Hey,
I'm doing a new setup for our TACACS on the 6.9 code train, currently running 6.9.0 but will be going to 6.9.6 after clustering is enabled. However, I'm running into an issue with authorization with our Cisco infrastructure.
I have my enforcement profiles set up correctly, but what I'm not seeing is "do" commands showing up in the authorization, so they are being allowed.
The enforcement profile I'm currently working on is one with priv 15 that allows show commands and int shut / no shut but nothing else. I am not allowing unmatched commands. When in priv exec, you can't do things like reload or write erase etc., but if you go into global config, it allows you to do "do reload" or "do write erase", which obviously is no good. When I look at the authorization list, I do not see the do or do-exec commands there. What gives? Haven't done a packet capture from ClearPass but that's next.
Any ideas?
Edit-----
Nevermind, I figured it out. I needed to remove
aaa authorization commands 15 default group tacserver if-authenticated
and add
aaa authorization config-commands
aaa authorization commands 15 default group tacserver
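As an added example (not from the post and not a vendor tool), a small Python audit that reads a Cisco IOS running-config and flags the two settings the fix above touches: a `commands <priv>` method list that falls back to `if-authenticated`, and a missing `aaa authorization config-commands`. The BEFORE and AFTER configs are constructed to mirror the poster's lines.

```python
"""Audit Cisco IOS AAA lines for the command-authorization gaps in the post."""
import re

# Constructed sample configs that mirror the poster's before/after lines.
BEFORE = """\
aaa new-model
aaa authorization exec default group tacserver local
aaa authorization commands 15 default group tacserver if-authenticated
"""

AFTER = """\
aaa new-model
aaa authorization exec default group tacserver local
aaa authorization config-commands
aaa authorization commands 15 default group tacserver
"""

# aaa authorization commands <priv> <list-name> <method> [<method> ...]
CMD_AUTHZ = re.compile(r"^aaa authorization commands (\d+) (\S+) (.+)$")


def audit_aaa(config: str) -> list[str]:
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    has_config_commands = False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "aaa authorization config-commands":
            has_config_commands = True
            continue
        m = CMD_AUTHZ.match(line)
        if m:
            priv, list_name, methods = m.groups()
            # Method lists fall through to the next method only when the
            # previous one errors (e.g. server unreachable), so this fallback
            # grants every authenticated user all commands during an outage.
            if "if-authenticated" in methods.split():
                findings.append(
                    f"commands {priv} list '{list_name}' falls back to "
                    "if-authenticated: fails open when TACACS+ is unreachable"
                )
    if not has_config_commands:
        # Without this line, commands entered in configuration mode
        # (including 'do ...') are not sent to the server for authorization.
        findings.append(
            "aaa authorization config-commands missing: config-mode "
            "commands such as 'do reload' bypass command authorization"
        )
    return findings
```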