AAA issues for ISE tacacs server

xili5
Cisco Employee

Hi experts,

I worked on an ISE 2.2 TACACS configuration for a customer and have the two issues below.

1. I assign the "network-operator" role to specific AD group users via TACACS profiles. The user is assigned the "network-operator" role successfully when logging in to the Nexus device, but can still execute all commands. When I disconnected the TACACS server, the user was authenticated and authorized locally and the network-operator user correctly had read-only permission. Below is the configuration.

aaa authentication login default group ise
aaa authentication login console group ise none
aaa authorization config-commands default group ise local
aaa authorization commands default group ise local
aaa accounting default group ise

2. "aaa authorization exec authentication-server auto-enable" is used in the ASA AAA configuration. A user logging in through an SSH session enters exec mode (#) directly when privilege 15 is assigned to that user, but the same user logging in through a console session only enters user mode (>). Below is the configuration.

aaa authentication ssh console ise LOCAL
aaa authentication serial console ise LOCAL
aaa authentication enable console ise LOCAL
aaa authorization command ise LOCAL
aaa accounting command ise
aaa authorization exec authentication-server auto-enable
I am not sure if I missed something for these two issues.


br,

Martin
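Added example (not part of the original post): a small checker that parses the NX-OS AAA lines quoted above and models the method-list order. AAA methods are tried in order, so with `group ise local` the `local` method (and the locally enforced network-operator role) is only consulted when ISE does not answer; while ISE is reachable, the command authorization decision comes from the ISE command set. The config text is copied from the post; the function names are this example's own.

```python
import re

# NX-OS AAA lines from the post above, embedded as constructed input.
NXOS_AAA = """\
aaa authentication login default group ise
aaa authentication login console group ise none
aaa authorization config-commands default group ise local
aaa authorization commands default group ise local
aaa accounting default group ise
"""

# aaa <function> <type> <list-name> <method ...>
AAA_RE = re.compile(r"^aaa (authentication|authorization|accounting) (\S+) (\S+) (.*)$")


def parse_aaa(config):
    """Return {(function, type, list): [method, ...]} keeping the method order."""
    result = {}
    for line in config.splitlines():
        m = AAA_RE.match(line.strip())
        if not m:
            continue
        function, kind, listname, methods = m.groups()
        tokens = methods.split()
        chain, i = [], 0
        while i < len(tokens):
            if tokens[i] == "group":          # "group <server-group>" is one method
                chain.append("group " + tokens[i + 1])
                i += 2
            else:                             # "local" or "none"
                chain.append(tokens[i])
                i += 1
        result[(function, kind, listname)] = chain
    return result


def deciding_method(parsed, function, kind, server_reachable, listname="default"):
    """First method in the chain that actually answers, given whether the server is up."""
    for method in parsed.get((function, kind, listname), []):
        if method.startswith("group "):
            if server_reachable:
                return method
            continue                          # server unreachable: fall through
        return method                         # local / none always answer
    return None


if __name__ == "__main__":
    cfg = parse_aaa(NXOS_AAA)
    for up in (True, False):
        print("ISE reachable" if up else "ISE down", "->",
              deciding_method(cfg, "authorization", "commands", up))
```

For the post's symptom this prints `group ise` while ISE is reachable and `local` when it is down, which matches the observed behaviour: the role's read-only restriction only applies in the local fallback case.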