05-26-2019 12:09 AM
Hi Guys
We are running ISE 2.4.0.320, and there is some issue with TACACS's Command Set that is not being implemented for some reason.
We need clients to be able to connect to "Terminal Servers" [Cisco routers] and to run only the command "clear line". That's it, and nothing more than that.
You can see the Policy Set + Command Set attached here.
The result is that the clients can access those devices, but they have full privilege... which is very bad.
I tried to play a little with the command set and with the 'shell profile', but I'm getting only 2 results:
1. the user has full privilege on the device
2. the user can't access the device at all
Can you please assist?
Thanks in advance
Ron
05-26-2019 08:04 AM
Curious what IOS config you have on the Router. Just for reference, make sure your configuration on the Router is accurate.
As an example:
=============================================================
Router
!
ip domain-name secure-x.local
domain-name 192.168.100.72
!
hostname Router
!
crypto key gen rsa label Router mod 1024
!
interface gig3
ip address 192.168.100.231 255.255.255.0
des *****MGMT*******
no shut
!
ip access-list ext VTY-ACCESS
permit 192.168.100.0 0.0.0.255 eq ssh
!
enable sec cisco
!
username admin priv 15 password cisco
!
aaa new-model
aaa group server tacacs+ ISE
server name ISE
aaa authentication login default local
aaa authentication login CON none
aaa authentication login VTY group ISE local
aaa authentication enable default group ISE enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec CON none
aaa authorization exec VTY group ISE local if-authenticated
aaa authorization commands 1 VTY group ISE local if-authenticated
aaa authorization commands 15 VTY group ISE local if-authenticated
aaa accounting exec default start-stop group ISE
aaa accounting commands 1 default start-stop group ISE
aaa accounting commands 15 default start-stop group ISE
!
tacacs server ISE
address ipv4 192.168.100.71
key cisco
!
line con 0
exec-timeout 0 0
authorization exec CON
login authentication CON
stopbits 1
line vty 0 4
access-class VTY-ACCESS in
exec-timeout 0 0
authorization commands 1 VTY
authorization commands 15 VTY
authorization exec VTY
login authentication VTY
transport input ssh
!
tacacs server ISE
address ipv4 192.168.100.71
key cisco
!
aaa group server tacacs+ ISE
server name ISE
!
05-27-2019 12:20 AM
Hi, thanks for your reply
Here are the commands related to TACACS on my routers.
Just note, please, that until a few weeks ago we used the old ACS version, and it worked.
And also, we have the same issue with our switches: when we're trying to give clients access to run only "show" commands on our switches, it's not working either. So I suspect it's something I'm doing wrong with the "shell profile" or "command set".
Here it is:
aaa new-model
aaa group server tacacs+ ISESERVER
server 10.10.10.110
!
aaa authentication login default local group tacacs+
aaa authentication login console local
aaa authentication login login-none none
!
tacacs-server host 10.10.10.110 key SecretTopp78!
.
.
.
.
But for the "line vty 0 4" commands, it's strange...
Should I add there:
authorization commands 15 BlaBla
authorization exec privilege15
?
Should I insert commands with the name of my "shell profile" and "command set"?
1. Can you please explain?
2. From what you see in my screenshots, does it look OK?
Thanks in advance
Ron
05-28-2019 04:02 AM
You know what? I think I understand where my issue is, and now I'll ask my question differently:
Which commands should I set on my switch so that 'admins' will be able to access with priv 15, and 'clients' will be able to run only specific commands? The details are:
my tacacs server IP : 10.10.10.110
'admins' command set name : 'All Commands'
'client' command set name : 'Show Only'
The shell profile for both is called "ios", and it gives priv 15
Now,
I'm formatting my switch, and it is free from config. Which config should I set there?
Thanks a lot in advance
Ron
05-28-2019 02:50 PM
05-29-2019 12:57 AM
Hi Jason,
It's not a switching question.
It is: which AAA commands should I set on my switch in order to get the TACACS server's rules implemented?
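As an added example (not from this thread and not Cisco's own documentation), the AAA pattern from the router config posted earlier, applied to the switch details given above: server group ISESERVER at 10.10.10.110, shell profile "ios" (priv 15), and the "All Commands" / "Show Only" command sets on the ISE side. The shared key is a placeholder, and the config assumes a local priv 15 username exists for fallback.

```ios
! Added example config, not from the thread or from Cisco. Key is a placeholder.
! The posted switch config has authentication only. Without the
! "aaa authorization commands" lines below and the matching "authorization
! commands" lines under the vty lines, IOS never asks ISE whether a command is
! allowed, so the "ios" shell profile's priv 15 gives every user full access
! no matter which command set ISE has assigned.
aaa new-model
!
aaa group server tacacs+ ISESERVER
 server 10.10.10.110
!
tacacs-server host 10.10.10.110 key <SHARED-KEY-PLACEHOLDER>
!
! Login: ask ISE first; the local user is only used if ISE is unreachable.
aaa authentication login VTY group ISESERVER local
aaa authentication login CON local
!
! Exec authorization pulls the shell profile ("ios", priv 15) from ISE.
aaa authorization exec VTY group ISESERVER local if-authenticated
!
! Command authorization is what makes "All Commands" vs "Show Only" matter:
! every priv 1 and priv 15 command (and config-mode commands) is sent to ISE.
! Caveat: "if-authenticated" means that if ISE is unreachable, any user who
! already logged in passes command authorization, so keep accounting on.
aaa authorization config-commands
aaa authorization commands 1 VTY group ISESERVER local if-authenticated
aaa authorization commands 15 VTY group ISESERVER local if-authenticated
!
aaa accounting exec default start-stop group ISESERVER
aaa accounting commands 15 default start-stop group ISESERVER
!
line con 0
 login authentication CON
!
line vty 0 4
 login authentication VTY
 authorization exec VTY
 authorization commands 1 VTY
 authorization commands 15 VTY
 transport input ssh
```

With this in place, "show tacacs" and a test login from a "clients" account should show each command being sent to ISE, and anything outside the "Show Only" set (or outside "clear line" on the terminal servers) is rejected by the switch rather than silently permitted.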
05-29-2019 08:16 AM