08-26-2022 07:51 AM
I would like to create a TACACS profile in ISE to allow only certain configuration commands / sub-commands. I have most of this working - but need some assistance. Thank you for your time.
What I'm trying to do is create a profile that allows a 'helpdesk' user to configure only EIGRP commands on the router. I have one to allow them to show eigrp also.
Grant Command Arguments
PERMIT enable 7
PERMIT config*
PERMIT exit
PERMIT router eigrp
PERMIT show ip eigrp*
I am able to verify I can only issue show ip eigrp and config t / router eigrp commands. I can't do things like 'show clock', 'show ip ospf', 'router ospf 1', etc. ONLY the above commands I can execute - that is working. The issue I'm having is when I am in the EIGRP process. Say I issue "config t" then "router eigrp 10" - I can't configure any commands within the EIGRP process. They are not listed in my command set - so this makes sense. What I'd like to know is if there is an easy way to allow these EIGRP sub-commands, or do I really have to go into the process, type a ? to see the available commands and then add the top-level commands to the command set? I'd like to think there is a much easier way to do this than that.
Thanks again for your help.
Accepted Solutions
08-26-2022 08:46 AM
If you would like to configure the EIGRP process, that is the only way you can do it as far as I know; there is no shortcut if you are using RBAC.
- Any character in the command in the command set may be "?", which matches any individual character that must exist in the requested command
- Any character in the command in the command set may be "*", which matches zero or more characters in the requested command
08-26-2022 09:14 AM
Thanks for the help. I've just configured all the EIGRP sub commands and this works. Was just hoping there was a nice/easy way to include sub-commands. I also found another post about interface sub-commands. Basically asking the same thing - just for interface configuration. Same solution. Just have to add each sub-command to the command set.
Thanks again.
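The wildcard rules quoted in the accepted answer, and the thread's conclusion that each sub-command needs its own entry, can be checked offline with the sketch below; it is an added example, not part of the original posts and not ISE code. Assumptions: each entry is modelled as a single pattern matched against the whole command line (ISE's separate command and argument columns are not modelled), the poster's `router eigrp` entry is written with an explicit trailing `*` so that `router eigrp 10` matches, anything unmatched is denied, and the EIGRP sub-command entries are constructed.

```python
import re

def compile_entry(pattern):
    """Translate a command-set entry into a regex.
    '?' matches exactly one character, '*' matches zero or more;
    every other character is taken literally."""
    parts = []
    for ch in pattern:
        if ch == "?":
            parts.append(".")
        elif ch == "*":
            parts.append(".*")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts))

def authorize(command_set, command_line):
    """Return 'PERMIT' if any entry matches the whole line, else 'DENY'."""
    line = " ".join(command_line.split())  # collapse repeated whitespace
    for entry in command_set:
        if compile_entry(entry).fullmatch(line):
            return "PERMIT"
    return "DENY"  # assumed default: commands not listed are denied

# Constructed from the poster's command set (see assumptions above).
HELPDESK = ["enable 7", "config*", "exit", "router eigrp*", "show ip eigrp*"]

# Constructed sub-command entries; which ones a helpdesk role should get
# is a policy decision the thread does not specify.
EIGRP_SUBCOMMANDS = ["network *", "passive-interface *"]

def report(command_set, lines):
    """Map each requested command line to its authorization result."""
    return {line: authorize(command_set, line) for line in lines}

if __name__ == "__main__":
    # Constructed session: what the helpdesk user types, in order.
    session = ["config t", "router eigrp 10", "network 10.0.0.0",
               "passive-interface Gi0/1", "router ospf 1", "show clock"]
    for name, cs in (("original set", HELPDESK),
                     ("with sub-commands", HELPDESK + EIGRP_SUBCOMMANDS)):
        print(name)
        for line, result in report(cs, session).items():
            print(f"  {result:6} {line}")
```

Running a candidate command set through a check like this before deploying it shows both gaps (needed sub-commands still denied) and over-broad wildcards (for example, `config*` matches any line that begins with `config`).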
