topic Re: ISE 2.1.0 TACACS command sets issue in Network Access Control

ISE 2.1.0 TACACS command sets issue

n-russell-biggie — Fri, 21 Feb 2020 18:38:27 GMT

Hello,

I have created the below tacacs command set in ISE.

When testing I am able to issue the commands conf t and exit but I can not run any show commands. I was intending to deny "show version" and then permit any other show commands but for some reason all "show" commands are being denied.

I moved the permit s*w .* above the deny show v* and all worked fine. I was under the impression that the way I have set this up in the screenshot then after issuing a "show run" it would skip past the deny show v* and be permitted by the permit s*w .*

Can anyone see if I am making an obvious error?

Thanks

Nick

Re: ISE 2.1.0 TACACS command sets issue

n-russell-biggie — Tue, 07 Nov 2017 18:12:57 GMT

I have now patched this to patch level six in the hope that it is possibly a bug. Still the same results.

Re: ISE 2.1.0 TACACS command sets issue

Arne Bier — Tue, 07 Nov 2017 23:57:05 GMT

Hi Nick

Very good question. I hadn't noticed this before. And I am keen to get a Cisco response on this. I am still on ISE 2.2 patch 2 and upgrading to ISE 2.3 patch 1 tomorrow. My experience with the TACACS functionality has been not so good - I have had issues were the PAN no longer sent the TACACS programming to the PSN nodes. I configured the he&*% out of the Policy Sets and none of it landed on the PSNs! Only after restarted the PAN, my PSN's got programmed again.

I tried the stuff below and no matter which way around I put the sh commands, I cannot execute the logic you want. I.e when I have it as shown below, then

show run fails

show ver fails

When I have it as follows

then

show run passes

show ver passes

How bizarre.

Re: ISE 2.1.0 TACACS command sets issue

n-russell-biggie — Wed, 08 Nov 2017 07:45:55 GMT

Thank you for your response Arne. It would be interesting to get Cisco’s response to this. Logically the command set should block sh version and allow show run but as we see, this is not the case.

Thanks
Nick

Re: ISE 2.1.0 TACACS command sets issue

dacabrer — Sun, 12 Nov 2017 03:04:10 GMT

Hey Nick/Arne,

Looks like ISE is not able to match "version" using the regexp v* or ve* but it works with ver*. Same with run* instead of r* or ru*.

I am not sure if this has already been documented as a defect (I will double check). In the meantime, if you edit your argument for ver* everything should work.

Best regards,

dacabrer

Re: ISE 2.1.0 TACACS command sets issue

Arne Bier — Tue, 14 Nov 2017 00:25:42 GMT

This discussion was continued over at the Cisco Communities Forum for ISE, and I wrote some updates there

https://communities.cisco.com/message/273751#273751

Bottom line is, that the documentation is quite clear about the behaviour, but it is buried deep in the 1200 page manual. I show some examples of how it works in the Communities post.