NWJ
Beginner

TACACS with HTTP Authentication - Cisco 9800

Hi All,

I've recently added TACACS to web UI authentication, but it seems I can only have two privilege levels:

Level 1 - Can only view the monitoring tab, no config settings or troubleshooting.

Level 15 - Can view all and make changes.

Is there a way I can have a mix of the two, i.e. you are able to view all config settings but you cannot commit any changes without being elevated?

We'd achieved this on AireOS with 8540 WLCs, where you could view all tabs in the GUI but could not commit any changes or enter some sub-areas for configuration.

Any help would be appreciated.

Accepted Solution

Scott Fella
Hall of Fame Guru

I don't believe this is possible for IOS in general and HTTP. In AireOS you can define the roles, and in IOS you define the privilege. Maybe have them learn the CLI, where you can allow certain commands, and give them read-only to the GUI.

-Scott
*** Please rate helpful posts ***

4 Replies

balaji.bandi
VIP Master

I am still playing with the Cat 9800 (you can give priv 15 and restrict the user using TACACS, I guess - but not tested).

Check this (sorry if this was not helpful):

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/214490-configure-radius-and-tacacs-for-gui-and.html

BB

***** Rate All Helpful Responses *****


Grendizer
Cisco Employee

We don't have the same TACACS config and results with the 9800 as we do with AireOS. With the 9800 there is a difference between the CLI and the GUI: the monitor in the GUI gives you read-only access (no difference between privileges 1 to 14), while the CLI can be different for privileges 2 to 14, as on any Cisco switch, by customization, considering the default privilege access levels (0 "CLI exec mode only, without read access and no access to the GUI", 1 "read only in both CLI and GUI", 15 "admin in both CLI and GUI").

You can also have a Lobby admin with the GUI (there is no lobby-admin concept in the CLI), and the Lobby admin can be local to the 9800 or remote through AAA.

Lobby admin local config example below (will not be able to access the CLI):

user-name lobby_admin_local
type lobby-admin
password 0 password

Lobby admin remote AAA example below (will be able to access the CLI, so it's better to give it priv 0): the GUI will only show the (Guest User) and (Allowed Users) tabs, and the lobby admin can add/delete guests and can't do anything from the CLI.

(( add Cisco-av-pair on RADIUS or TACACS: user-type=lobby-admin and shell:priv-lvl=0 ))

aaa authentication login <method-list> group radius/tacacs
aaa remote username <remote-lobby-admin>

Note: Check this enhancement, "CSCvu29748 - External lobby admin enhancement request to avoid using aaa remote command" (https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu29748); this is included in 17.3.3 and 17.5.1. So there is no need to configure "aaa remote username <remote-lobby-admin>" in the config, and the WLC can apply the lobby-admin attribute from AAA (RADIUS/TACACS). If you configure "aaa remote username <remote-lobby-admin>" with the lobby-admin attribute from AAA, then you will not be able to log in using that user from the GUI or the CLI.

NWJ
Beginner

Thanks both @Scott Fella and @Grendizer. I was trying to adopt the ISE policy sets we already have in place, but it looks like I need to build from scratch for this device.
