04-04-2018 06:31 AM - edited 02-21-2020 10:52 AM
I'm having trouble getting some basic commands working using TACACS+ ISE and a custom privilege level 7.
The commands I basically want to do are:
config t,
interface g1/0/1
switchport access vlan xxxx
switchport host
spanning-tree xxxxx
shut
no shut
However, I can get into interface configuration and it will take switchport but no further arguments.
Any ideas? My tacacs command set is as follows:
Permit Command Argument
permit config t*
permit interface GigabitEthernet*
permit interface TenGigabitEthernet*
permit switchport access mode
permit switchport access vlan
permit switchport access vlan [1-4094]
permit shut
permit no shut
permit end
permit exit
permit logout
I've tried traditional wildcards and regex expressions but I'm missing some key information here somewhere.
The TACACS Profile sets the default priv to 7 and the maximum priv to 7.
Switch config is as follows:
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable none
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 0 default group tacacs+ local none
aaa authorization commands 1 default group tacacs+ local none
aaa authorization commands 7 default group tacacs+ local none
aaa authorization commands 15 default group tacacs+ local none
aaa authorization config-commands
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 7 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
Any Ideas?
04-04-2018 07:34 AM - edited 04-05-2018 12:28 AM
Some further reading:
It appears by adding the following to the switch the commands defined in the Tacacs Command set now work.
privilege interface level 7 spanning-tree portfast
privilege interface level 7 spanning-tree
privilege interface level 7 shutdown
privilege interface level 7 switchport
privilege interface level 7 no spanning-tree portfast
privilege interface level 7 no spanning-tree
privilege interface level 7 no shutdown
privilege interface level 7 no switchport
privilege interface level 7 no
privilege configure level 7 interface
privilege exec level 7 configure terminal
privilege exec level 7 configure
privilege exec level 7 show startup-config
privilege exec level 7 show running-config
privilege exec level 7 show configuration
privilege exec level 7 show
Can anyone tell me if my understanding is correct? I was under the impression that setting the commands in the TACACS command set negated the need for these commands on the switch, or is that just for the default privilege levels 0, 1 and 15?
05-03-2018 06:35 AM
Did you ever discover the answer? I am running into the same thing right now, where I thought putting the commands in the command set would remove the need for setting command privilege levels on the switch.
05-06-2018 12:14 PM
Hi there. You are absolutely correct. By default, you have Privilege Levels 0, 1 and 15 with commands assigned to those particular levels (see below). When a user is assigned to a privilege level, he/she will be able to run commands at or below that privilege level:
privilege level 0 — Includes the disable, enable, exit, help, and logout commands.
privilege level 1 — Normal level on Telnet; includes all user-level commands at the router> prompt.
privilege level 15 — Includes all enable-level commands at the router# prompt.
In your example, by default, there are no commands that are assigned to privilege level 7. As a result, the users assigned to it will only be able to run commands that are assigned to Privilege Level 1 and 0. Thus, you have to move commands from Privilege Level 15 to Privilege level 7 (or below) in order for users assigned to Privilege Level 7 to be able to run them. For more information, you can check the following link:
https://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-control-system-tacacs-/23383-showrun.html
If you want to make things easier, you can simply utilize Privilege Level 15 and then limit the commands that those users can execute through the command sets. That way, even though a user is Privilege Level 15, he/she can only run the commands that you have explicitly permitted through AAA.
I hope this helps!
Thank you for rating helpful posts!
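To make the two-stage behaviour described in this thread concrete, here is an added simulation (not code from any poster, and not Cisco or ISE software) of what happens to the original session at privilege 7 before and after the `privilege ... level 7 ...` statements, and at privilege 15 with only the command set restricting the user. It assumes a simplified IOS model (a constructed default table in which the level-0 commands and user-level `show` exist and everything else is enable-level 15; a `privilege` statement makes that keyword path usable from the given level; the parser check happens before TACACS+ is consulted) and an ISE-style command-set model (the command keyword is matched exactly, the remainder of the line as a regex, first match wins, unlisted commands are denied). The privilege statements and the session are constructed from the ones posted above; the commands are written in their full keyword form rather than the abbreviations in the question. The VLAN rule is also written as an explicit numeric range, because `[1-4094]` as a regex is a single-character class, not the range 1 to 4094.

```python
import re
from typing import Dict, List, Tuple

# Stage 1: the IOS parser.  Constructed, simplified default levels: the
# level-0 commands and user-level "show" from the answer above; anything not
# listed (switchport, interface, configure, ...) defaults to enable level 15.
DEFAULT_LEVELS: Dict[Tuple[str, ...], int] = {
    ("exec", "disable"): 0, ("exec", "enable"): 0, ("exec", "exit"): 0,
    ("exec", "help"): 0, ("exec", "logout"): 0,
    ("exec", "show"): 1,                     # user-level show commands ...
    ("exec", "show", "running-config"): 15,  # ... but the config needs enable
    ("exec", "show", "startup-config"): 15,
}

def load_privilege_lines(config: str, base=DEFAULT_LEVELS) -> Dict[Tuple[str, ...], int]:
    """Apply 'privilege <mode> level <n> <command ...>' statements on top of the
    defaults.  Assumption: the statement makes that keyword path usable from
    level n (an already lower level is kept) - the "move commands down from 15"
    case discussed in the thread."""
    table = dict(base)
    for line in config.splitlines():
        m = re.match(r"\s*privilege\s+(\S+)\s+level\s+(\d+)\s+(.+?)\s*$", line)
        if m:
            key = (m.group(1),) + tuple(m.group(3).split())
            table[key] = min(int(m.group(2)), table.get(key, 15))
    return table

def privilege_level_of(mode: str, command: str, table) -> int:
    """Longest-prefix lookup: the most specific registered keyword path wins."""
    words = command.split()
    for n in range(len(words), 0, -1):
        level = table.get((mode,) + tuple(words[:n]))
        if level is not None:
            return level
    return 15

# Stage 2: the TACACS+ command set.  Modelled (assumption) as ISE-style rules:
# grant, command keyword matched exactly, rest of the line matched as a regex;
# first matching rule wins and anything unlisted is denied.
COMMAND_SET: List[Tuple[str, str, str]] = [
    ("permit", "configure", r"terminal"),
    ("permit", "interface", r"(GigabitEthernet|TenGigabitEthernet)\S+"),
    ("permit", "switchport", r"access vlan ([1-9]|[1-9]\d{1,2}|[1-3]\d{3}|40[0-8]\d|409[0-4])"),
    ("permit", "switchport", r"host"),
    ("permit", "spanning-tree", r"portfast"),
    ("permit", "shutdown", r""),
    ("permit", "no", r"shutdown"),
    ("permit", "end", r""),
    ("permit", "exit", r""),
]

def command_set_allows(command: str, rules=COMMAND_SET) -> bool:
    parts = command.split(maxsplit=1)
    keyword, args = parts[0], (parts[1] if len(parts) > 1 else "")
    for grant, cmd, arg_re in rules:
        if cmd == keyword and re.fullmatch(arg_re, args):
            return grant == "permit"
    return False

def authorize(mode: str, command: str, priv: int, table, rules=COMMAND_SET) -> Tuple[bool, str]:
    """Parser check first: a command the user's level cannot see is never sent
    to TACACS+ for command authorization, whatever the command set permits."""
    needed = privilege_level_of(mode, command, table)
    if needed > priv:
        return False, f"not visible: needs privilege {needed}, user has {priv}"
    if not command_set_allows(command, rules):
        return False, "denied by TACACS+ command set"
    return True, "permitted"

# Constructed subset of the privilege statements the original poster added.
PRIVILEGE_LINES = """
privilege exec level 7 configure terminal
privilege configure level 7 interface
privilege interface level 7 switchport
privilege interface level 7 spanning-tree portfast
privilege interface level 7 shutdown
privilege interface level 7 no shutdown
"""

# The session from the question, in full keyword form (constructed).
SESSION = [
    ("exec", "configure terminal"),
    ("configure", "interface GigabitEthernet1/0/1"),
    ("interface", "switchport access vlan 100"),
    ("interface", "spanning-tree portfast"),
    ("interface", "shutdown"),
    ("interface", "no shutdown"),
    ("interface", "switchport access vlan 5000"),   # outside 1-4094
    ("exec", "show running-config"),                # not in the command set
]

def run_session(priv: int, config: str = "") -> List[bool]:
    table = load_privilege_lines(config)
    return [authorize(mode, cmd, priv, table)[0] for mode, cmd in SESSION]

if __name__ == "__main__":
    for label, priv, cfg in [("priv 7, no privilege lines", 7, ""),
                             ("priv 7 + privilege lines", 7, PRIVILEGE_LINES),
                             ("priv 15, command set only", 15, "")]:
        table = load_privilege_lines(cfg)
        print(f"== {label}")
        for mode, cmd in SESSION:
            print(f"  {cmd:40} {authorize(mode, cmd, priv, table)[1]}")
```

Running it shows the three situations in the thread: at privilege 7 with no `privilege` statements every command is refused by the parser before TACACS+ is ever asked; after the statements the intended commands pass and only the out-of-range VLAN and `show running-config` are stopped, now by the command set; and at privilege 15 the same result is obtained with no `privilege` statements at all, which is the simpler arrangement the answer suggests, with the command set (and `aaa authorization config-commands` for configuration-mode commands) as the only control on what the user can run.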