topic Re: Cisco ISE 3.0, LDAP integration and access to network devices. in Network Access Control

Cisco ISE 3.0, LDAP integration and access to network devices.

fomin.v87 — Fri, 11 Mar 2022 10:36:41 GMT

Hello,

I need to configure authorization and authentication for particular AD groups on Cisco Nexus devices. Now I've configured LDAP integration and I can retrieve groups from AD, but I can't find the way how users from this grops could be allowed for access to network devices.

I suppose that I need to configure Device Admin Policy Sets, but I don't know the right way to do this. Now only Cisco ISE local users which was created in Identities >> Network Access Users section can be authozired and can authenticate to network devices, on Cisco switches I've configured tacacs.

Re: Cisco ISE 3.0, LDAP integration and access to network devices.

Marvin Rhoads — Fri, 11 Mar 2022 12:50:55 GMT

Add an Authorization rule with the conditions being that the authenticated users is a member of the desired group and the result being allowed access at the desired level.

More details can be found here:

https://community.cisco.com/t5/security-documents/cisco-ise-device-administration-prescriptive-deployment-guide/ta-p/3738365

...specifically this section:

https://community.cisco.com/t5/security-documents/cisco-ise-device-administration-prescriptive-deployment-guide/ta-p/3738365#toc-hId--1599341345

Re: Cisco ISE 3.0, LDAP integration and access to network devices.

fomin.v87 — Fri, 11 Mar 2022 13:50:05 GMT

Even though I've done this policy, I can't connect to network devices via SSH by user from this group. And as you see, there are no hits.

Re: Cisco ISE 3.0, LDAP integration and access to network devices.

fomin.v87 — Thu, 17 Mar 2022 13:48:34 GMT

It seems that ISE doesn't try to check LDAP identity source based on logs, maybe you know something about this issue?

I see this is reports, when I try to connect to Cisco Device.

And I didn't see trying to look in LDAP identity source mgmt.sbcp.ru

13013	Received TACACS+ Authentication START Request
 	15049	Evaluating Policy Group
 	15008	Evaluating Service Selection Policy
 	15048	Queried PIP - DEVICE.Device Type
 	15041	Evaluating Identity Policy
 	22072	Selected identity source sequence - All_User_ID_Stores
 	15013	Selected Identity Source - Internal Users
 	24210	Looking up User in Internal Users IDStore
 	24216	The user is not found in the internal users identity store
 	15013	Selected Identity Source - All_AD_Join_Points
 	13045	TACACS+ will use the password prompt from global TACACS+ configuration
 	13015	Returned TACACS+ Authentication Reply
 	13014	Received TACACS+ Authentication CONTINUE Request
 	15041	Evaluating Identity Policy
 	22072	Selected identity source sequence - All_User_ID_Stores
 	15013	Selected Identity Source - Internal Users
 	24210	Looking up User in Internal Users IDStore
 	24216	The user is not found in the internal users identity store
 	15013	Selected Identity Source - All_AD_Join_Points
 	24430	Authenticating user against Active Directory - All_AD_Join_Points
 	24325	Resolving identity - INVALID
 	24313	Search for matching accounts at join point - msk.sbcp.ru
 	24366	Skipping unjoined domain - msk.sbcp.ru
 	24322	Identity resolution detected no matching account
 	24352	Identity resolution failed - ERROR_NO_SUCH_USER
 	24412	User not found in Active Directory - All_AD_Join_Points
 	15013	Selected Identity Source - Guest Users
 	24631	Looking up User in Internal Guests IDStore
 	24633	The user is not found in the internal guests identity store
 	15013	Selected Identity Source - Internal Users
 	24210	Looking up User in Internal Users IDStore
 	24216	The user is not found in the internal users identity store
 	15013	Selected Identity Source - All_AD_Join_Points
 	24430	Authenticating user against Active Directory - All_AD_Join_Points
 	24325	Resolving identity - INVALID
 	24313	Search for matching accounts at join point - msk.sbcp.ru
 	24366	Skipping unjoined domain - msk.sbcp.ru
 	24322	Identity resolution detected no matching account
 	24352	Identity resolution failed - ERROR_NO_SUCH_USER
 	24412	User not found in Active Directory - All_AD_Join_Points
 	15013	Selected Identity Source - Guest Users
 	24631	Looking up User in Internal Guests IDStore
 	24633	The user is not found in the internal guests identity store
 	22016	Identity sequence completed iterating the IDStores
 	22056	Subject not found in the applicable identity store(s)
 	22058	The advanced option that is configured for an unknown user is used
 	22061	The 'Reject' advanced option is configured in case of a failed authentication request
 	13015	Returned TACACS+ Authentication Reply

Re: Cisco ISE 3.0, LDAP integration and access to network devices.

fomin.v87 — Thu, 17 Mar 2022 14:49:20 GMT

Ok, I realize that I should create Authentication policy with my LDAP "mgmt.sbcp.ru"

But when I try to save policy, the error has occurred.

What condition shoud I use in this policy?

Re: Cisco ISE 3.0, LDAP integration and access to network devices.

Marcelo Morais — Fri, 18 Mar 2022 09:42:53 GMT

Hi @fomin.v87 ,

you need to configure at least one Condition.

Hope this helps !!!

Re: Cisco ISE 3.0, LDAP integration and access to network devices.

Greg Gibbs — Sun, 20 Mar 2022 23:28:05 GMT

With Device Admin (TACACS+), I typically use separate Device Admin Policy Sets for each distinct device type (switches/routers, WLCs, Firewalls, etc), so there is not much value in creating a unique AuthC Policy with a simple condition like 'Network Access - Protocol = TACACS+'

Instead, I typically just use the Default AuthC Policy and configure my Identity Source there.

Example: