topic Unable to see enforce command sets using cisco ISE device admin demo in Network Access Control

Unable to see enforce command sets using cisco ISE device admin demo

henry chrizostom — Wed, 09 Aug 2023 04:25:27 GMT

I am doing evaluation for the cisco ISE device admin demo license, but users are able to authenticate properly and hit proper authorization policy but i can't enforce restrictions using command sets in the authorization policy

*************my switch config

aaa new-model
aaa group server tacacs+ eh_group
server name EH
ip tacacs source-interface Vlan1
aaa authentication login ehgroup group eh_group local
aaa authentication enable default group eh_group enable
aaa authorization config-commands
aaa authorization exec ehgroup group eh_group local if-authenticated
aaa authorization commands 0 ehgroup group eh_group local if-authenticated
aaa authorization commands 1 ehgroup group eh_group local if-authenticated
aaa authorization commands 7 ehgroup group eh_group local if-authenticated
aaa authorization commands 15 ehgroup group eh_group local if-authenticated
aaa accounting exec ehgroup start-stop group tacacs+ group eh_group
aaa accounting commands 0 ehgroup start-stop group eh_group
aaa accounting commands 1 ehgroup start-stop group eh_group
aaa accounting commands 15 ehgroup start-stop group eh_group

line vty 0 4
exec-timeout 300 0
authorization commands 0 ehgroup
authorization commands 1 ehgroup
authorization commands 15 ehgroup
authorization exec ehgroup
accounting commands 0 ehgroup
accounting commands 15 ehgroup
login authentication ehgroup

Re: Unable to see enforce command sets using cisco ISE device admin de

Milos_Jovanovic — Wed, 09 Aug 2023 11:36:41 GMT

Hi @henry chrizostom,

Your configuration looks fine to me. However, report you are checking is about authentication. Please try and check TACACS Authorization report, where you would see which shell profile and command set were assigned to specific session. Based on that, it should be clear to you what is going on.

Kind regards,

Milos

Re: Unable to see enforce command sets using cisco ISE device admin de

jovinco25 — Wed, 09 Aug 2023 19:02:44 GMT

Thank you for your response. I am unable to locate any authorization logs in the Cisco ISE portal, which is unusual. I don't understand why I can't see authorization logs even though I've verified all the configurations are correct.

could it be the reason that I am using the Cisco ISE device admin demo license?

Re: Unable to see enforce command sets using cisco ISE device admin de

Milos_Jovanovic — Wed, 09 Aug 2023 19:48:17 GMT

Hi @jovinco25,

No, I don't think it has anythng to do with demo mode, as it is intended to provide every functionality, for a limited number of users and time.

Are you sure you are logging under lines 0-4? Could it be all of those are taken, and you are testing under 5-15?

Kind regards,

Milos