TACACS Configuration on Cisco ISE

lnw-team
Level 1

Hello,

I've got a question regarding TACACS configuration on Cisco ISE. There's a group of network devices that consists of approximately twenty access switches, and a group of local admins (all of them authenticated with AD accounts). My goal is to create administrative access for them so that they are able to log on, enter privileged mode and execute show * commands. Apart from that, they should be able to enter configuration mode (configure terminal) and change the configuration of physical interfaces. They should not be able to perform any other change (SNMP, NTP, STP, Syslog etc.). Please let me know whether such a configuration is possible and what steps should be taken to achieve this objective.

Thank you in advance!

2 Replies

balaji.bandi
Hall of Fame

You need to do some testing for the user; make sure you do not lock yourself out.

I suggest testing with one user before rolling out to other users.

The guide below will help you with custom authorization:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200208-Configure-ISE-2-0-IOS-TACACS-Authentic.html

BB


Hello,

Thank you for your help; however, it does not solve our issue. I've tried many times with different sets of commands, but the result is pretty much the same. The users are not allowed to execute certain commands (such as "reload"), which is the desired behavior; however, they are able to execute EVERY command under "configure terminal", and our objective is to allow them to change only the interface configuration.
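The symptom in the post above (reload blocked, everything under configure terminal allowed) is what a TACACS+ command set produces when it permits "configure terminal" and then either permits unlisted commands or has no rules for the configuration-mode lines. Two things have to be true for interface-only access: the switch must send every configuration-mode line to ISE for authorization (on IOS that is `aaa authorization commands 15 default group tacacs+` together with `aaa authorization config-commands`, with the same for the lower privilege levels the users can reach), and the ISE command set must have "permit any command that is not listed" switched off with explicit permits for `configure terminal`, `interface <physical>`, the interface sub-commands and `exit`/`end`. The following is an added example, not code from the original thread or from Cisco: a small Python model of ISE command-set evaluation (rules are first-match with Deny Always overriding, plus the default for unlisted commands, which is a simplification of the real matching engine) run over a constructed session, showing a loose command set leaking `ntp` and `snmp-server` and a tightened set that allows only the interface changes. The interface-name regex and the set of permitted sub-commands are assumptions you should adjust to your switches and to the exact forms your users type (for example abbreviated interface names), since what the switch sends to ISE is what the command set sees.

```python
import re
from dataclasses import dataclass

PERMIT, DENY, DENY_ALWAYS = "PERMIT", "DENY", "DENY_ALWAYS"


@dataclass
class Rule:
    """One line of an ISE TACACS+ command set: grant, command keyword, argument regex."""
    grant: str
    command: str
    arguments: str = ""  # empty = any arguments (simplification of the ISE regex field)

    def matches(self, line: str) -> bool:
        parts = line.strip().split(None, 1)
        if not parts or parts[0] != self.command:
            return False
        args = parts[1] if len(parts) > 1 else ""
        return self.arguments == "" or re.fullmatch(self.arguments, args) is not None


@dataclass
class CommandSet:
    rules: list
    permit_unlisted: bool = False  # ISE "Permit any command that is not listed below"

    def authorize(self, line: str) -> bool:
        matched = [r for r in self.rules if r.matches(line)]
        if any(r.grant == DENY_ALWAYS for r in matched):  # Deny Always wins over any permit
            return False
        if matched:                                       # otherwise first matching rule decides
            return matched[0].grant == PERMIT
        return self.permit_unlisted                       # nothing matched: default applies


# Physical interfaces only (assumption: no Vlan/Loopback/Port-channel); tolerate "interface range".
PHYSICAL_IF = r"(range )?(FastEthernet|GigabitEthernet|TenGigabitEthernet)[0-9/, -]+"
IF_SUBCMDS = r"(shutdown|description.*|switchport.*|speed.*|duplex.*)"


def loose_set() -> CommandSet:
    """What the poster most likely has: configure terminal permitted, unlisted commands permitted."""
    return CommandSet([
        Rule(PERMIT, "show"),
        Rule(PERMIT, "configure", "terminal"),
        Rule(DENY_ALWAYS, "reload"),
    ], permit_unlisted=True)


def tight_set() -> CommandSet:
    """Interface-only change rights: every allowed line is listed, everything else is denied."""
    return CommandSet([
        Rule(PERMIT, "enable"),
        Rule(PERMIT, "show"),
        Rule(PERMIT, "configure", "terminal"),
        Rule(PERMIT, "interface", PHYSICAL_IF),
        Rule(PERMIT, "description"),
        Rule(PERMIT, "switchport"),
        Rule(PERMIT, "speed"),
        Rule(PERMIT, "duplex"),
        Rule(PERMIT, "shutdown"),
        Rule(PERMIT, "no", IF_SUBCMDS),   # "no shutdown" arrives as command "no", argument "shutdown"
        Rule(PERMIT, "exit"),
        Rule(PERMIT, "end"),
        Rule(PERMIT, "write", "memory"),
        Rule(DENY_ALWAYS, "reload"),
    ], permit_unlisted=False)


# Constructed session: the lines an admin types, and whether the poster wants them allowed.
SESSION = [
    ("enable", True),
    ("show running-config interface GigabitEthernet1/0/1", True),
    ("configure terminal", True),
    ("interface GigabitEthernet1/0/1", True),
    ("description Printer, 3rd floor", True),
    ("switchport access vlan 30", True),
    ("no shutdown", True),
    ("exit", True),
    ("ntp server 192.0.2.10", False),
    ("snmp-server community public RW", False),
    ("interface Vlan1", False),
    ("reload", False),
]


def evaluate(cmdset: CommandSet, lines) -> dict:
    """Return {line: allowed} for each line as the command set would decide it."""
    return {line: cmdset.authorize(line) for line in lines}


def leaks(cmdset: CommandSet) -> list:
    """Lines the command set allows although the session marks them as unwanted."""
    verdicts = evaluate(cmdset, [l for l, _ in SESSION])
    return [l for l, want in SESSION if not want and verdicts[l]]


if __name__ == "__main__":
    for name, cs in (("loose", loose_set()), ("tight", tight_set())):
        print(f"{name}: leaked {leaks(cs)}")
```

Test the tightened set with one AD user before rolling it out, and keep a console or local fallback (`aaa authorization commands 15 default group tacacs+ local` style) so a mistake in the regexes cannot lock you out.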