topic Re: CiscoISE policy applying on switch problem in Network Access Control

CiscoISE policy applying on switch problem

mitros — Mon, 22 Apr 2024 07:07:03 GMT

Hello,

I have a problem with applying policies from CiscoISE 3.2 on switch C3750. It simply doesn't stop the unauthenticated users from logging in to switch, nor it prevent commands that are forbidden by the created policy.

In Live Logs I can see that CiscoISE recognizes not allowed attempt, it gives a red status and describes that authentication (or authorization) failed, but I can still do whatever I want on the switch.

As You can see, it throws "Command failed to match a Permit rule" but switch execute it anyway. Same with "INVALID" identity, it fails to authenticate, but the switch let it log in successfully...

Could You please give me advice what could be misconfigured when it acts like this.

TIA

Re: CiscoISE policy applying on switch problem

MHM Cisco World — Mon, 22 Apr 2024 07:09:28 GMT

Share the config in SW'

The aaa and vty line

MHM

Re: CiscoISE policy applying on switch problem

mitros — Mon, 22 Apr 2024 09:29:24 GMT

aaa group server tacacs+ TACACS-SERVERS
server 192.168.2.25
ip vrf forwarding MGMT
!
aaa authentication login default group TACACS-SERVERS local
aaa authentication login VTY group TACACS-SERVERS local
aaa authentication login CONSOLE local
aaa authentication enable default enable
aaa authentication dot1x default group tacacs+
aaa authorization config-commands
aaa authorization exec VTY group TACACS-SERVERS local if-authenticated
aaa authorization exec CONSOLE local
aaa authorization commands 0 VTY group TACACS-SERVERS local if-authenticated
aaa authorization commands 1 VTY group TACACS-SERVERS local if-authenticated
aaa authorization commands 15 VTY group TACACS-SERVERS local if-authenticated
aaa authorization network default group tacacs+
aaa accounting update newinfo periodic 2880
aaa accounting exec default start-stop group TACACS-SERVERS
aaa accounting commands 0 default start-stop group TACACS-SERVERS
aaa accounting commands 1 default start-stop group TACACS-SERVERS
aaa accounting commands 15 default start-stop group TACACS-SERVERS
aaa accounting system default start-stop group TACACS-SERVERS
!

!
line con 0
logging synchronous
login authentication CONSOLE
stopbits 1
line vty 0 4
authorization commands 1 VTY
authorization commands 15 VTY
authorization exec VTY
logging synchronous
transport preferred none
transport input ssh
line vty 5 15
authorization commands 1 VTY
authorization commands 15 VTY
authorization exec VTY
logging synchronous
transport preferred none
transport input ssh
!

Re: CiscoISE policy applying on switch problem

MHM Cisco World — Mon, 22 Apr 2024 09:31:53 GMT

Since you change the auth from default to VTY

You need to specify that under vty lines

MHM

Re: CiscoISE policy applying on switch problem

Aref Alsouqi — Mon, 22 Apr 2024 09:50:42 GMT

The line should already take care of that "aaa authentication login default group TACACS-SERVERS local".
.

Re: CiscoISE policy applying on switch problem

Aref Alsouqi — Mon, 22 Apr 2024 09:51:53 GMT

Your shared configs look good to me. Please share the TACACS command sets and authorization policies from ISE for review.

Re: CiscoISE policy applying on switch problem

MHM Cisco World — Mon, 22 Apr 2024 09:54:14 GMT

Change the Auth method from defualt to VTY under vty line' the exec level is send in auth process.

MHM

Re: CiscoISE policy applying on switch problem

mitros — Mon, 22 Apr 2024 10:54:44 GMT

Revised aaa, and vty:

aaa group server tacacs+ TACACS-SERVERS
server 192.168.2.25
ip vrf forwarding MGMT
!
aaa authentication login VTY group TACACS-SERVERS local
aaa authentication enable default enable group tacacs+
aaa authentication dot1x default group tacacs+

aaa authorization config-commands
aaa authorization exec VTY group TACACS-SERVERS local
aaa authorization exec CONSOLE local
aaa authorization commands 0 VTY group TACACS-SERVERS local
aaa authorization commands 1 VTY group TACACS-SERVERS local
aaa authorization commands 15 VTY group TACACS-SERVERS local
aaa authorization network default group tacacs+

aaa accounting update newinfo periodic 2880
aaa accounting exec default start-stop group TACACS-SERVERS
aaa accounting commands 0 default start-stop group TACACS-SERVERS
aaa accounting commands 1 default start-stop group TACACS-SERVERS
aaa accounting commands 15 default start-stop group TACACS-SERVERS
aaa accounting system default start-stop group TACACS-SERVERS

line con 0
logging synchronous
login authentication CONSOLE
stopbits 1

line vty 0 4
authorization commands 0 VTY
authorization commands 1 VTY
authorization commands 15 VTY
authorization exec VTY
logging synchronous
login authentication VTY
transport preferred none
transport input ssh

line vty 5 15
authorization commands 0 VTY
authorization commands 1 VTY
authorization commands 15 VTY
authorization exec VTY
logging synchronous
login authentication VTY
transport preferred none
transport input ssh

No success yet...

Re: CiscoISE policy applying on switch problem

mitros — Mon, 22 Apr 2024 10:55:21 GMT

Re: CiscoISE policy applying on switch problem

Aref Alsouqi — Mon, 22 Apr 2024 11:31:24 GMT

I can't see anything wrong with your configs so far. Could you please click on both TACACS logs in ISE, the one with the green icon and the one with the red icon and share those pages for review?

