topic Re: Cisco ISE - problem with TACACS command sets in Network Access Control

Cisco ISE - problem with TACACS command sets

lnw-team — Mon, 01 Jul 2024 12:12:33 GMT

Hello,

I've been given a task to provide administrative access for local IT guys so that they are able to execute limited set of commmands. The following TACACS command sets has been configured to achieve that objective:

Unfortunately, it does not work the way it's supposed to. After logging to the device and hitting appropriate authorizatation policy, I'm unable to execute the following commands (which is desired outcome):

- reload
- debug
- traceroute
- show running-config
- configure terminal

All allowed commands (ping, terminal monitor, terminal no monitor, show interface status, show logging) are working fine. However, I've noticed that other show commands such as "show spanning-tree", "show spanning-tree root", or "show ntp packets" can also be executed although they should be denied. Could anyone explain this? I'll add that I've tried several options with "Deny" and "Deny always".

Thank you in advance!

Re: Cisco ISE - problem with TACACS command sets

Arne Bier — Mon, 01 Jul 2024 20:46:25 GMT

I have a feeling that your IOS device is not performing command authorization, hence, ISE is not getting involved in the command authorization. Can you please share your

show run | in aaa

Command authorization can be enabled for any and every priv level you give your admins. I always give everyone priv15 because that is needed for a "show run". Therefore, the command authorization would look like this (my example uses the TACACS+ group "tacacs_group" and the "default" method list ... adjust as necessary to suit your scenario)

aaa authorization commands 15 default group tacacs_group if-authenticated

Re: Cisco ISE - problem with TACACS command sets

lnw-team — Tue, 02 Jul 2024 05:34:56 GMT

Hello,

in my case it's slightly different, It looks like this:

aaa authorization commands 15 default local group TACACS if-authenticated

Do you think it might be cause od the issue?

Re: Cisco ISE - problem with TACACS command sets

Arne Bier — Tue, 02 Jul 2024 05:57:26 GMT

Yes - if you use the built-in help (question mark) you can see that the "local" is not correct

switch(config)#aaa authorization commands 15 default ? cache Use Cached-group group Use server-group. if-authenticated Succeed if user has authenticated. local Use local database. none No authorization (always succeeds).

We don't want to perform command authorization using local accounts - therefore, assuming your TACACS+ aaa group is called "TACACS" (as your example shows), then change the command to look like this

aaa authorization commands 15 default group TACACS if-authenticated

Re: Cisco ISE - problem with TACACS command sets

lnw-team — Tue, 02 Jul 2024 06:55:03 GMT

But I'm also using local accounts as a backup authentication method. Furthermore, I'm wondering why it's working fine for most of the commands. As I mentioned before, I'm unable to execute "debug", "reload" or "conf t" command. Local authorization should also be enbled as a backup.

Re: Cisco ISE - problem with TACACS command sets

Larry Sullivan — Tue, 02 Jul 2024 17:58:21 GMT

Did you also configure "aaa authorization config-commands"

Been working on a similar implementation and the above command needs to be configured on my network devices (Cisco) for ISE to get granular with authorized commands.

Re: Cisco ISE - problem with TACACS command sets

Arne Bier — Tue, 02 Jul 2024 21:26:37 GMT

@lnw-team - do you see the ISE Command authorization attempts in the ISE TACACS Live Logs? If not, then check the vty line settings because you also need - e.g.

vty 0 15 authorization commands 15 VTY_Name

I also keep forgetting that the IOS exec shell doesn't pass ALL commands to the AAA for evaluation unless you specify the exact priv level used by that command

E.g. show running-config is sent to AAA for eval because it's a priv level 15 command.

But commands like "show version", "show users" etc. are priv 1 commands.

Therefore you must configure aaa authorization commands in global and line vty for all possible priv levels.

I tested it just now and forgot priv level 1, which is used for show users, etc.

I wish there was a list that showed us which priv level is used for which command.

Your DENY_ALWAYS rule is a dangerous one. It takes precedence over ALL the other commands, and just because you put it at the end of the rules, doesn't mean it gets executed last - it gets evaluated FIRST! Always ... dangerous command.