08-17-2021 12:03 AM
Hello,
I've got a question regarding TACACS configuration on Cisco ISE. There's a group of network devices that consists of approximately twenty access switches and a group of local admins (all of them are authenticated with an AD account). My goal is to create administrative access for them so that they are able to log on, enter privilege mode and execute show * commands. Apart from that, they should be able to enter configuration mode (configure terminal) and change the configuration of physical interfaces. They should not be able to perform any other change (SNMP, NTP, STP, Syslog etc.). Please let me know if such a configuration is possible and what steps should be taken to achieve this objective.
Thank you in advance!
08-17-2021 02:07 AM
You need to do some testing for the user; make sure you do not lock yourself out.
I suggest testing with 1 user before rolling out to other users:
The guide below helps you with custom authorization:
08-18-2021 04:03 AM
Hello,
Thank you for your help; however, it does not solve our issue. I've tried many times with a different set of commands, but the result is pretty much the same. The users are not allowed to execute certain commands (such as "reload"), which is the desired behavior; however, they are able to execute EVERY command that is under "configure terminal", and our objective is to allow them to change only interface configuration.
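As an added example that is not from this thread or from Cisco ISE itself, the following Python model of an ISE-style TACACS+ command set lets you check a candidate rule list offline against sample IOS commands before assigning it to a real user. The rule precedence (DENY_ALWAYS over PERMIT over DENY, with unlisted commands denied) and the full-match regex on the argument string are assumptions to confirm against ISE's documented behaviour.

```python
import re
from dataclasses import dataclass

# Constructed model of an ISE command set: each rule has a grant, a command keyword
# and an argument regex. Assumed precedence (not taken from the thread): DENY_ALWAYS
# beats PERMIT beats DENY, and a command matching no rule is denied unless
# "permit any command that is not listed" is switched on.
@dataclass(frozen=True)
class Rule:
    grant: str           # "PERMIT", "DENY" or "DENY_ALWAYS"
    command: str         # first token of the IOS command, e.g. "interface"
    arguments: str = ""  # regex for the rest of the line; empty matches anything

    def matches(self, line: str) -> bool:
        cmd, _, args = line.strip().partition(" ")
        if cmd.lower() != self.command.lower():
            return False
        return self.arguments == "" or re.fullmatch(self.arguments, args.strip()) is not None

# Candidate set for the access-switch admins described in the thread (constructed):
# show anything, enter config mode, touch physical interfaces only, nothing else.
SWITCH_ADMIN_RULES = [
    Rule("PERMIT", "show"),
    Rule("PERMIT", "configure", "terminal"),
    Rule("PERMIT", "interface", r"(GigabitEthernet|FastEthernet|TenGigabitEthernet)\S+"),
    Rule("PERMIT", "description"),
    Rule("PERMIT", "switchport"),
    Rule("PERMIT", "shutdown"),
    Rule("PERMIT", "no", r"(shutdown|switchport.*|description.*)"),
    Rule("PERMIT", "exit"),
    Rule("PERMIT", "end"),
    Rule("DENY_ALWAYS", "reload"),
]

def authorize(line: str, rules=SWITCH_ADMIN_RULES, permit_unlisted=False) -> bool:
    """Return True if the command line would be permitted under the assumed semantics."""
    grants = {r.grant for r in rules if r.matches(line)}
    if "DENY_ALWAYS" in grants:
        return False
    if "PERMIT" in grants:
        return True
    if "DENY" in grants:
        return False
    return permit_unlisted

def audit(lines, **kw):
    """Evaluate a whole list of commands at once; returns {command: permitted}."""
    return {l: authorize(l, **kw) for l in lines}
```

Run `audit` over the commands the admins must be able to run and the ones they must not (SNMP, NTP, STP, syslog, VLAN interfaces) before the set is attached to a real user, which is the single-user test the reply above recommends.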