Re: Cisco IOS/IOS-XE command vs privilege levels

russell.sage · ‎06-07-2021

I use ISE for device administration. We have created Read Only and Read/Write command profiles. Read/Write level 15.

for the read only we set the privilege level 3 and then restricted the commands that could be executed.

the dir command was permitted for read only users but when executed the system comes back as command authorization fail.

I increasing privilege levels makes no differences.

sh run can only be executed with a priv level of 15. My testing shows the same for the dir command.

Question is there a Cisco page that shows what commands can be issued at each level. My understanding was that levels 2-14 were user defined. This clearly doesn't seem to be the case.

balaji.bandi · ‎06-07-2021

best way to remidate this issue is, go higher level like priv 5 or more, and give restrict with commands is good option i see,

I know bit odd some of the command do not work until we elivate user rights for cetain commands.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

russell.sage · ‎06-07-2021

thanks for the response but I set the priv level to 14 and dir command is still not permitted.

balaji.bandi · ‎06-07-2021

what is the ISE Live Logs shows ?

Have given access or added command access.

example as below :

https://integratingit.wordpress.com/2018/05/03/configuring-ise-tacacs/

https://wrmem.net/index.php/2019/06/11/cisco-ise-configuring-tacacs-device-management/

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help