topic Re: 13036 Selected Shell Profile is DenyAccess in Network Access Control

13036 Selected Shell Profile is DenyAccess

deepakramanath — Mon, 27 Nov 2017 05:57:49 GMT

Hi All,

Subsequent to my earlier question, I have managed a Avaya switch talk to the CISCO ISE 2.3 Tacacs+ server. When I try logging into the switch, the access is basically denied with the message "Permission denied, please try again".

In the CISCO ISE Tacacs+ logs, I could look at the steps that have been performed and where the access gets failed. The step that its failing is: 13036 Selected Shell Profile is DenyAccess

I have been searching on Google for this 13036 and DenyAccess, but haven't been able to successfully troubleshoot.

Any help in this regard would be highly appreciated.

Re: 13036 Selected Shell Profile is DenyAccess

kthiruve — Mon, 27 Nov 2017 21:05:06 GMT

Hi Deepak,

Please check the authentication policy and authorization policy.

In the authorization policy, make sure you allow access in your policy via shell profile. If authentication fails then you will get deny access as well.

Please check out ISE Device Administration (TACACS+)

for detailed information how to configure ISE for TACACS+.

Thanks

Krishnan

Re: 13036 Selected Shell Profile is DenyAccess

deepakramanath — Mon, 27 Nov 2017 23:23:11 GMT

Hi Krishnan,

Thanks for your response. Since I am very new to ISE, I will provide a brief of what I have configured for AA. Please do feel free to correct me.

In the Device Administration -> Policy Elements -> Results -> TACACS Profiles, I have created a new one, called TACACS Profile. In here, I have chosen Common Task Type to be Shell and both Default Privilege and Maximum Privilege to be 15

In the Device Administration -> Policy Elements -> Results -> TACACS Command Sets, I have created a new one, called TACACS Command Sets and I have ticked the option, "Permit any command that is not listed below"

In the Policy -> Policy Sets, I have created two policies as listed below:

Policy Name: Wired-Avaya-Switch

Conditions: DEVICE.Device Type = All Devices Types#Avaya Switch

Allowed Protocols: avaya-switch

Policy Name: Avaya-Switch-Location

Condition: DEVICE.Location = All Locations#Avaya-Switch-Location

Allowed Protocols: avaya-switch

Please note that the avaya-switch protocol has the following Authentication Protocols Enabled:

Allow PAP/ASCII, Allow CHAP, Allow MS-CHAPv1

I'm not exactly sure where I can specify the shell profile access for authorisation as you have suggested.

Thanks

Deepak

Re: 13036 Selected Shell Profile is DenyAccess

deepakramanath — Tue, 28 Nov 2017 04:45:02 GMT

Hi Krishnan,

I have figured out where the authorisation policies can be specified (via the view option in the policy set). Now, I can allow or deny a shell access for a internal user.

The second issue that I'm facing now is, to provide limited shell access to a particular user. To test this scenario, I firstly created a Guest-User identity group and added a guest user (Eg, Guest_User1)

Next, I created a TACACS+ command set (TACACS-Guest-Command-Set) with Grant: PERMIT -> Command: ping. Haven't ticket the option "Permit any command that is not listed below). I believe with this, the Guest_User1 when associated with TACACS-Guest-Command-Set in policy should be able to access only ping.

Next, I created a TACACS Profile (TACACS_Profile_Guest). Here, common task as shell with Default Privilege: 1 and Maximum Privilage: 15

Now I go the policy set that works, under which, I create a new authorisation policy as follows:

Rule Name: Guest-User

Conditions: IdentityGroup = User Identity Groups: Guest-User

Command Sets: TACACS-Guest-Command-Set

Shell Profiles: TACACS_Profile_Guest

The authentication is successful for the Guest_User1, while the authorisation does not seem to block all the commands expect ping. I can basically run all of them.

Any reason why this might be happening?

Thanks

Deepak

Re: 13036 Selected Shell Profile is DenyAccess

ognyan.totev — Tue, 28 Nov 2017 09:59:38 GMT

I think here is the key :