
ISE command set not working as expected

mohanconnects
Level 1

Hello,

 

I am trying out ISE device administration and wanted to restrict a user from sending the command 'username', so below is how I set the TACACS+ profile and command sets.

 

TACACS+ profile

priv-lvl=4

 

command set

[Image: commandset.png]

 

 

But when I tried to log in, the command username was passed successfully. Am I configuring it wrong? Please guide.

Below, the username command was actually sent without an AAA error.

 

nexus88# config t
Enter configuration commands, one per line. End with CNTL/Z.


nexus88(config)# username ISE
warning: password for user:ISE not set. S/he may not be able to login
user steve does not have domain access to config Mo, class aaaUser


nexus88(config)# do sh ip int brief
Error: AAA authorization failed AAA_AUTHOR_STATUS_METHOD=16(0x10)


nexus88(config)#

 

Thanks,

Mohan

 

3 Replies

Cristian Matei
VIP Alumni

Hi,

 

You did not give much info to help out. Check that both Nexus and ISE are configured properly first. Look here, in the Nexus section:

 

https://community.cisco.com/t5/security-documents/cisco-ise-device-administration-prescriptive-deployment-guide/ta-p/3738365#toc-hId-1977002717

 

Regards,

Cristian Matei.

Thanks Cristian Matei

As Cristian has mentioned, you have not provided enough information on the issue you are facing. Check the TACACS live logs to see what policy and command set are being used.

--
Please remember to select a correct answer and rate helpful posts