Catalyst 9800 GUI TACACS+ Command Set

Hi everybody;

Based on practical studies, Catalyst 9800 WLCs support command authorization for GUI access. Unfortunately, I am currently unable to set up the application of a defined Command Set in ISE for a user in GUI mode. Here is my configuration:

ISE side:

rezaalikhani_0-1706974521264.png

rezaalikhani_1-1706974561187.png

rezaalikhani_2-1706974674939.png

WLC side:

rezaalikhani_3-1706974889609.png

With the above configuration, when a user in the 'Helpdesks' group logs into the WLC GUI, he has the ability to perform actions equivalent to those of a user with admin privileges.

Is there any essential configuration that I may be overlooking?

Thanks

 

 

Accepted Solution

I don't think that will be supported, as you configured privilege 15 in the TACACS profile. Privilege 15 provides full access in this case; the guide mentions that any user with privilege level 1 - 14 can only view the "Monitor" tab in the WLC, and any user with privilege level 15 will be granted full admin access.

"Users with privilege level 15 and a command set that allows specific commands only are not supported. The user can still be able to execute configuration changes through the WebUI"
Configure RADIUS and TACACS+ for GUI and CLI Authentication on 9800 Wireless LAN Controllers - Cisco

 


2 Replies

Ruben Cocheno
Spotlight

@rezaalikhani 

Try to change Privilege to 1

Tag me to follow up.
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on Linkedin https://www.linkedin.com/in/rubencocheno/


 
