topic Re: Cisco Device admin policy set using RSA as external ID source in Network Access Control

Cisco Device admin policy set using RSA as external ID source

stuartcross — Fri, 05 May 2023 13:18:57 GMT

Trying to configure a device admin policy set for TACACS plus, using RSA to authenticate. I can get the Authentication to work and I see ISE talking to RSA in the tacacs logs and authenticating ok, however the authorization fails and says there is no user in the selected identity store. How can I configure the authorization part of the policy?

Thanks

Re: Cisco Device admin policy set using RSA as external ID source

M02@rt37 — Fri, 05 May 2023 13:24:16 GMT

Hello @stuartcross,

To configure the authorization part of the device admin policy set for TACACS+, you need to define the authorization profile and authorization rules in Cisco ISE.

https://content.cisco.com/chapter.sjs?uri=/searchable/chapter/content/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_010011.html.xml

=> Manage Authorization Policies and Profiles

Re: Cisco Device admin policy set using RSA as external ID source

stuartcross — Fri, 05 May 2023 13:59:06 GMT

No that's not an answer to my question.

Re: Cisco Device admin policy set using RSA as external ID source

M02@rt37 — Fri, 05 May 2023 14:15:18 GMT

OK @stuartcross,

Do you have configured the necessary identity store in ISE to retrieve user information ? This identity store can be an Active Directory server, LDAP server, or other external databases.

Do you have created authorization rules that specify the privileges or permissions that are granted to authenticated users. These rules can be based on attributes such as user groups, network device type, and time of day.

Re: Cisco Device admin policy set using RSA as external ID source

MHM Cisco World — Fri, 05 May 2023 14:25:27 GMT

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200208-Configure-ISE-2-0-IOS-TACACS-Authentic.html

This what you need for admin?

Re: Cisco Device admin policy set using RSA as external ID source

stuartcross — Fri, 05 May 2023 14:37:19 GMT

Of course. RSA has been configured and added to the DEvice admin policy. If you read my initial post, you will see that, and that I state this part works correctly. However, the authorization part fails, because it says it cannot find the user in the identity store, despite finding it in the authentication profile, and validating my credentials when I entered them.

What I need to know is how to get the authorization part to work correctly in the device admin policy set.

Re: Cisco Device admin policy set using RSA as external ID source

stuartcross — Fri, 05 May 2023 14:38:25 GMT

I have got TACACS working using Cisco AD. However, this is for RSA, and so far I cannot get it to work the same as AD does.

Re: Cisco Device admin policy set using RSA as external ID source

stuartcross — Fri, 05 May 2023 14:51:31 GMT

AS you can see here. When I enter my RSA username and passcode, it is successful.

"A session is established with the RSA SecurID Server - RSA "
"Check passcode operation succeeded - RSA SecurID"
"User authentication has succeeded - RSA"

However, the authorization fails

15013 Selected Identity Source - RSA SecurID
22056 Subject not found in the applicable identity store(s)

Re: Cisco Device admin policy set using RSA as external ID source

Nancy Saini — Fri, 05 May 2023 17:00:22 GMT

Could you share the detailed authentication report from ISE? Also, share the screenshot of the authentication and authorization policy that it should hit such that the options part of the authentication policy is visible.

Re: Cisco Device admin policy set using RSA as external ID source

stuartcross — Sat, 06 May 2023 12:10:30 GMT

Hi,

I managed to get this working now by changing the options for "if user not found" to "continue". What I don't understand is if it finds my user in RSA and authenticates me using my passcode, why does it then say user not found in identity store.

Thanks

Re: Cisco Device admin policy set using RSA as external ID source

Nancy Saini — Sat, 06 May 2023 17:26:34 GMT

Seems like ISE is treating rejects from RSA server as "User not found" due to below configuration.

Check on the RSA server why it is sending reject to ISE

Re: Cisco Device admin policy set using RSA as external ID source

stuartcross — Sun, 07 May 2023 10:02:16 GMT

I checked RSA logs and it is passing my authentication, and you see that in the ISE tacacs live log. I don't believe it is sending rejects. Also under the RSA config, I do not have it set to treat rejects as "user not found". However, changing the options to continue is allowing me to access the router.

Re: Cisco Device admin policy set using RSA as external ID source

thomas — Sun, 07 May 2023 15:45:37 GMT

Show us your actual policy and your actual error message(s).

It's is very hard to comment or make suggestions on "authorization fails and says there is no user in the selected identity store".

We don't know what you are doing or how you are doing it.

See

Re: Cisco Device admin policy set using RSA as external ID source

stuartcross — Tue, 09 May 2023 08:27:44 GMT

Its a simple policy. If a switch tacacs request is received, then use RSA identity source. I can see my authentication happening in the RSA logs and passing ok. From here it's then meant to just give me access to priv15 in the ISE authorization part of the policy. This wasn't working, but now does since I changed the options to "continue" if "user not found"

The error I already posted above, it comes from the authorization report (authentication report is good and shows successful RSA authentication). The two lines from the error report are.

15013 Selected Identity Source - RSA SecurID
22056 Subject not found in the applicable identity store(s)

Do you need more than that?

Re: Cisco Device admin policy set using RSA as external ID source

stuartcross — Tue, 09 May 2023 11:35:03 GMT

Added the report. The authentication showing RSA authentication working fine. The authorization showing user not found but now using advanced options setting to continue.

Re: Cisco Device admin policy set using RSA as external ID source

poongarg — Wed, 10 May 2023 04:24:14 GMT

Kindly download the complete report for working and non-working scenario and attach it as just screenshots of the report will not help much. Also attach the complete authentication and authorization policy details for matching policy.

Re: Cisco Device admin policy set using RSA as external ID source

stuartcross — Wed, 10 May 2023 09:01:40 GMT

Hi, The tacacs reports do not give you any detailed information. Only a CSV outlining the attempts and if they failed or passed. Is there a way I can download the the detailed report?

Re: Cisco Device admin policy set using RSA as external ID source

stuartcross — Wed, 10 May 2023 11:14:11 GMT

Also, just to add, this does not happen if I use AD as the external ID source. Only when using RSA, so maybe a symptom of using RSA as the external ID source, as it doesn't share the username with ISE, unlike AD?

Re: Cisco Device admin policy set using RSA as external ID source

poongarg — Wed, 10 May 2023 12:07:38 GMT

You need to press CTRL+P to print the report. Also need to see the AuthC and AuthZ policies configured for this authentication.

Re: Cisco Device admin policy set using RSA as external ID source

stuartcross — Wed, 10 May 2023 12:28:34 GMT

Hi, I'm slightly uncomfortable about posting our policy on a public forum, is there a more secure method?