dc tacacs-commands

Synopsis

netapi ise dc tacacs-commands [OPTIONS]

Description

Get TACACS+ command authorization events. See what commands users are running on network devices - critical for compliance audit.

Options

Option Default Description

--hours, -h

24

Hours to look back

--limit, -l

50

Maximum records to return

--user, -u

(none)

Filter by username

--device, -d

(none)

Filter by device name or IP

--command, -c

(none)

Filter by command (partial match)

Usage

# Last 24 hours (default)
netapi ise dc tacacs-commands

# Filter by user
netapi ise dc tacacs-commands --user admin

# Filter by device
netapi ise dc tacacs-commands --device core-sw

# Find specific commands
netapi ise dc tacacs-commands --command "show run"

# Combine filters
netapi ise dc tacacs-commands --user admin --device core-sw --hours 48

Sample Output

TACACS Commands (last 24h)
──────────────────────────────────────────────────────────────────────────────
Time                 User      Status  Device       Command           Args
──────────────────────────────────────────────────────────────────────────────
2026-01-23 10:43:21  admin     Pass    core-sw-01   show              running-config
2026-01-23 10:41:08  admin     Pass    core-sw-01   configure         terminal
2026-01-23 10:38:55  admin     Pass    core-sw-01   interface         GigabitEthernet1/0/1

Use Cases

Compliance Audit

# All config changes this week
netapi ise dc tacacs-commands --command "configure" --hours 168

Investigate Incident

# What did this user do on this device?
netapi ise dc tacacs-commands --user netadmin --device edge-sw-02 --hours 48

Find Dangerous Commands

# Who ran write/erase commands
netapi ise dc tacacs-commands --command "write" --hours 168
netapi ise dc tacacs-commands --command "erase" --hours 168

See Also