
TACACS command set issue on ISE 2.3

I'm having trouble getting some basic commands working using TACACS+ on ISE and a custom privilege level 7.

The commands I basically want to run are:

config t
interface g1/0/1
switchport access vlan xxxx
switchport host
spanning-tree xxxxx
shut
no shut

However, I can get into interface configuration and it will take switchport but no further arguments.

Any ideas? My tacacs command set is as follows:

Permit    Command        Argument
permit    config t*
permit    interface      GigabitEthernet*
permit    interface      TenGigabitEthernet*
permit    switchport     access mode
permit    switchport     access vlan
permit    switchport     access vlan [1-4094]
permit    shut
permit    no             shut
permit    end
permit    exit
permit    logout

I've tried traditional wildcards and regex expressions but I'm missing some key information here somewhere.

The TACACS Profile sets the default priv to 7 and the maximum priv to 7.

Switch config is as follows:


aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable none
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 0 default group tacacs+ local none
aaa authorization commands 1 default group tacacs+ local none
aaa authorization commands 7 default group tacacs+ local none
aaa authorization commands 15 default group tacacs+ local none
aaa authorization config-commands
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 7 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

Any ideas?

4 Replies

Some further reading:

https://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/13860-PRIV.html

It appears that by adding the following to the switch, the commands defined in the TACACS command set now work.

 

privilege interface level 7 spanning-tree portfast
privilege interface level 7 spanning-tree
privilege interface level 7 shutdown
privilege interface level 7 switchport
privilege interface level 7 no spanning-tree portfast
privilege interface level 7 no spanning-tree
privilege interface level 7 no shutdown
privilege interface level 7 no switchport
privilege interface level 7 no
privilege configure level 7 interface
privilege exec level 7 configure terminal
privilege exec level 7 configure
privilege exec level 7 show startup-config
privilege exec level 7 show running-config
privilege exec level 7 show configuration
privilege exec level 7 show

Can anyone tell me if my understanding is correct? I was under the impression that setting the commands in the TACACS command set negated the need for these commands on the switch, or is that just for the default privilege levels 0, 1 and 15?


Did you ever discover the answer? I am running into the same thing right now, where I thought putting the commands in the command set would remove the need for setting command privilege levels on the switch.


Hi, what I found was the only solutions are to create a privilege level on the switches, say 7. Only 15, 1 and zero exist by default from what I have read. Grant this new privilege the commands you want on the switch itself. Then the TACACS command set works. Or grant the user privilege 15 and restrict the commands via the TACACS command set. So the user has privilege 15 but limited commands.

Hi there. You are absolutely correct. By default, you have Privilege Levels 0,1 and 15 with commands assigned to those particular levels (see below). When a user is assigned to a privilege level, he/she will be able to run commands at or below that privilege level:

  • privilege level 0 — Includes the disable, enable, exit, help, and logout commands.

  • privilege level 1 — Normal level on Telnet; includes all user-level commands at the router> prompt.

  • privilege level 15 — Includes all enable-level commands at the router# prompt.

In your example, by default, there are no commands that are assigned to privilege level 7. As a result, the users assigned to it will only be able to run commands that are assigned to Privilege Level 1 and 0. Thus, you have to move commands from Privilege Level 15 to Privilege level 7 (or below) in order for users assigned to Privilege Level 7 to be able to run them. For more information, you can check the following link:
https://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-control-system-tacacs-/23383-showrun.html

If you want to make things easier, you can simply utilize Privilege Level 15 and then limit the commands that those users can execute through the command sets. That way, even though a user is Privilege Level 15, he/she can only run the commands that you have explicitly permitted through AAA.

 

I hope this helps!

Thank you for rating helpful posts!
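An added example for this thread, not code from the posters, Cisco IOS or ISE: a small model of the two gates a typed command passes on the question's switch, the parser's privilege-level check that this answer describes and the "aaa authorization commands" method list that consults the question's ISE command set. The privilege table, the level-7 privilege lines and the command-set rules are constructed from the thread. Treating "*" in the Command column as a wildcard, the Argument column as an anchored regular expression and a command matching no rule as denied are assumptions about ISE, and IOS's expansion of abbreviated commands before it sends an authorization request is only approximated by prefix matching.

```python
import fnmatch
import re

# (mode, command prefix) -> lowest privilege level whose parser exposes it.
# Constructed from the thread: only levels 0, 1 and 15 exist by default, and
# the enable-level commands the question uses are assumed to sit at 15.
DEFAULT_PRIVILEGES = {
    ("exec", "show"): 1,
    ("exec", "configure"): 15,
    ("configure", "interface"): 15,
    ("interface", "switchport"): 15,
    ("interface", "spanning-tree"): 15,
    ("interface", "shutdown"): 15,
    ("interface", "no"): 15,
}

# A subset of the first reply's 'privilege <mode> level 7 <command>' lines.
LEVEL7_PRIVILEGE_LINES = [
    "privilege interface level 7 spanning-tree",
    "privilege interface level 7 shutdown",
    "privilege interface level 7 switchport",
    "privilege interface level 7 no",
    "privilege configure level 7 interface",
    "privilege exec level 7 configure",
]

# The question's ISE command set as (action, command glob, argument regex).
# Assumed semantics: '*' in the Command column is a wildcard, the Argument
# column is an anchored regex, and a command matching no rule is denied.
COMMAND_SET = [
    ("permit", "config", r"t.*"),  # the thread writes this as "config t*"
    ("permit", "interface", r"GigabitEthernet.*"),
    ("permit", "interface", r"TenGigabitEthernet.*"),
    ("permit", "switchport", r"access mode"),
    ("permit", "switchport", r"access vlan"),
    ("permit", "switchport", r"access vlan [1-4094]"),  # one digit from {0-4,9}
    ("permit", "shut", r""),
    ("permit", "no", r"shut"),
    ("permit", "end", r""),
    ("permit", "exit", r""),
    ("permit", "logout", r""),
]

# Constructed replacement rule whose argument regex really covers VLANs 1..4094.
VLAN_RULE_FIXED = ("permit", "switchport",
                   r"access vlan ([1-9]\d{0,2}|[1-3]\d{3}|40[0-8]\d|409[0-4])")


def apply_privilege_lines(table, lines):
    """Return a copy of the table with 'privilege <mode> level <n> <cmd...>' applied."""
    table = dict(table)
    for line in lines:
        _, mode, _, level, *words = line.split()
        table[(mode, " ".join(words))] = int(level)
    return table


def command_level(table, mode, cmd_line):
    """Privilege level the parser requires for a typed command: the longest table
    prefix wins, typed words may abbreviate table words, unknown commands are 15."""
    typed = cmd_line.split()
    best = None
    for (tab_mode, prefix), level in table.items():
        words = prefix.split()
        if tab_mode != mode or len(words) > len(typed):
            continue
        if all(w.startswith(t) for w, t in zip(words, typed)):
            if best is None or len(words) > best[0]:
                best = (len(words), level)
    return best[1] if best else 15


def command_set_decision(rules, cmd_line):
    """ISE side: the first rule whose command glob and argument regex match decides."""
    command, _, args = cmd_line.partition(" ")
    for action, cmd_glob, arg_regex in rules:
        if fnmatch.fnmatchcase(command, cmd_glob) and re.fullmatch(arg_regex, args):
            return action == "permit"
    return False


def authorize(cmd_line, mode, user_level, table=DEFAULT_PRIVILEGES, rules=COMMAND_SET,
              methods=("tacacs+", "local", "none"), tacacs_reachable=True):
    """Outcome for one typed command. Gate 1 is the parser: a command above the
    user's level is refused before any TACACS+ request exists, so the command set
    is never consulted. Gate 2 walks the 'aaa authorization commands' method list."""
    if command_level(table, mode, cmd_line) > user_level:
        return "parser-reject"
    for method in methods:
        if method == "tacacs+" and tacacs_reachable:
            return "permit" if command_set_decision(rules, cmd_line) else "deny"
        if method == "local":
            # Modelled as authorization by local privilege level, already satisfied.
            return "permit-local-fallback"
        if method == "none":
            return "permit-no-authorization"
    return "deny"


if __name__ == "__main__":
    level7 = apply_privilege_lines(DEFAULT_PRIVILEGES, LEVEL7_PRIVILEGE_LINES)
    print(authorize("switchport access vlan 1", "interface", 7))          # parser-reject
    print(authorize("switchport access vlan 1", "interface", 7, level7))  # permit
    print(authorize("shut", "interface", 15, tacacs_reachable=False))     # permit-local-fallback
```

Running it reproduces the thread's experience: at level 7 the parser refuses "switchport ..." before any TACACS+ request is made, so the command set in the question never gets a chance to match; the same command is permitted once the privilege lines move "switchport" to level 7, or when the user holds level 15 and the command set does the restricting. Two side points worth checking in a real deployment: the argument "[1-4094]" is a regex character class, so it accepts a single digit from 0-4 or 9 rather than VLANs 1 to 4094 (VLAN_RULE_FIXED shows a pattern that does), and the "tacacs+ local none" method list in the question's switch config means that while ISE is unreachable every command the parser accepts is permitted, which the tacacs_reachable flag makes visible.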