Also, the "Default" authorization rule should be configured with the deny "DenyAllCommands" command set, but this should be irrelevant to your issue.

Another thing I would recommend would be to configure a new authentication method list for console accesses and apply it to the console line, but again this shouldn't be relevant to your issue.

Re: CiscoISE policy applying on switch problem

mitros — Mon, 22 Apr 2024 11:50:25 GMT

Re: CiscoISE policy applying on switch problem

Aref Alsouqi — Mon, 22 Apr 2024 12:23:49 GMT

The successful log shows that the session of the user "admin2" did not match any command set, you can see that in the overview section on that page.

Could you please also share the "admin2" failed log, the one right below the one with the green icon?

Re: CiscoISE policy applying on switch problem

mitros — Mon, 22 Apr 2024 13:18:59 GMT

Re: CiscoISE policy applying on switch problem

Aref Alsouqi — Mon, 22 Apr 2024 14:11:44 GMT

Thanks for that. Based on the provided logs it seems that the command authorization should work as expected, ISE is clearly showing that there was a command authorization failure, so the switch should fail the authorization of that command as well. This leads me to think that maybe the switch is hitting a software bug that is causing this anomaly, or maybe the switch is continuously losing connection to ISE and it falls back to the local authorization?

You can look at the exact commands that were associated to the sessions by looking at TACACS report logs in "Operations > Reports > Reports > Device Administration > TACACS Authorization".

I would try to enable TACACS debugs and look at the output while trying to issue a command that shouldn't be allowed and see what the switch returns. To enable TACACS debugs you would need these commands:

debug aaa authorization
debug tacacs

Also, you mentioned in your original post that the unauthenticated users are able to log into the switch? could you elaborate more on this please?

Re: CiscoISE policy applying on switch problem

MHM Cisco World — Mon, 22 Apr 2024 14:47:51 GMT

Access to device and then show privilege' check in which privilege thenuser is

Also' in auth under thr policy set' there is option can you mention which selection you use for unknown user? The ISE live logs show that user is not found in internal identity db' can you you the selection and action of defualt authorization in ISE

MHM

Re: CiscoISE policy applying on switch problem

mitros — Tue, 23 Apr 2024 06:57:01 GMT

TACACS report logs in "Operations > Reports > Reports > Device Administration > TACACS Authorization" shows empty past 7 days??

Q: Also, you mentioned in your original post that the unauthenticated users are able to log into the switch? could you elaborate more on this please?

A: That is user which I created on switch, but didn't add it to CiscoISE identities. ISE doesn't know for it, so can't find it in Users Identity Groups. Therefore it call that user INVALID - cant pass authentication ( at least for ISE, in reality it can log in to switch no problem)

LAB_SW_2.20#debug aaa authorization
AAA Authorization debugging is on
LAB_SW_2.20#debug tacacs
TACACS access control debugging is on
LAB_SW_2.20#conf t
Enter configuration commands, one per line. End with CNTL/Z.
LAB_SW_2.20(config)#
LAB_SW_2.20(config)#
LAB_SW_2.20(config)#

"configuration terminal" should be forbidden, but switch executes it. Logs in CiscoISE however reports fail authorization on that command, picture attached below:

Re: CiscoISE policy applying on switch problem

mitros — Tue, 23 Apr 2024 07:01:09 GMT

LAB_SW_2.20#sh privilege
Current privilege level is 15

Q:The ISE live logs show that user is not found in internal identity db' can you you the selection and action of defualt authorization in ISE

A: I've answered in previous post just above, there is one user created on switch that is not added to ISE, so it throws user is not found in internal identity db

Re: CiscoISE policy applying on switch problem

Aref Alsouqi — Tue, 23 Apr 2024 08:45:14 GMT

Thanks for that. The "INVALID" users in the logs can be disclosed by changing the "Disclose invalid usernames" under Administration > System > Settings > Security Settings > Disclose invalid usernames" to always or for a limited amount of time.

No debugs returned at all? if you are connected to the switch via SSH then please issue the command "terminal monitor" to replicate the output to the screen and share any debug output.

I am kinda running out of ideas here, my gut feeling is that this switch is not performing TACACS operations correctly. Or, as mentioned previously, it could be that the switch for some reason keeps losing the connection with ISE and accordingly falls back to the local database for both authentication and authorization.

One thing you can do to test this would be to remove the "local" keyword for TACACS and see if the behaviour would still be the same, if so, I would say the switch is hitting a software bug, if not, then it would related to some communication issues with ISE. However, please make sure that you have at least console access and that is configured with local database, otherwise you might look yourself out and had to reload the switch before you get access to it. Alternatively you can schedule a reload before you apply any changes. But let's first try to get to the bottom of this by relying on TACACS debugs and see if we get anything.

Re: CiscoISE policy applying on switch problem

mitros — Tue, 23 Apr 2024 10:15:42 GMT

It seems that I've found a problem.

In CiscoISE Administration>Network Devices>selected device> Edit > TACACS Authentication Settings

It should be checked Legacy Cisco Device. I had other configured and it didn't work.

Pictures below :

Now, unregistered user gets message:

login as: admin
Keyboard-interactive authentication prompts from server:
| Password:
End of keyboard-interactive prompts from server
Access denied

And unauthorized commands get note:

LAB_SW_2.20#conf t
Command authorization failed.

All that followed by adequate status in CiscoISE Live Logs. 🙂

Thank You all for participating in troubleshooting!

Re: CiscoISE policy applying on switch problem

MHM Cisco World — Tue, 23 Apr 2024 10:43:39 GMT

Thanks a lot for update us

Have a nice day

MHM