02-16-2021 03:18 AM - edited 07-05-2021 01:14 PM
Hi,
We are migrating from AiroS controllers to 9800 platform.
In AirOS we used to give two types of access to Admin users using role supplied from ISE.
1.FULL
2. MONITOR
Now we want similar thing in 9800, which is IOS XE. In our environment we have a lot of OS XE devices and we have configured with command authorization in AAA configuration to customize admin access. Now if we replicate the same thing in 9800 configuration CLI is working fine. But in case of GUI access it is throwing a bunch of requests( sometime 20 show commands ) for command authorization to AAA, the moment we try to open or browse any page using HTTPS access. Page is loading very slow due to that.
Just wondering if anyone set this up already as this seems a very common requirement of customized admin access and command authorization from AAA basis user roles.
Here is the configuration for command authorization.
aaa authorization config-commands
aaa authorization commands 1 default group ISE local
aaa authorization commands 15 default group ISE local
Thanks in advance.
02-16-2021 08:44 AM
Our SE queried with wireless network business unit and told us command authorization for GUI is currently not supported.
He also added that it may be difficult to implement because the GUI uses the API to read and write config to the WLC so it's difficult to map API calls to individual commands so remains to be seen if/when they fix it and how they choose to do it.
There are 2 "feature enhancement" bugs filed for this (ignore the fact that one of them says only 2600 - it's actually for 9800 lol)
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvs94910
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu91616
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide