topic TACACS using Guest Identity store in Network Access Control

TACACS using Guest Identity store

melvillec — Tue, 03 Sep 2019 11:25:29 GMT

Hi All,

Our customer requires tacacs users to have an expiry date & time and for different ISE admins to create different types of tacacs users.

For this I have created sponsored guests users using the guest type Contractor group.

Now, if I use the network access name as that of the sponsored guest created, the tacacs rule works as required.

However, If I use the Identity group name Contractor, authorisation fails and it hits the default deny access shell profile.

Any idea how to get it working using the Identity Group name

Attached authorisation SS of both conditions.

PASSED LOG

Overview

Request Type	Authorization
Status	Pass
Session Key	ISE2673/356880508/180
Message Text	Device-Administration: Command Authorization succeeded
Username	netadmin@gmail.com
Authorization Policy	New Policy Set 1 >> NetAdmin
Shell Profile
Matched Command Set	PermitAll
Command From Device	enable

Authorization Details

Generated Time	2019-09-03 16:16:38.118 +5:30
Logged Time	2019-09-03 16:16:38.118
Epoch Time (sec)	1567507598
ISE Node	ISE2673
Message Text	Device-Administration: Command Authorization succeeded
Failure Reason
Resolution
Root Cause
Username	netadmin@gmail.com
Network Device Name	COE_3850_2
Network Device IP	192.168.40.8
Network Device Groups	IPSEC#Is IPSEC Device#No,Location#All Locations,Device Type#All Device Types
Device Type	Device Type#All Device Types
Location	Location#All Locations
Device Port	tty2
Remote Address	192.168.41.73

Authorization Attributes

All Request Attribues
All Response Attribues

TACACS Protocol

Authentication Method	None
Authentication Privilege Level	0
Authentication Type	ASCII
Authentication Service	None

Other Attributes

ConfigVersionId	74
DestinationIPAddress	192.168.40.73
DestinationPort	49
UserName	netadmin@gmail.com
Protocol	Tacacs
RequestLatency	24
Type	Authorization
Service-Argument	shell
NetworkDeviceProfileId	b0699505-3150-4215-a80e-6753d45bf56c
AuthenticationIdentityStore	Guest Users
AuthenticationMethod	Lookup
SelectedAccessService	Default Device Admin
SelectedCommandSet	PermitAll
IdentityGroup	User Identity Groups:GuestType_Contractor (default)
SelectedAuthenticationIdentityStores	Guest Users
AuthenticationStatus	AuthenticationPassed
UserType	GuestUser
CPMSessionID	2429714507192.168.40.83361Authorization2429714507
IdentitySelectionMatchedRule	Authentication Rule 1
Network Device Profile	Cisco
IPSEC	IPSEC#Is IPSEC Device#No
Response	{Author-Reply-Status=PassAdd; }

FAILED LOG

Overview

Request Type	Authentication
Status	Fail
Session Key	ISE2673/356880508/132
Message Text	Failed-Attempt: Authentication failed
Username	netadmin@gmail.com
Authentication Policy	New Policy Set 1 >> Authentication Rule 1
Selected Authorization Profile	Deny All Shell Profile

Authentication Details

Generated Time	2019-09-03 16:09:23.858000 +05:30
Logged Time	2019-09-03 16:09:23.858
Epoch Time (sec)	1567507163
ISE Node	ISE2673
Message Text	Failed-Attempt: Authentication failed
Failure Reason	13036 Selected Shell Profile is DenyAccess
Resolution	Check whether the Device Administration Authorization Policy rules are correct
Root Cause	Selected Shell Profile fails for thsi request
Username	netadmin@gmail.com
Network Device Name	COE_3850_2
Network Device IP	192.168.40.8
Network Device Groups	IPSEC#Is IPSEC Device#No,Location#All Locations,Device Type#All Device Types
Device Type	Device Type#All Device Types
Location	Location#All Locations
Device Port	tty2
Remote Address	192.168.41.73

TACACS Protocol

Authentication Action	Login
Authentication Privilege Level	1
Authentication Type	ASCII
Authentication Service	Login

Other Attributes

ConfigVersionId	74
Device Port	3358
DestinationPort	49
UserName	netadmin@gmail.com
Protocol	Tacacs
RequestLatency	121
Type	Authentication
NetworkDeviceProfileId	b0699505-3150-4215-a80e-6753d45bf56c
AuthenticationMethod	PAP_ASCII
SelectedAccessService	Default Device Admin
IdentityGroup	User Identity Groups:GuestType_Contractor (default)
SelectedAuthenticationIdentityStores	Guest Users
AuthorizationPolicyMatchedRule	Default
UserType	GuestUser
CPMSessionID	925757830192.168.40.83358Authentication925757830
StepLatency	8=2925
Network Device Profile	Cisco
IPSEC	IPSEC#Is IPSEC Device#No
Response	{AuthenticationResult=Passed; AuthorizationFailureReason=ShellProfileDenyAuthorization; Authen-Reply-Status=Fail; }

Attached logs for reference.

Re: TACACS using Guest Identity store

Arne Bier — Tue, 03 Dec 2019 01:06:44 GMT

Hi @melvillec

Did you get a resolution to this? It's an interesting use case for sure!

When you create a Guest Type (e..g Contractor) then you specify where to put the MAC address by specifying the Endpoint Identity Group. Do not confuse this with the User Identity Group (Group that is defined and can contain user accounts ... NOT Endpoints (MAC addresses))

This means, that guest accounts do not have a concept of a Guest Group. At best, you could check during Authentication, by looking up the Identity Source Sequence of "Guest Users", and then test whether the authenticating user is found during Authentication.

Re: TACACS using Guest Identity store

melvillec — Tue, 03 Dec 2019 05:07:18 GMT

Hi Arnie,

Thanks for your reply.

I still haven't got any resolution to this.

You are absolutely right as mentioned below that the Guest user identity group will not contain guest endpoint mac addresses, but only users accounts which we manually need to create. I had figured that out after testing.

If there was some way that ISE could store the guest user accounts created by the sponsor in an internal group, my use case would have been resolved.

I did however create a rule matching the guest user name in the TACACS authorization policy and it worked, but this is not feasible as customer will be creating random users due to which we cant go and make changes in the policy every time he creates an user.

Regards,

Melville

Re: TACACS using Guest Identity store

Arne Bier — Tue, 03 Dec 2019 11:45:11 GMT

Depending on how complex your Policy Sets are, have you considered building a Policy Set that performs Authentication against the "Guest Users", and then for good measure, you could make that an Authorization Rule as well (just for extra assurance that you're authorizing for that specific reason).

Re: TACACS using Guest Identity store

melvillec — Tue, 03 Dec 2019 14:15:19 GMT

Hi Arnie,

Thanks for your reply.

I was already using the Guest Users in the ISS.

Calling the Guest Users in the authorization policy will apply to all guest users and I will not be able to distinguish them as I need to create different policies for different tacacs users based on shell profiles and command sets.

Regards,

Melville

Re: TACACS using Guest Identity store

Jason Kunst — Tue, 03 Dec 2019 17:33:34 GMT

@melvillec wrote:

Hi Arnie,

Thanks for your reply.

I was already using the Guest Users in the ISS.

Calling the Guest Users in the authorization policy will apply to all guest users and I will not be able to distinguish them as I need to create different policies for different tacacs users based on shell profiles and command sets.

Regards,

Melville

Althought not a supported store to TACACS, perhaps this will help looking at the way we did it with Guest?

https://community.cisco.com/t5/security-documents/ise-guest-access-prescriptive-deployment-guide/ta-p/3640475#toc-hId-2129827407