Solved: Want to enable command running-config for read only users

Chandhuru sekaran marimuthu · ‎03-21-2021

Hello Everyone,

I would I like to enable show running-configuration or Show configuration for read only users through ISE.

I am new to ISE, please help me on this.

we have two privilege in ISE, one is Full access and another is read only. Read only users unable to see running config. We need to enable this specific command. How can I do for Cisco switches.

by the way we are multi vendor network. Want to enable display current-configuration command for HP switches as well.

please help me on ISE config or any command want to configure in switches ??? Please help me. Thanks!!!

Regards,

Chandhuru

Thanks and regards, Chandhuru.M

Rich R · ‎03-21-2021

http://www.labminutes.com/sec0206_ise_20_tacacs_device_admin_command_authorization_1

https://www.cisco.com/c/en/us/support/security/identity-services-engine/products-configuration-examples-list.html

https://community.cisco.com/t5/network-access-control/command-authorization-by-ise/td-p/3577202

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

View solution in original post

balaji.bandi · ‎03-21-2021

show run is a bit tricky to achieve with read-only - it required higher privileges

i suggest to easy achieve is - user with 15 priv and lock the user to only show run command (or any other command you like (not config t)

https://bluenetsec.com/priv-level-15-with-cisco-ise/

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Chandhuru sekaran marimuthu · ‎03-21-2021

Thanks Balaji!!!

It is working for Cisco devices.

For as HP switches, if we set privilege as 15 then it didnt checking command sets. Do you have any idea for that?

Thanks and regards, Chandhuru.M

hslai · ‎03-21-2021

Chandhuru sekaran marimuthu, This thread is a dup of your other discussion Want to enable command running-config for read only users.

Please read the response from the other thread.

The example from Privilege Level 15 with Cisco ISE | Blue Network Security (bluenetsec.com) is using RADIUS and the command sets are for T+ only. Device administration is very specific to the network devices. Please consult with the admin guides or other info on the particular HP switches for available options and how to implement them.

Rich R · ‎03-21-2021

http://www.labminutes.com/sec0206_ise_20_tacacs_device_admin_command_authorization_1

https://www.cisco.com/c/en/us/support/security/identity-services-engine/products-configuration-examples-list.html

https://community.cisco.com/t5/network-access-control/command-authorization-by-ise/td-p/3577202

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

hslai · ‎03-21-2021

This appears a duplicate of Want to enable command running-config for read only users - Cisco Community