topic Re: User Active in AD group in Network Access Control

User Active in AD group

lanagna — Thu, 07 Mar 2024 18:37:38 GMT

Hi Team, Need clarity for the below scenarios.,

Common input: User abcd got added into AD groups and have both Read only/write permission

Scenario1:User abcd logged in to switch and the session got established, while the user READ a file and performed some activity, by this time user got removed from the Read-only group, since the session is enabled still user can able to perform the Read access inside the active session.

Scenrio2:User abcd logged in to switch and the session got established, while the user READ a file and performed some activity, by this time user got removed from the Read-only group, since the session is enabled still user can able to perform the Read access inside the active session.

Understanding: Since the session is active in both scenarios, it is expected if user try for Read-only but the other thought, when the user got removed from the AD groups it has to auto-exit.

Please confirm the same. Thanks!

Re: User Active in AD group

balaji.bandi — Thu, 07 Mar 2024 19:00:24 GMT

Good question - i have never come across this situation to be honest - the user fired in 1min of time. (that is different use case)

depends on how you configured on the ISE - if you have Authorization cache timeout 0 - then each authorization need to validate against ID source (as per my understanding)

In that user which is not valid, get authorization error. (this is my understand)

Since ISE does not hold any cache of user information as per 3.0 version. ( 3.2 or 3.3 may have different - but not that i am aware.)

Re: User Active in AD group

lanagna — Fri, 08 Mar 2024 11:43:05 GMT

Thanks for the input and views.

Re: User Active in AD group

thomas — Fri, 08 Mar 2024 22:08:35 GMT

As @balaji.bandi said, authentication is separate from authorization. There is no protocol or update mechanism for AD to callback to ISE or the switch (which AD knows nothing about) to say "the user permissions have changed, please invalidate your cache".

Re: User Active in AD group

lanagna — Mon, 11 Mar 2024 10:57:07 GMT

Thanks @thomas for briefing the query with additional inputs. Here I had a typo in the scenario2 which has to actual Read-write[changed below and marked additional query]., So the above input is applicable for Read-Write also or it will differ - when the user establishes the session and writes some config??

Scenrio2: User abcd logged in to switch and the session got established, while the user a file and performed some activity, by this time user got removed from the Read-Write group, Note: Once Read-write permission was removed for the active user it is getting reflected immediately in active session. i.e. If I'm the user I can't able to perform any write actions.

Scenario1: User abcd logged in to switch and the session was established, while the user READ a file and performed some activity, by this time user was removed from the Read-only group, since the session is enabled still user can able to perform the Read access inside the active session.

Re: User Active in AD group

thomas — Mon, 11 Mar 2024 17:57:36 GMT

See the > Figure 7 TACACS Flow with AAA

Notice how a single authentication occurs followed by multiple authorizations. This is because ISE has already authenticated the user against the identity store for their group membership and privilege level so when additional command authorization requests come in there is no authentication - only authorization - against the TACACS+ Command Sets. ISE will not re-authenticate the user against the identity store for the remainder of that session on that network device.

Re: User Active in AD group

lanagna — Thu, 14 Mar 2024 18:47:29 GMT

Thanks @thomas for the more input