topic Re: ISE - AD & Internal User Access for the same device in Network Access Control

ISE - AD & Internal User Access for the same device

robad — Sun, 01 Aug 2021 06:18:30 GMT

Hi Team,

I'm having some issue that I'm almost sure that I've succeeded with it in the past.

We have a device type "x", and we want the following thing :

1. Admins user [an AD group] - will have privilege 15

2. Internal User "user" - will be able to run only specific command [we've created the command set "command"]

I can't find/think on a way, that in the same "Device Admin Policy Set"

What Am I doing wrong ? and how can I solve it please

Thanks in advance

Re: ISE - AD & Internal User Access for the same device

balaji.bandi — Sun, 01 Aug 2021 10:33:46 GMT

You need to look command set :

Work Centers > Device Administration > Policy Results > TACACS Command Sets

below document help you : (Let us know if this is not the case or am I miss understood your requirement ?)

https://ciscocustomer.lookbookhq.com/iseguidedjourney/ISE-device-admin

Re: ISE - AD & Internal User Access for the same device

robad — Sun, 01 Aug 2021 11:36:43 GMT

Hi, and thanks for your reply.

But, It's not what I've asked for.

We already have a command set for the internal user.

We need that for the same device, there will be an option the users from External ID Source [AD] and Internal ISE Users will be able to login.

Re: ISE - AD & Internal User Access for the same device

balaji.bandi — Sun, 01 Aug 2021 12:25:53 GMT

Personally, I do not believe that Device can do both, there is only Option First one, and if that fails to the second one.

Identity Source Sequence that will contain AD groups and if needed any local accounts on ISE (in the event that AD can’t be reachable or failed, you have a local ISE account to log into your equipment).

Re: ISE - AD & Internal User Access for the same device

Amine ZAKARIA — Sun, 01 Aug 2021 16:18:33 GMT

Hello,

From my understanding you want on the same policy to authenticate and differentiate the authorization between AD Users and ISE Internal Users.(The AD User should not be the same as the ISE internal User).

First you need to create an Identity Source Sequence (Administration Identity -> Identity Management -> Identity Source Sequences)

Under the Authentication Policy choose the Identity sequence you have created :

And under Authorization policy should be like this :

Re: ISE - AD & Internal User Access for the same device

robad — Mon, 02 Aug 2021 07:03:12 GMT

Hi Amine

Thanks ! It's getting closer for solution.

Now I'm able to login with both AD user & Internal User

But, for some reason, the Command Sets are not taking any effect. i.e, the users can login but they have priv 15, and not only the "clear line" command set...

Do you have any Idea why ?

BTW -

In other Policy Sets it's working. the "users" can login and get only "clear line" command set, and admins getting all command.

The only change is that in the other Policy Sets, the "users" are from the same Identity Source as the admins [AD].

Attached the Policy Set + The TACACS Log

Re: ISE - AD & Internal User Access for the same device

robad — Mon, 02 Aug 2021 07:37:59 GMT

*********

Update

*********

IT IS WORKING !

I've noticed that something is wrong only with a specific Terminal Server.

There was one command that was missing :

aaa authorization commands 15 default local group tacacs+

and that's it now it's working !

thanks

Re: ISE - AD & Internal User Access for the same device

balaji.bandi — Mon, 02 Aug 2021 09:43:16 GMT

aaa authorization commands 15 default local group tacacs+

Sure this make sense - this will do first Local and TACACS later.