https://community.cisco.com/t5/network-access-control/ise-tacacs-deny-all-shell-profile-still-not-working-correctly/m-p/3558095#M537865 <HTML><HEAD></HEAD><BODY><P>The ISE 2.0 bug [CSCuy46322&nbsp;&nbsp;&nbsp; DefaultDeny access present in ACS is missing in ISE's TACACS feature] is found with NX-OS and it should already resolve in ISE 2.1.</P><P></P><P>Which Nexus devices did you try? I only have access to N1Kv so I can try that in my lab.</P></BODY></HTML> Wed, 17 Aug 2016 17:44:34 GMT hslai 2016-08-17T17:44:34Z https://community.cisco.com/t5/network-access-control/ise-tacacs-deny-all-shell-profile-still-not-working-correctly/m-p/3558092#M537857 <HTML><HEAD></HEAD><BODY><P>There has been a fundamental issue with ISE TACACS since the start that it doesn't allow us to deny the connection during the Authz phase like ACS did.&nbsp; The main issue here is any users from your identity source is allowed to log into the device.&nbsp; For example if you allow AD as an identity source, ANY AD user can log into your network devices and you have to use other methods like autocommand logout or command authorization to stop them from doing anything.</P><P></P><P>The Deny All Shell Profile was supposed to fix the issue, but it only works for systems that have an exec authorization phase like routers and switches.&nbsp; For systems running Nexus OS the user still gets in.&nbsp; </P><P></P><P>Seems to me like the main issue is the ISE decouple the authentication phase from the authorization phase something I don't believe ACS did (but could be wrong) and something RADIUS doesn't have a concept of.&nbsp; </P><P></P><P>Let me know if there is a clean way to fix this. </P></BODY></HTML> Wed, 17 Aug 2016 16:55:05 GMT https://community.cisco.com/t5/network-access-control/ise-tacacs-deny-all-shell-profile-still-not-working-correctly/m-p/3558092#M537857 paul 2016-08-17T16:55:05Z https://community.cisco.com/t5/network-access-control/ise-tacacs-deny-all-shell-profile-still-not-working-correctly/m-p/3558093#M537861 <HTML><HEAD></HEAD><BODY><P>If your ISE 2.1 upgraded from ISE 2.0, then you might have hit this bug:</P><P></P><P>CSCva04654&nbsp;&nbsp;&nbsp; Restore/Upgrade of ISE 2.0 to 2.1 Removes Default DenyShell Profile</P><P></P><P>We are addressing it in the upcoming patch.</P><P></P><P>If that is not the case, please give more details or open a TAC case.</P></BODY></HTML> Wed, 17 Aug 2016 17:24:53 GMT https://community.cisco.com/t5/network-access-control/ise-tacacs-deny-all-shell-profile-still-not-working-correctly/m-p/3558093#M537861 hslai 2016-08-17T17:24:53Z https://community.cisco.com/t5/network-access-control/ise-tacacs-deny-all-shell-profile-still-not-working-correctly/m-p/3558094#M537863 <HTML><HEAD></HEAD><BODY><P>Yes we have seen this bug on our upgrades.&nbsp; The deployment I am working on is a fresh 2.1 build and the Deny All Shell Profile is there.&nbsp; I guess the title of my post may be misleading.&nbsp; I am not saying the Deny All Shell Profile doesn't work I am saying it only works if the authentication device has an exec shell authorization phase.&nbsp; Nexus OS doesn't have an exec shell authorization phase like switches and routers do, i.e there is no "aaa authorization exec default group ISE-TACACS if-authenticated" on the Nexus.&nbsp; You only have the following:</P><P></P><P>US-DCPR-CS02(config)# aaa authorization ?</P><P>&nbsp; commands&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Authorization for all exec-mode commands</P><P>&nbsp; config-commands&nbsp; Authorization for config commands</P><P></P><P>Without a exec shell authorization phase the Deny All Shell Profile work around doesn't work.&nbsp; </P><P></P><P>I don't remember any of this being an issue in ACS.