02-02-2026 03:21 AM
Hi,
I try to create a full menu readonly user role for a 9800 WebUI. Privilege 1 shows only the Monitoring menu, but privilege 15 + command authorization (limited to "show *") does not work - the user is still able to do configuration changes. And I do not see any command authorization request in tacacs log.
Is there some kind of blueprint? I tried these commands.
aaa authentication login VTY_authen group dnac-network-tacacs-group local
aaa authorization exec VTY_author group dnac-network-tacacs-group local if-authenticated
aaa authorization commands 15 CMD_AUTH_LVL15 group dnac-network-tacacs-group local
!
ip http authentication aaa login-authentication VTY_authen
ip http authentication aaa exec-authorization VTY_author
ip http authentication aaa command-authorization 15 CMD_AUTH_LVL15
ip http secure-server
02-02-2026 03:46 AM
@Tobias Heisele You can't restrict to read-only with TACACS-based authentication:
Ref https://community.cisco.com/t5/wireless/catalyst-9800-gui-tacacs-command-set/m-p/5012451/highlight/true#M266247
M.
02-02-2026 04:32 AM
Hi,
@Tobias Heisele What you're trying to achieve is not possible, having a read-only user account with complete access to GUI. See section Read-Only User Restrictions from following document:
There's also a bug / NFR / enhancement request for this functionality, not yet developed:
https://bst.cisco.com/bugsearch/bug/CSCwf12569?rfs=qvlogin
Thanks,
Cristian.
02-02-2026 05:10 AM
What TACACS are you using (ISE ?)
===== Preenayamo Vasudevam =====
***** Rate All Helpful Responses *****
02-02-2026 05:30 AM
Of course. But Mark and Cristian took my last hope.
02-02-2026 12:04 PM
Did you mean you're using ISE for AAA?
===== Preenayamo Vasudevam =====
***** Rate All Helpful Responses *****
02-05-2026 07:31 AM
yes