ISE 2.2 command authorization based on submode

Chun-Taek Park
Cisco Employee

Hi Expert

I am testing ISE 2.2 Device Admin (TACACS+) with the Nexus platform.

I want to apply command authorization based on sub command mode per account (identity).

Below is an example of what I want to do.

Goal Summary

  • Only restrict the 'shutdown' command in interface config mode, not BGP config mode, per account (identity).
  • Basically, if I define a deny for the 'shutdown' command in a command set, this command set is applied to all command modes like interface, BGP, etc., but I want to restrict this command only in interface sub command mode.

Example

  • restrict 'shutdown' command on interface config mode
  • permit 'shutdown' command on BGP config mode

NX-OS(config)# interface ethernet 1/1

NX-OS(config-if)# shutdown                         ==> restrict

NX-OS(config-if)# exit

NX-OS(config)# router bgp 65001

NX-OS(config-router)# shutdown                  ==> permit

NX-OS(config-router)# neighbor 1.1.1.1

NX-OS(config-router-neighbor)# shutdown   ==> permit

OR

  • restrict 'shutdown' command on interface config mode, BGP process config mode
  • permit 'shutdown' command on BGP neighbor config mode

NX-OS(config)# interface ethernet 1/1

NX-OS(config-if)# shutdown                         ==> restrict

NX-OS(config-if)# exit

NX-OS(config)# router bgp 65001

NX-OS(config-router)# shutdown                  ==> restrict

NX-OS(config-router)# neighbor 1.1.1.1

NX-OS(config-router-neighbor)# shutdown   ==> permit

Do you have any idea how to do this?

Regards,