&nbsp; </P></BODY></HTML> Wed, 17 Aug 2016 17:33:33 GMT https://community.cisco.com/t5/network-access-control/ise-tacacs-deny-all-shell-profile-still-not-working-correctly/m-p/3558094#M537863 paul 2016-08-17T17:33:33Z https://community.cisco.com/t5/network-access-control/ise-tacacs-deny-all-shell-profile-still-not-working-correctly/m-p/3558095#M537865 <HTML><HEAD></HEAD><BODY><P>The ISE 2.0 bug [CSCuy46322&nbsp;&nbsp;&nbsp; DefaultDeny access present in ACS is missing in ISE's TACACS feature] is found with NX-OS and it should already resolve in ISE 2.1.</P><P></P><P>Which Nexus devices did you try? I only have access to N1Kv so I can try that in my lab.</P></BODY></HTML> Wed, 17 Aug 2016 17:44:34 GMT https://community.cisco.com/t5/network-access-control/ise-tacacs-deny-all-shell-profile-still-not-working-correctly/m-p/3558095#M537865 hslai 2016-08-17T17:44:34Z https://community.cisco.com/t5/network-access-control/ise-tacacs-deny-all-shell-profile-still-not-working-correctly/m-p/3558096#M537868 <HTML><HEAD></HEAD><BODY><P>Nexus 7K and MDS 9148</P><P></P><P>Here is the MDS login from a local user not in one of the allowed MDS admin groups:</P><P></P><P>login as: testuser</P><P>User Access Verification</P><P>Using keyboard-interactive authentication.</P><P>Password:</P><P>Cisco Nexus Operating System (NX-OS) Software</P><P>&lt;removed the TAC and license verbiage&gt;</P><P>US-DCPR-MDS-A#</P><P></P><P>You can see the in the logs below I am clearly getting denied in the authorization phase, but I am at the # prompt of the MDS&gt;<IMG alt="TACACS Logs.JPG" class="image-1 jive-image" src="/legacyfs/online/fusion/99503_TACACS Logs.JPG" style="height: 30px; width: 620px;" /></P></BODY></HTML> Wed, 17 Aug 2016 18:01:34 GMT https://community.cisco.com/t5/network-access-control/ise-tacacs-deny-all-shell-profile-still-not-working-correctly/m-p/3558096#M537868 paul 2016-08-17T18:01:34Z https://community.cisco.com/t5/network-access-control/ise-tacacs-deny-all-shell-profile-still-not-working-correctly/m-p/3558097#M537871 <HTML><HEAD></HEAD><BODY><P>I am seeing the same problem on my ISE 2.1 and N1Kv so have asked our engineering teams to investigate. One workaround I have right now is to use ISE as a RADIUS token server and define a <STRONG>RADIUS</STRONG> policy set to deny access by default unless matching specific user groups. Additionally, a NAD created for ISE itself with the same shared secret as the token server object.</P><P><IMG alt="Screen Shot 2016-08-17 at 5.13.16 PM.png" class="image-1 jive-image" src="/legacyfs/online/fusion/99501_Screen Shot 2016-08-17 at 5.13.16 PM.png" style="height: 249px; width: 620px;" /></P><P></P><P>Then, update the T+ policy set for NX-OS to use this loop-back RADIUS token server as the identity source, instead.</P></BODY></HTML> Thu, 18 Aug 2016 00:16:03 GMT https://community.cisco.com/t5/network-access-control/ise-tacacs-deny-all-shell-profile-still-not-working-correctly/m-p/3558097#M537871 hslai 2016-08-18T00:16:03Z https://community.cisco.com/t5/network-access-control/ise-tacacs-deny-all-shell-profile-still-not-working-correctly/m-p/3558098#M537873 <HTML><HEAD></HEAD><BODY><P>Thanks. I have used the RADIUS callback trick for portal AD group enforcement. In this case I am doing command authorization on the MDS and Nexus switches so even though the user gets in they can’t do anything. I was bring this up as a discussion to point out that the deny during authorization is not working right on all platforms.</P><P></P><P>Thanks</P></BODY></HTML> Thu, 18 Aug 2016 14:12:19 GMT https://community.cisco.com/t5/network-access-control/ise-tacacs-deny-all-shell-profile-still-not-working-correctly/m-p/3558098#M537873 paul 2016-08-18T14:12:19Z