Cisco ISE - Configuring TACACS+ Limited Interface Configuration Access

In this article, we take a look at how to configure a TACACS Command Set in Cisco ISE so that non-administrator staff can run both show commands and configuration commands for certain interfaces (typically access ports).

Introduction

Sometimes in bigger networks, you want your helpdesk or non-networking staff to be able to perform simple tasks on network devices, like running “show” commands for troubleshooting purposes or changing the VLAN or description of an access port. Using a TACACS Command Set in Cisco ISE, we are going to create a limited set of good-to-have commands for this specific use case.

TACACS Command Set Example of Basic Commands

Now, everyone probably has their own idea of what kind of commands should be a part of “basic access” to network devices, so the following example is only my view of what could be considered useful for this particular use case.

We will assume that this basic access revolves around a typical Cisco Catalyst 9K switch where all the GigabitEthernet interfaces are endpoint access ports (and therefore allowed to be configured by this Command Set) and all other physical interfaces (TenGig, TweGig, etc.) are trunk/routed interfaces that should be denied configuration by the Command Set. Some light Regular Expressions (“regex”) in the Arguments column are used to accomplish this.

In addition to interface and MAC-address related “show” commands and configuration commands, I think it’s pretty useful to also permit basic troubleshooting commands such as “ping” and “traceroute”.

One thing that is kind of unfortunate is that there is no way to quickly add a bunch of commands to a Command Set all at once unless you are familiar with the ISE API, so you will probably have to input these rows of commands manually, one by one.

The complete TACACS Command Set configuration can be found below, so go ahead and create a new TACACS Command Set with a proper name, like “PermitInterfaceCommands”, and add all of the commands and arguments below to it. In some cases, the Argument column is left empty.

GRANT   COMMAND     ARGUMENT
PERMIT  show        ip interface brief
PERMIT  do-exec     sh* ip int* br*
PERMIT  show        interfaces*
PERMIT  do-exec     sh* int*
PERMIT  show        run* int* ^[Gg].*
PERMIT  do-exec     sh* run* int* ^[Gg].*
PERMIT  show        mac address-table*
PERMIT  do-exec     sh* mac ad*
PERMIT  show        vlan brief
PERMIT  do-exec     sh* vl* br*
PERMIT  show        cdp neighbors
PERMIT  do-exec     sh* cd* ne*
PERMIT  configure   terminal
DENY    interface   ^(Te|Tw|H|F).*
PERMIT  interface   ^[Gg].*
PERMIT  interface   range ^[Gg].*
PERMIT  switchport  access vlan*
PERMIT  description
DENY    shutdown    vlan*
DENY    no          shutdown vlan*
PERMIT  shutdown
PERMIT  no          shutdown
PERMIT  ping
PERMIT  do-exec     ping*
PERMIT  traceroute
PERMIT  do-exec     trace*
PERMIT  write       memory
PERMIT  do-exec     wr* me*
PERMIT  logout
PERMIT  exit
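Since the rows otherwise have to be typed into the ISE GUI one by one, here is an added example (my code, not part of the article) that turns the table text above into an ERS API body and pushes it as a new Command Set. The ERS resource path /ers/config/tacacscommandsets, the TacacsCommandSets body layout and the permitUnmatched field are taken from my reading of the ISE ERS SDK and should be checked against the API documentation for your ISE version; only the first rows of the table are embedded, the remaining rows are pasted in the same format.

```python
import json
import re
import urllib.request
from base64 import b64encode

# Rows copied from the article's table (GRANT COMMAND ARGUMENT); paste the
# remaining rows here in the same format to build the complete set.
COMMAND_SET_TEXT = """
PERMIT show ip interface brief
PERMIT do-exec sh* ip int* br*
PERMIT configure terminal
DENY interface ^(Te|Tw|H|F).*
PERMIT interface ^[Gg].*
DENY shutdown vlan*
PERMIT shutdown
PERMIT description
"""
VALID_GRANTS = {"PERMIT", "DENY", "DENY_ALWAYS"}

def parse_rows(text):
    """Each line: grant, one-word command, then the argument regex (may be empty)."""
    rows = []
    for line in text.strip().splitlines():
        grant, command, arguments = (line.split(None, 2) + [""])[:3]
        if grant not in VALID_GRANTS:
            raise ValueError(f"unknown grant {grant!r} in {line!r}")
        re.compile(arguments)  # surfaces gross regex typos before the push
        rows.append({"grant": grant, "command": command, "arguments": arguments})
    return rows

def build_payload(name, rows, description=""):
    """ERS body for a TACACS Command Set; field names follow the ERS SDK schema
    (assumed here, verify against your ISE version). permitUnmatched=False keeps
    the allowlist behaviour: commands not in the table are denied."""
    return {"TacacsCommandSets": {"name": name, "description": description,
                                  "permitUnmatched": False,
                                  "commands": {"commandList": rows}}}

def push_command_set(host, user, password, payload):
    """POST to the ERS API (TCP 9060). ERS must be enabled on the node and the
    account needs the ERS Admin role; returns the HTTP status (201 = created)."""
    url = f"https://{host}:9060/ers/config/tacacscommandsets"
    token = b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
        method="POST", headers={"Authorization": f"Basic {token}",
        "Content-Type": "application/json", "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status
```

Run build_payload("PermitInterfaceCommands", parse_rows(COMMAND_SET_TEXT)) first and review the JSON before handing it to push_command_set with your ISE node and an ERS-enabled account.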