View Cart
0 Items | Total: US$0.00
Welcome,      Register

You are here

SEC0206 - ISE 2.0 TACACS+ Device Admin with Command Authorization (Part 1)

Rating: 
5
Average: 5 (1 vote)
Difficulty Level: 
0
Lab Document: 
<Please login to see the content>
The video continues from our previous lab on Cisco ISE 2.0 TACACS+. We will demonstrate an extended usage of shell privilege, and support for command authorization. We will attempt to enforce various privilege level and allowed command sets to both local and AD users. We will test our configuration on Cisco switch and ASA.
 
Part 1 of this video covers policy configuration on ISE
 
Topic:
  • TACACS+ Shell Privileges and Command Authorization
  • Shell Profile
  • Command Set
  • Authorization Policy
  • Switch and ASA Authorization

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.

2 comments

Hi Metha,
Please could you explain the difference BTW the Max privilege and the default privilege.?

Also, I can seee that command set is enough, so can we only configure the command set only and will be enough OR we should configure the shell profile also.

BR

Default privilege is the privilege user get immediately after a successful login. Max privilege determines the highest privilege level a user can elevate themselves using 'enable command.

Shell privilege determines what commands are available for the user. Without setting Shell privilege, the user will be dropped into priv 1 and will not have the whole lot of command available which make command auth somewhat irrelevant. Only after user gets to, usually, priv 15 where all commands are available, command auth can further be used to make only certain group of command usable for users. 

To answer your question, technically you do not need to set Shell Profile and just use command auth as long as it gives the result you need.