06-07-2021 03:35 AM
I use ISE for device administration. We have created Read Only and Read/Write command profiles. Read/Write level 15.
For the read only we set privilege level 3 and then restricted the commands that could be executed.
The dir command was permitted for read only users, but when executed the system comes back as command authorization fail.
Increasing privilege levels makes no difference.
sh run can only be executed with a priv level of 15. My testing shows the same for the dir command.
Question: is there a Cisco page that shows what commands can be issued at each level? My understanding was that levels 2-14 were user defined. This clearly doesn't seem to be the case.
06-07-2021 03:39 AM
The best way to remediate this issue is to go to a higher level, like priv 5 or more, and restricting with commands is a good option, I see.
I know it's a bit odd that some of the commands do not work until we elevate user rights for certain commands.
06-07-2021 03:46 AM
Thanks for the response, but I set the priv level to 14 and the dir command is still not permitted.
06-07-2021 04:02 AM
What do the ISE Live Logs show?
Have you given access or added command access?
Example as below:
https://integratingit.wordpress.com/2018/05/03/configuring-ise-tacacs/
https://wrmem.net/index.php/2019/06/11/cisco-ise-configuring-tacacs-device-management/