I would like to create a TACACS profile in ISE to allow only certain configuration commands / sub-commands. I have most of this working - but need some assistance. Thank you for your time.
What I'm trying to do is create a profile that allows a 'helpdesk' user to configure only EIGRP commands on the router. I have one to allow them to show eigrp also.
Grant   Command  Arguments
PERMIT  enable   7
PERMIT  router   eigrp
PERMIT  show     ip eigrp*
I am able to verify I can only issue show ip eigrp and config t / router eigrp commands. I can't do things like 'show clock', 'show ip ospf', 'router ospf 1', etc. ONLY the above commands I can execute - that is working. The issue I'm having is when I am in the EIGRP process. Say I issue "config t" then "router eigrp 10" - I can't configure any commands within the EIGRP process. They are not listed in my command set - so this makes sense. What I'd like to know is if there is an easy way to allow these EIGRP sub-commands, or do I really have to go in the process, type a ? to see the available commands, and then add the top-level commands to the command set? I'd like to think there is a much easier way to do this than that.
Thanks for the help. I've just configured all the EIGRP sub commands and this works. Was just hoping there was a nice/easy way to include sub-commands. I also found another post about interface sub-commands. Basically asking the same thing - just for interface configuration. Same solution. Just have to add each sub-command to the command set.