topic Re: Authorization Error in Network Access Control

Authorization Error

jaert.aguiar — Thu, 07 Jun 2018 15:44:10 GMT

Hello,

I'm trying to connect to an ethernet switch that is configurated to access the ISE CISCO server.

Before I start the tests with ISE CISCO, I used the TACACS.net server. I configured in this server a local user and defined the default profile Authorization Policy with this parameter: priv-lvl=7. The authentication and authorization were OK to TACACS.net server.

Now, I'm trying to configurate the access to the ISE CISCO. I have downloaded the ISE CISCO Evaluation virtual machine and configured access:

1 - Definition of Network Device

2 - Definitiion of TACACS Profile with rules to authentication and authorization

I tried to login in the ethernet switch using ISE CISCO like a TACACS server and received the error in the authorization. The authentication as OK.

I checked the authentication report and was used the policy that I defined.

In the authorization report, the column "Authorization Policy" is empty.

How can I define the ISE Server to apply the authorization policy and avoid the error?

Re: Authorization Error

Timothy Abbott — Thu, 07 Jun 2018 17:03:58 GMT

Hi,

Have you seen our how-to guides on setting up TACACS+ support in ISE for IOS devices?

https://communities.cisco.com/docs/DOC-64031

Regards,

-Tim

Re: Authorization Error

jaert.aguiar — Thu, 07 Jun 2018 17:21:10 GMT

Hello,

I have seen the tutorials, but I'm trying to connect a ethernet swith from NR manufacturer that is used in a energy substation.

This ethernet switch has just a place where we can put the TACACS server IP, port, timeout and shared key.

I would like to understant why the ISE CISCO not run any authorization policy, even the default policy.

In some youtube videos, I could see that when there is a error of authorization, is showed what policy was tested.

Re: Authorization Error

Dustin Anderson — Thu, 07 Jun 2018 21:46:44 GMT

So authentication is showing green, can you post the step data?

Authorization is usually checking commands against the set command set, so will not see a policy.

Here is a snipit from mine. Authentication show polict, authz does not.

Re: Authorization Error

jaert.aguiar — Thu, 07 Jun 2018 23:23:44 GMT

Hello Dustin,

Thanks for your return.

I could see in your report that the column Authorization Policy has values when the type is "Authorization".

This is the point.

In my case, this column never has values, indicating that the Authorization Police is never checked.

Re: Authorization Error

jaert.aguiar — Thu, 07 Jun 2018 23:55:14 GMT

This is my Tacacs Live Log...

Re: Authorization Error

Dustin Anderson — Fri, 08 Jun 2018 00:02:26 GMT

OK, I was mis-interpreting, I get what you are saying now.

1: Does authentication show a profile?

I'm not sure what version of ISE you have, I have 2.3, so may be somewhat different.

if you go to work center/Device admin policy sets, you should have the default. I'm assuming you have made a rule under that for the switch to hit. Below is mine for an NX-OS device.

Now, for one of the ones you have without the policy, can you click on the details. Can you post the step data omitting any personal info. An example of mine is below. Do you see it hitting a permit rule?

13005 Received TACACS+ Authorization Request - my.domain

15049 Evaluating Policy Group - networker

15008 Evaluating Service Selection Policy - my.domain

15041 Evaluating Identity Policy - my.domain

22072 Selected identity source sequence - All_User_ID_Stores

15013 Selected Identity Source - my.domain

24432 Looking up user in Active Directory - my.domain

24325 Resolving identity - networker

24313 Search for matching accounts at join point - my.domain

24319 Single matching account found in forest - my.domain

24323 Identity resolution detected single matching account

22037 Authentication Passed

15036 Evaluating Authorization Policy

24432 Looking up user in Active Directory

24325 Resolving identity

24313 Search for matching accounts at join point

24319 Single matching account found in forest

24323 Identity resolution detected single matching account

24355 LDAP fetch succeeded

24416 User's Groups retrieval from Active Directory succeeded

15048 Queried PIP - my.domain.ExternalGroups

15048 Queried PIP - TACACS.User

15048 Queried PIP - DEVICE.Device Type

15048 Queried PIP - Network Access.UserName

15018 Selected Command Set

13024 Command matched a Permit rule

13034 Returned TACACS+ Authorization Reply

Re: Authorization Error

jaert.aguiar — Fri, 08 Jun 2018 00:32:08 GMT

My version is 2.4.

Below, some configurations...

Re: Authorization Error

jaert.aguiar — Fri, 08 Jun 2018 00:34:23 GMT

Below some configurations...

Re: Authorization Error

Dustin Anderson — Fri, 08 Jun 2018 01:03:21 GMT

ok, there are no hits on the rules, and it fails with an invalid request. Sounds like the switch is not sending the request correctly.

What is the switch you are using, what brand and model?

You may want to dry different device and TACACS modes under the ISE network devices.

Re: Authorization Error

jaert.aguiar — Fri, 08 Jun 2018 01:12:05 GMT

The energy substation is using an ethernet switch PCS-9882GD, from NR Company.

This company just implement this TACACS function now and I tested with TACACS.NET server without problems.

But you can be right, they must to check the authorization request.

I will check with others devices.

Thanks a lot for your support.

Re: Authorization Error

Dustin Anderson — Fri, 08 Jun 2018 01:30:08 GMT

No problem, you can maybe also contact NR Company to see if they have implemented TACACS with ISE.