11-07-2017 08:20 AM - edited 02-21-2020 10:38 AM
Hello,
I have created the below tacacs command set in ISE.
When testing I am able to issue the commands conf t and exit, but I cannot run any show commands. I was intending to deny "show version" and then permit any other show commands, but for some reason all "show" commands are being denied.
I moved the permit s*w .* above the deny show v* and all worked fine. I was under the impression that, the way I have set this up in the screenshot, after issuing a "show run" it would skip past the deny show v* and be permitted by the permit s*w .*.
Can anyone see if I am making an obvious error?
Thanks
Nick
11-13-2017 04:25 PM
This discussion was continued over at the Cisco Communities Forum for ISE, and I wrote some updates there
https://communities.cisco.com/message/273751#273751
Bottom line is that the documentation is quite clear about the behaviour, but it is buried deep in the 1200-page manual. I show some examples of how it works in the Communities post.
11-07-2017 10:12 AM
I have now patched this to patch level six in the hope that it is possibly a bug. Still the same results.
11-07-2017 03:57 PM
Hi Nick
Very good question. I hadn't noticed this before. And I am keen to get a Cisco response on this. I am still on ISE 2.2 patch 2 and upgrading to ISE 2.3 patch 1 tomorrow. My experience with the TACACS functionality has been not so good - I have had issues where the PAN no longer sent the TACACS programming to the PSN nodes. I configured the he&*% out of the Policy Sets and none of it landed on the PSNs! Only after I restarted the PAN did my PSNs get programmed again.
I tried the stuff below and no matter which way around I put the sh commands, I cannot execute the logic you want. I.e. when I have it as shown below, then
show run fails
show ver fails
When I have it as follows
then
show run passes
show ver passes
How bizarre.
11-07-2017 11:45 PM
11-11-2017 06:57 PM - edited 11-11-2017 07:04 PM
Hey Nick/Arne,
Looks like ISE is not able to match "version" using the regexp v* or ve* but it works with ver*. Same with run* instead of r* or ru*.
I am not sure if this has already been documented as a defect (I will double check). In the meantime, if you edit your argument for ver* everything should work.
Best regards,
dacabrer
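The v* versus ver* behaviour described in the reply above can be reproduced with a small simulation of ordered command-set evaluation. This is an added example and not code from the thread or from Cisco ISE; it assumes that ISE evaluates the command and argument fields as unanchored regular expressions and that the first matching rule wins. The rule lists are constructed from the two show rules discussed in the thread; the permit rules for configure and exit are left out.

```python
import re

# Each rule is (grant, command_regex, argument_regex); evaluated top to bottom.
# Assumption (not confirmed on the page): patterns are unanchored regex searches
# and the first matching rule decides the outcome.
def evaluate(rules, command, argument):
    """Return 'permit' or 'deny' for the first matching rule, 'deny' if none match."""
    for grant, cmd_pattern, arg_pattern in rules:
        if re.search(cmd_pattern, command) and re.search(arg_pattern, argument):
            return grant
    return "deny"

# The original command set from the question: deny "show v*", then permit "s*w .*".
ORIGINAL_RULES = [
    ("deny", r"show", r"v*"),
    ("permit", r"s*w", r".*"),
]

# The workaround from the reply above: "ver*" instead of "v*".
WORKAROUND_RULES = [
    ("deny", r"show", r"ver*"),
    ("permit", r"s*w", r".*"),
]

# An anchored variant (constructed here as a more explicit alternative):
# "^version$" only matches the literal argument "version".
ANCHORED_RULES = [
    ("deny", r"show", r"^version$"),
    ("permit", r"s*w", r".*"),
]

def why_v_star_matches_everything(argument):
    """Show what the regex 'v*' actually matches in an argument.

    'v*' means zero or more 'v', so it matches the empty string at position 0
    of any argument, including 'run'. That is why the deny rule fires for
    every show command, not only 'show version'.
    """
    match = re.search(r"v*", argument)
    return match is not None, match.group(0)

if __name__ == "__main__":
    for rules, label in ((ORIGINAL_RULES, "original"),
                         (WORKAROUND_RULES, "ver*"),
                         (ANCHORED_RULES, "^version$")):
        for arg in ("run", "version"):
            print(f"{label:10} show {arg:8} -> {evaluate(rules, 'show', arg)}")
    print(why_v_star_matches_everything("run"))
```

With the original rules, `v*` matches the empty string inside "run", so `show run` is denied; `ver*` needs a literal "ve" and therefore passes "run" through to the permit rule, which is why the workaround behaves as wanted. The anchored form makes the intent explicit and does not rely on that side effect.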