topic Re: AAA issues for ISE tacacs server in Network Access Control

AAA issues for ISE tacacs server

xili5 — Sat, 23 Dec 2017 09:50:42 GMT

Hi experts,

I worked on ISE2.2 tacacs configuration for customer and have two issues below.

1. I assign "network-operator" role to specific AD group users by TACACS profiles. The user is assigned "network-operator" role successfully when login to nexus device, but still can execute all commands. When I disconnected TACACS server, user is authenticated and authorized locally and network-operator user has read-only permission correctly. Below is configuration.

aaa authentication login default group ise

aaa authentication login console group ise none

aaa authorization config-commands default group ise local

aaa authorization commands default group ise local

aaa accounting default group ise

2. "aaa authorization exec authentication-server auto-enable" is used for ASA AAA configuration. User through ssh session can enter exec mode(#) directly when assigned privilege 15 to this user. But the same user through console session only enter user mode(>).Below is configuration.

aaa authentication ssh console ise LOCAL

aaa authentication serial console ise LOCAL

aaa authentication enable console ise LOCAL

aaa authorization command ise LOCAL

aaa accounting command ise

aaa authorization exec authentication-server auto-enable

I am not sure if I miss something for those two issues.

br,

Martin

Re: AAA issues for ISE tacacs server

Nidhi — Sat, 23 Dec 2017 14:33:41 GMT

you might want to follow this link - How To: ISE TACACS+ Configuration for ASA Network Devices.

Let me know if this helps.

Thanks,

Nidhi

Re: AAA issues for ISE tacacs server

xili5 — Tue, 26 Dec 2017 02:07:47 GMT

Hi Nidhi,

Thank you for your document. But it does not resolve my two issues. Yesterday I tried again on Nexus 3K and 1000v for my first issue, ASA5585 and ASAv for my second issue, the result is the same.

Re: AAA issues for ISE tacacs server

hslai — Tue, 26 Dec 2017 02:25:07 GMT

T+ command authorization is optional for both types of devices.

For NX-OS, if you want to use the user roles only, then remove the two lines "aaa authorization config-commands ..." and "aaa authorization commands ...". If you want ISE to perform T+ command authorization, then create the command sets and add them to the T+ authorization policy rules.

Similar applied to ASA CLI. If you want "local", then use "aaa authorization command LOCAL" (with ise in it).

As to your point #2, the "EXEC Authorization" (aka the aut-enable option) in ASA is for SSH/Telnet (TTY/VTY) accesses only. That is why console login does not go directly to EXEC.

Re: AAA issues for ISE tacacs server

xili5 — Tue, 26 Dec 2017 04:10:07 GMT

Hi Lai,

Thank you for clarification.