needed commands
  • Add Level15 command authorization to the switch config

Perhaps someone suggests a different way to achieve this.

0 Helpful

Go to solution
rakesh nair
Level 1
Level 1
In response to Karsten Iwen

‎01-12-2023 12:49 AM

Can you tell me how to perform these steps in ISE and switch

  • Use Priv15 in the RO-Shell-Profile
  • Use a Command set that only allows the needed commands
  • Add Level15 command authorization to the switch config
0 Helpful

Go to solution
rakesh nair
Level 1
Level 1

‎01-12-2023 01:41 AM

I think creating a new shell profile with privilege 15 may help, right 

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to rakesh nair

‎01-12-2023 03:18 AM

yes that what we suggested before....test with new user ..rather mess up with exiting users.

if that works you can replicate for other user if needed more users same requirement.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to rakesh nair

‎01-12-2023 03:22 AM

please update us last status 

0 Helpful

Go to solution
rakesh nair
Level 1
Level 1
In response to MHM Cisco World

‎01-12-2023 04:24 AM

I have created another user and gave him priv 15 shell profile with conf terminal deny and it worked

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to rakesh nair

‎01-12-2023 06:02 AM

Good stuf...thank you for the feedback and marked as solution...

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful
Customers Also Viewed These Support Documents