I would like to create a TACACS profile in ISE to allow only certain configuration commands / sub-commands. I have most of this working - but need some assistance. Thank you for your time.
What i'm trying to do is create a profile that allows a 'helpdesk' user to configure only EIGRP commands on the router. I have one to allow them to show eigrp also.
Grant Command Arguments
PERMIT enable 7
PERMIT router eigrp
PERMIT show ip eigrp*
I am able to verify I can only issue show ip eigrp and config t / router eigrp commands. I can't do things like 'show clock' 'show ip ospf' 'router ospf 1' etc. ONLY the above commands I can execute - that is working. The issue i'm having is when I am in the eigrp process. Say i issue "config t" then "router eigpr 10" - I can't cofigure any commands within the EIGRP process. They are not listed in my command set - so this makes sense. What i'd like to know is if there is an easy way to allow these EIGRP sub commands or do i really have to go in the process - type a ? to see the avaiable commands and then add the top level commands to the command set? I'd like to think there is a much easier way to do this than that.
thanks again for your help.