topic Re: tacacs+ authorization in Network Access Control

tacacs+ authorization

adamgibs7 — Fri, 21 Feb 2020 18:55:52 GMT

Dears,

whenever a ISE server fails I am able to login in the switches and firewall but I m not able to change any configuration becz it says me that authorization failed,

so I have to configure the privilege level commands in the switch and firewall also for successful authorization , If so then what is the use of ISE working as central place of authentication & authorization

Thanks

Re: tacacs+ authorization

Francesco Molino — Sat, 12 May 2018 03:44:51 GMT

Hi

What do you mean by you had to configure privilege command on the switch?
Which privilege are you using?
Can you please share your aaa config of the switch for example?

Re: tacacs+ authorization

adamgibs7 — Sat, 12 May 2018 04:38:35 GMT

Dear Francesco

I had not configured any privileges on the switch or firewall, but I want to know do I have to configure in the below situations:

when a ISE fails his reachability to the AD

WHEN the ISE itself is out of the network ( crashed) situation.

Thanks

Re: tacacs+ authorization

Francesco Molino — Sun, 13 May 2018 02:28:10 GMT

Ok got it. Can you please share your switch config?

Re: tacacs+ authorization

adamgibs7 — Sun, 13 May 2018 16:09:07 GMT

Dear

Please find the below config

below config for asa

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (INSIDE) host 1.1.1.
aaa-server RADIUS protocol radius
aaa-server RADIUS (INSIDE) host 1.1.1.1
aaa authentication ssh console TACACS+ LOCAL
aaa authentication http console TACACS+ LOCAL
aaa authentication serial console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL
aaa accounting ssh console TACACS+
aaa accounting command privilege 15 TACACS+
aaa local authentication attempts max-fail 5
aaa authorization exec authentication-server
aaa authentication login-history

below config for switch

sh run | in aaa
aaa new-model
aaa group server tacacs+ xyz
aaa group server radius xyz-ISE
aaa authentication login default group xyz local
aaa authentication login no-auth local
aaa authentication enable default enable
aaa authentication dot1x default group xyz-ISE local
aaa authorization config-commands
aaa authorization exec default group xyz local
aaa authorization commands 1 default group xyz local
aaa authorization commands 15 default group xyz local
aaa authorization network default group xyz-ISE local
aaa accounting dot1x default start-stop group xyz-ISE
aaa accounting exec default start-stop group xyz
aaa accounting commands 1 default start-stop group xyz
aaa accounting commands 15 default start-stop group xyz
aaa server radius dynamic-author

Re: tacacs+ authorization

Francesco Molino — Mon, 14 May 2018 02:36:03 GMT

Can you change your config with following lines and test again please:

aaa authorization exec default group xyz local if-authenticated
aaa authorization commands 1 default group xyz local if-authenticated
aaa authorization commands 15 default group xyz local if-authenticated

Can you share your local user config please?

Try using the following before testing again:

username test privilege 15 secret 0 test

Re: tacacs+ authorization

adamgibs7 — Mon, 14 May 2018 20:20:27 GMT

Dear Francesco

Thanks for the reply

before applying I read the below, also what is the replace of this command in ASA FW

if-authenticated Allows the user to access the requested function if the user is authenticated. The if-authenticated method is a terminating method. Therefore, if it is listed as a method, any methods listed after it will never be evaluated. Using if-authenticated as the first method is equivalent to not having an
authorization if authentication has succeeded.

Re: tacacs+ authorization

Francesco Molino — Tue, 15 May 2018 04:26:10 GMT

Yes that's why it is at the end of each authorization command. Can you share your local user config?

Also when trying while tacacs is down, can you run a debug aaa to see what happens?

Re: tacacs+ authorization

adamgibs7 — Tue, 15 May 2018 19:02:43 GMT

username xyz secret password cisco

can't provide debugs as couldn't able to schedule a downtime

Re: tacacs+ authorization

Francesco Molino — Wed, 16 May 2018 01:29:20 GMT

Ok. how are you testing then tacacs failover to local? When do you have a maintenance window to test it?
Your secret looks weird.
Normally you would use the following command to configure your user:
username xxxx privilege 15 secret xxxxx

Re: tacacs+ authorization

adamgibs7 — Wed, 16 May 2018 04:18:44 GMT

Dear Francesco

username xxxx privilege 15 secret xxxxx

this command will directly land the user in privy 15

thanks

Re: tacacs+ authorization

Francesco Molino — Wed, 16 May 2018 12:00:49 GMT

Yes this is what you want when your tacacs fails?
Otherwise, put it in any other privilege and you'll need to type in enable to move to privilege 15.

Re: tacacs+ authorization

adamgibs7 — Wed, 16 May 2018 19:46:42 GMT

Dear Francesco

The authentication will drop me on privilege mode but when i will execute command it will prompt by authorization failed Hence the if-authentication command will work for switches but what about ASA firewall's ????

thanks

Re: tacacs+ authorization

Francesco Molino — Wed, 16 May 2018 22:42:11 GMT

Normally it should work. Your ise is down and not reachable when you tested right?

Attach your asa and switch config file in text and I'll reproduce your infrastructure in lab to see what's going on

Re: tacacs+ authorization

adamgibs7 — Sat, 19 May 2018 14:04:08 GMT

Dear Francesco

Have already shared the configs in the above post

Thanks

Re: tacacs+ authorization

Francesco Molino — Sun, 20 May 2018 21:04:29 GMT

The config looks like ok but we need to troubleshoot when you've the issue.
Let me know when we can TS your issue in PM. We can do a webex.

Re: tacacs+ authorization

adamgibs7 — Tue, 22 May 2018 19:16:21 GMT

Dear Francesco

I'm in the country with time zone GMT +4, I can arrange according to your timezone, can i know your time zone and are you working for Cisco TAC, i have case opened for the EAP chaining and the TAC is not able to solve since one month has passed, if you are in Cisco TAC i can provide you the case number.

thanks

Re: tacacs+ authorization

Francesco Molino — Thu, 24 May 2018 00:24:41 GMT

I'm not working for Cisco TAC.
I'm also within the same timezone (EST). If you're available this WE, send me a PM and we will do a webex.

Re: tacacs+ authorization

adamgibs7 — Thu, 24 May 2018 20:06:50 GMT

Dears

WebEx will not be possible in EST time hence I don't have full access to the devices, but instead you can instruct me for the future actions that I can be carried out by me,

so you are confirming that with ASA I shld not fall into the case that when the ISE is not reachable and when I m trying to do any changes on the ASA it shld not prompt me with an authorization failed error.

thanks

Re: tacacs+ authorization

Francesco Molino — Thu, 24 May 2018 23:12:09 GMT

Here the config I would do for ASA:

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (INSIDE) host 1.1.1.
!
aaa authentication ssh console TACACS+ LOCAL
aaa authentication http console TACACS+ LOCAL
aaa authentication serial console TACACS+ LOCAL --> Do you want serial connections being allowed through tacacs+?
aaa authentication secure-http-client
aaa authentication enable console TACACS+ LOCAL
!
aaa authorization exec authentication-server auto-enable --> is ASA 9.2(1) and above
aaa authorization http console TACACS+ --> If ASA 9.4 and above because since them exec is separated for ASDM from other types of connections.
aaa authorization command TACACS+ LOCAL
aaa accounting ssh console TACACS+
aaa accounting command privilege 15 TACACS+
aaa local authentication attempts max-fail 5
aaa authentication login-history

This config should work and not giving you any authorization failure when ISE is down/not reachable.