show running-config
show version
show banner pre-login
According to the Cisco ISE CLI guide, the role (admin or user) determines the privileges of the current user.
A regular user with no admin access cannot execute the "show running-config" command, which is the primary command needed for the scans. Hence, the minimum privilege required for a successful Cisco ISE ML scan is the Admin role.
Username: cli_admin
Role: Admin
pcteam/cli_admin# show
application clock disks ip memory repository startup-config timezones version
backup container icmp_status ipv6 ntp restore tech-support udi
banner cpu interface logging ports running-config terminal uptime
cdp crypto inventory logins process snmp-server timezone users
pcteam/cli_admin# show running-config
Generating configuration...
!
hostname pcteam
!
ip domain-name rdlab.in01.qualys.com
!
ipv6 enable
!
interface GigabitEthernet 0
ip address xx.xxx.xxx.xxx 255.255.255.0
ipv6 address autoconfig
ipv6 enable
!
interface GigabitEthernet 1
shutdown
ipv6 enable
!
ip name-server xx.xxx.xxx.xx xx.xxx.xxx.xx
!
ip default-gateway xx.xxx.xxx.x
!
!
clock timezone UTC
!
ntp authentication-key 1 MD5 hash 351552f0bea3699dadd8c1304a74b2f2
ntp server time.nist.gov
!
username admin password hash $6$owEJSDbBzELl850g$qPCr86cAvLYEk1dDMHXArvJqByF09JmUEZgXT81htOVHWhaLgiRL//vPglkzqDd1NMDgdOFYMzbOUBb5Omxad/ role admin
username duke password hash $6$Lbjy8vtkLQte5duY$5KeKfL.TFJGbJ1O9Pg7GHXcrjRMrCIcgcAP/FzbGoj5sJ1rIec45GFIILfavkc9KlTfWWlJwSB/.Z1W1u02Rl0 role user
username cli_admin password hash $6$CnS3uzVeCD4eEfY7$uKIuRiiLk/4aVRN6fpByBSw6KnE6lST4iRSRKUGhC5ljL5EudxVwvLoGbDlmzqG1z9ziN7LWODODV2sW.pLIV1 role admin
!
!
service sshd enable
service sshd key-exchange-algorithm ecdh-sha2-nistp521
:
pcteam/cli_admin# show version
Cisco Application Deployment Engine OS Release: 3.1
ADE-OS Build Version: 3.1.0.135
ADE-OS System Architecture: x86_64
Copyright (c) 2005-2021 by Cisco Systems, Inc.
All rights reserved.
Hostname: pcteam
Version information of installed applications
---------------------------------------------
Cisco Identity Services Engine
---------------------------------------------
Version : 3.1.0.518
Build Date : Mon Aug 9 20:28:55 2021
Install Date : Thu Sep 22 11:48:56 2022
pcteam/cli_admin# show banner pre-login
No pre-login banner installed
Username: duke
Role: User
pcteam/duke> show
cdp cpu disks interface logins ntp process timezone uptime
clock crypto icmp_status inventory memory ports terminal udi version
pcteam/duke> show running-config
^
% invalid command detected at '^' marker.
pcteam/duke> show version
Cisco Application Deployment Engine OS Release: 3.1
ADE-OS Build Version: 3.1.0.135
ADE-OS System Architecture: x86_64
Copyright (c) 2005-2021 by Cisco Systems, Inc.
All rights reserved.
Hostname: pcteam
Version information of installed applications
---------------------------------------------
Cisco Identity Services Engine
---------------------------------------------
Version : 3.1.0.518
Build Date : Mon Aug 9 20:28:55 2021
Install Date : Thu Sep 22 11:48:56 2022
pcteam/duke> show banner pre-login
^
% invalid command detected at '^' marker.
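The check that the two sessions above illustrate, as an added example that is not part of the original page or of any Qualys or Cisco tooling: it reads a captured CLI transcript and reports, per account, which of the three scan commands the device rejected. The function name, the report layout and the abbreviated transcript are assumptions constructed for illustration.

```python
import re

# Commands the page lists as required by the scan.
REQUIRED = ("show running-config", "show version", "show banner pre-login")
# Prompt form seen in the sessions on this page: host/user# or host/user>
PROMPT = re.compile(r"^[^/\s]+/(?P<user>[^#>\s]+)[#>]\s*(?P<cmd>.*)$")
REJECTED = "% invalid command detected"


def audit_transcript(text):
    """Return {user: {"rejected": [...], "missing": [...], "scan_ready": bool}}."""
    seen = {}       # user -> {command: True if accepted, False if rejected}
    current = None  # (user, command) whose output is currently being read
    for line in text.splitlines():
        m = PROMPT.match(line.strip())
        if m:
            cmd = " ".join(m["cmd"].split())
            current = (m["user"], cmd) if cmd else None
            if current:
                seen.setdefault(m["user"], {})[cmd] = True
        elif current and line.strip().startswith(REJECTED):
            seen[current[0]][current[1]] = False
    report = {}
    for user, cmds in seen.items():
        rejected = [c for c in REQUIRED if cmds.get(c) is False]
        missing = [c for c in REQUIRED if c not in cmds]  # never attempted
        report[user] = {"rejected": rejected, "missing": missing,
                        "scan_ready": not rejected and not missing}
    return report


# Constructed sample, abbreviated from the two sessions shown on this page.
SAMPLE = """\
pcteam/cli_admin# show running-config
Generating configuration...
pcteam/cli_admin# show version
pcteam/cli_admin# show banner pre-login
No pre-login banner installed
pcteam/duke> show running-config
                  ^
% invalid command detected at '^' marker.
pcteam/duke> show version
pcteam/duke> show banner pre-login
                  ^
% invalid command detected at '^' marker.
"""

if __name__ == "__main__":
    for user, result in audit_transcript(SAMPLE).items():
        print(user, result)
```

Running this against a transcript captured with the intended scan account before scheduling the scan shows whether the account can run all three commands.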