
Help with new TACACS user on Cisco devices

Yusef Duarte
Level 1

Hi guys, I'm starting my first job as a network administrator, and I was asked to create a TACACS+ server user with privileges only to see show* commands on the Cisco network, but it turns out that when I log in to the network I still have administrator privileges. How can I change the access level on the Cisco equipment for that user only? Indeed, since the network was already being authenticated through that TACACS+ server, the user gives access to register, but my query is more specifically: what should I do to lower the permissions of that user on the Cisco equipment, and what are the commands to create the minimum access group on Cisco equipment, since this network only had administrator users and this group is new?

2 Replies

Mathias Garcia
Level 1

It would depend on what you are using as a TACACS+ server.
But you would have to specifically allow only certain commands.
Here is a guide about doing it with ISE.
Cisco ISE - Configuring TACACS+ Authentication for Device Administration — WIRES AND WI.FI

You could probably do it with privilege levels, but that's a bit more complicated since you would have to make sure the privilege levels for the different commands are set to the right level, say 5, just something lower than 15.

It is tempting to think about using TACACS to restrict the privilege level of the new user ID. But I do not think this would satisfy the requirement specified in the original post: "user with privileges only to see show* commands". If they really mean only show commands, then I believe that using authorization for that user in the TACACS server would be the better approach.

HTH

Rick
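
Added example, not part of either reply above: the device-side IOS AAA lines that hand per-command authorization to the TACACS+ server, which is the approach both replies point to. It assumes classic IOS/IOS-XE syntax, the built-in `tacacs+` server group (the thread says login already works through TACACS+), and a server-side profile, not shown because it depends on the server product, that permits `show` and denies everything else for the new user.

```cisco
! Added example. Assumptions: classic IOS / IOS-XE CLI, TACACS+ servers
! already defined and reachable (login already works through them).
!
! Before applying: make sure every existing administrator profile on the
! TACACS+ server permits all commands. Once the lines below are active,
! the server decides every command for every user, admins included.
!
aaa new-model
!
! Let the server decide whether the user gets a shell and at which
! privilege level (the priv-lvl attribute returned by the server).
aaa authorization exec default group tacacs+ local
!
! Send each command to the server for a permit/deny decision.
! One line per privilege level in use: 1 (user EXEC) and 15 (privileged).
! "local" is the fallback method if no TACACS+ server answers.
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
! Also authorize commands typed in configuration mode, so a restricted
! user cannot change the device even if a shell at level 15 is granted.
aaa authorization config-commands
!
! Record who ran what. Accounting is separate from authorization.
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Server side (product specific, assumed, not shown here):
!   - new read-only profile: permit "show" with any arguments,
!     deny every other command
!   - assign the new user to that profile only
!
! Verification from a session logged in as the restricted user:
!   show privilege          -> level returned by the server
!   show version            -> should be permitted
!   configure terminal      -> should fail command authorization
```

Keep one session logged in with a known-good administrator account while testing, so a mistake in the server policy can be rolled back from the device.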