08-26-2022 07:51 AM
I would like to create a TACACS profile in ISE to allow only certain configuration commands / sub-commands. I have most of this working - but need some assistance. Thank you for your time.
What I'm trying to do is create a profile that allows a 'helpdesk' user to configure only EIGRP commands on the router. I have one to allow them to show eigrp also.
Grant    Command    Arguments
PERMIT   enable     7
PERMIT   config*
PERMIT   exit
PERMIT   router     eigrp
PERMIT   show       ip eigrp*
I am able to verify I can only issue show ip eigrp and config t / router eigrp commands. I can't do things like 'show clock' 'show ip ospf' 'router ospf 1' etc. ONLY the above commands I can execute - that is working. The issue I'm having is when I am in the EIGRP process. Say I issue "config t" then "router eigrp 10" - I can't configure any commands within the EIGRP process. They are not listed in my command set - so this makes sense. What I'd like to know is if there is an easy way to allow these EIGRP sub-commands or do I really have to go in the process - type a ? to see the available commands and then add the top level commands to the command set? I'd like to think there is a much easier way to do this than that.
Thanks again for your help.
08-26-2022 08:46 AM
If you would like to configure the EIGRP process, that is the only way you can do it as far as I know; there is no shortcut if you are using RBAC.
Any character in the command in the command set may be "?", which matches any individual character that must exist in the requested command
Any character in the command in the command set may be "*", which matches zero or more characters in the requested command
08-26-2022 09:14 AM
Thanks for the help. I've just configured all the EIGRP sub commands and this works. Was just hoping there was a nice/easy way to include sub-commands. I also found another post about interface sub-commands. Basically asking the same thing - just for interface configuration. Same solution. Just have to add each sub-command to the command set.
Thanks again.
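The behaviour discussed in this thread, as a simplified model added here for illustration (it is not ISE's code and not from any poster). It assumes each typed line is authorized on its own, with the first word as the command and the rest as arguments, that an argument pattern is matched from the start of the requested arguments, and that anything unmatched is denied; the sample command lines are constructed.

```python
import re

def wildcard_to_regex(pattern, anchor_end=True):
    """Translate the two wildcards quoted above: '?' = exactly one character,
    '*' = zero or more characters. Everything else is matched literally."""
    body = "".join("." if c == "?" else ".*" if c == "*" else re.escape(c)
                   for c in pattern)
    return re.compile("^" + body + ("$" if anchor_end else ""))

def authorize(command_set, line):
    """Return the grant of the first matching entry, or DENY (assumed default)."""
    parts = line.split()
    if not parts:
        return "DENY"
    cmd, args = parts[0], " ".join(parts[1:])
    for grant, cmd_pat, arg_pat in command_set:
        # Assumption: the argument pattern only has to match from the start of
        # the arguments, which is why 'router eigrp' covers 'router eigrp 10'.
        if (wildcard_to_regex(cmd_pat).match(cmd)
                and wildcard_to_regex(arg_pat, anchor_end=False).match(args)):
            return grant
    return "DENY"

# The command set from the original post: (grant, command, arguments).
ORIGINAL_SET = [
    ("PERMIT", "enable", "7"),
    ("PERMIT", "config*", ""),
    ("PERMIT", "exit", ""),
    ("PERMIT", "router", "eigrp"),
    ("PERMIT", "show", "ip eigrp*"),
]

# The accepted fix: list each sub-command used inside the EIGRP process.
# These two entries are constructed examples, not the poster's actual list.
EXTENDED_SET = ORIGINAL_SET + [
    ("PERMIT", "network", ""),
    ("PERMIT", "passive-interface", ""),
]

def evaluate(command_set, lines):
    """Map each requested line to its PERMIT/DENY decision."""
    return {line: authorize(command_set, line) for line in lines}

if __name__ == "__main__":
    session = ["config t", "router eigrp 10", "network 10.0.0.0",
               "router ospf 1", "show clock", "show ip eigrp neighbors"]
    for name, cs in (("original", ORIGINAL_SET), ("extended", EXTENDED_SET)):
        for line, decision in evaluate(cs, session).items():
            print(f"{name:9} {decision:6} {line}")
```

In this model a request carries only the command text, so `network 10.0.0.0` is denied under the original set even after `router eigrp 10` was permitted, and is permitted only once `network` has its own entry.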