Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1866
Views
0
Helpful
2
Replies

TACACS - specific commands only

Go to solution
wannabCCIE
Level 1
Level 1

‎08-26-2022 07:51 AM

I would like to create a TACACS profile in ISE to allow only certain configuration commands / sub-commands.  I have most of this working - but need some assistance.  Thank you for your time.

What i'm trying to do is create a profile that allows a 'helpdesk' user to configure only EIGRP commands on the router.  I have one to allow them to show eigrp also.

Grant                   Command          Arguments

PERMIT                enable                  7

PERMIT                config*

PERMIT                exit

PERMIT                router                   eigrp

PERMIT                show                    ip eigrp*

 

I am able to verify I can only issue show ip eigrp and config t / router eigrp commands.  I can't do things like 'show clock' 'show ip ospf' 'router ospf 1' etc.  ONLY the above commands I can execute - that is working.  The issue i'm having is when I am in the eigrp process.  Say i issue "config t" then "router eigpr 10" - I can't cofigure any commands within the EIGRP process.  They are not listed in my command set - so this makes sense.  What i'd like to know is if there is an easy way to allow these EIGRP sub commands or do i really have to go in the process - type a ? to see the avaiable commands and then add the top level commands to the command set?  I'd like to think there is a much easier way to do this than that.

 

thanks again for your help.

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎08-26-2022 08:46 AM

If you like to configure eigrp process that is the only way you can do as per i know, there is no short cut if you using RBAC.

 

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ISE_admin_guide_24/m_ise_tacacs_device_admin.html

 

  • Any character in the command in the command set may be "?", which matches any individual character that must exist in the requested command

  • Any character in the command in the command set may be "*", which matches zero or more characters in the requested command

 

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200208-Configure-ISE-2-0-IOS-TACACS-Authentic.html#anc12

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

0 Helpful
2 Replies 2

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎08-26-2022 08:46 AM

If you like to configure eigrp process that is the only way you can do as per i know, there is no short cut if you using RBAC.

 

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ISE_admin_guide_24/m_ise_tacacs_device_admin.html

 

  • Any character in the command in the command set may be "?", which matches any individual character that must exist in the requested command

  • Any character in the command in the command set may be "*", which matches zero or more characters in the requested command

 

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200208-Configure-ISE-2-0-IOS-TACACS-Authentic.html#anc12

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
wannabCCIE
Level 1
Level 1
In response to balaji.bandi

‎08-26-2022 09:14 AM

Thanks for the help.  I've just configured all the EIGRP sub commands and this works.  Was just hoping there was a nice/easy way to include sub-commands.  I also found another post about interface sub-commands.  Basically asking the same thing - just for interface configuration.  Same solution.  Just have to add each sub-command to the command set.

Thanks again.

0 Helpful
Customers Also Viewed These Support Documents