topic Re: Use ISE to limit access to specific VRFs in Network Access Control

Use ISE to limit access to specific VRFs

Nerd_Herd — Mon, 09 Sep 2024 15:32:47 GMT

One of my clients would like to limit access of user to their specific VRFs. Since the VRFs span multiple devices its not possible to restrict by network access device, We're using TACACS so I tried to limit commands pertaining to other VRFs but all commands were blocked regardless of the argument given. Ex command = sh argument= ^vrf vrfname$ I used the ^$ symbols to get the start and stop of the string but it hit on every vrf. Any examples doing something would be appreciated.

Re: Use ISE to limit access to specific VRFs

Arne Bier — Mon, 09 Sep 2024 21:05:30 GMT

I don't understand what you mean by "users limited to their VRFs" - unless you're doing SDA where users end up in a specific VN (VRF), access-sessions are authorized on a VLAN level, not VRF. If you're talking about AAA command authorization (TACACS+) then I also don't quite understand the reasoning for this. The "vrf" keyword is interspersed in arcane little places all over various parts of the command syntax. There is no single "vrf mode" for a user. Restricting the command syntax to only issue (for example) one specific VRF for a particular user (group) would be quite messy.

Just some examples of the 'vrf' keyword used with aaa:

aaa group server radius dnac-client-radius-group ip vrf forwarding MANAGEMENT

aaa group server tacacs+ dnac-client-tacacs-group ip vrf forwarding MANAGEMENT

aaa server radius dynamic-author client 1.2.3.4 vrf MANAGEMENT server-key 7 *******

It's never in one consistent place. Perhaps I didn't understand your use case. Can you give some examples of what you're trying to allow, versus what you're trying to disallow?

Re: Use ISE to limit access to specific VRFs

ccieexpert — Tue, 10 Sep 2024 19:31:49 GMT

what vrf do you want to allow .. i think it should be something like this . Please show your command set..

it shoud allow all other commands..

Re: Use ISE to limit access to specific VRFs

ccieexpert — Tue, 10 Sep 2024 19:52:52 GMT

also you can use specific command like "show" if you want..

Re: Use ISE to limit access to specific VRFs

Arne Bier — Tue, 10 Sep 2024 23:10:29 GMT

Valid point @ccieexpert

I had to modify the command and arguments a bit, because the ISE Commands processing supports wildcards (not regex) and the Arguments support regex. Also, your regex contained white spaces that caused this not to work. I tested on www.regex101.com until I got it right.

So, my example is a user (or member of a group) who can only work with the vrf ACME, and no other vrf.

In the Arguments, there are no white spaces.

The priv level 1 commands are important, because that is where a lot of show commands are authorized from - even if your user is authorized to priv 15, when they issue certain show commands, the IOS classifies them as priv 1

aaa group server tacacs+ dnac-network-tacacs-group aaa authentication login VTY_authen group dnac-network-tacacs-group local aaa authorization exec VTY_author group dnac-network-tacacs-group local if-authenticated aaa authorization commands 1 VTY_author group dnac-network-tacacs-group if-authenticated aaa authorization commands 15 VTY_author group dnac-network-tacacs-group if-authenticated aaa authorization config-commands ! line vty 0 4 authorization commands 1 VTY_author authorization commands 15 VTY_author authorization exec VTY_author login authentication VTY_authen transport input ssh

The only problem with the ISE Arguments, is that they don't seem to understand standard regex. For example, my example will not allow the command "show vrf" (assuming you wanted to allow that for this user). I was unable to get ISE to process the regex pattern ^vrf$ which should have allowed this. If you know how to do this, please let me know.

In other words

allow "show vrf"

allow vrf commands containing "ACME"

deny all other commands containing "vrf"

permit all remaining commands

Re: Use ISE to limit access to specific VRFs

Nerd_Herd — Wed, 11 Sep 2024 14:07:52 GMT

That is what the user was asking for. Basically limiting user to only running commands related to their specific vrf. Example groups A,B,C belong to VRFs A,B,C. The client wants the users to only be able to run commands related to their specific VRF.

Re: Use ISE to limit access to specific VRFs

Nerd_Herd — Wed, 11 Sep 2024 14:10:06 GMT

I'll try this.

Re: Use ISE to limit access to specific VRFs

Nerd_Herd — Wed, 11 Sep 2024 14:11:00 GMT

Thanks I'll try this. Documentation suggested using REGEX when building command sets.

Re: Use ISE to limit access to specific VRFs

Nerd_Herd — Wed, 11 Sep 2024 14:32:01 GMT

Do you have a period at the end of the VRF name before the *?

Re: Use ISE to limit access to specific VRFs

MHM Cisco World — Wed, 11 Sep 2024 14:35:58 GMT

How ISE know this user from this VRF abd this user from other VRF' from there you need to start.

After that add command with vrf-aware.

MHM

Re: Use ISE to limit access to specific VRFs

Arne Bier — Wed, 11 Sep 2024 20:53:08 GMT

You would return the appropriate command restrictions to the user during TACACS+ authorization. Depending on how many tenants they need, you'd create an ISE Identity Group (or use an AD Group) and then use that in the TACACS+ Authorization Policy Set.

Re: Use ISE to limit access to specific VRFs

Arne Bier — Wed, 11 Sep 2024 20:56:10 GMT

The "." (period) in regex means "match zero or more occurrences" - a common usage is dot-star, which matches anything before and up to that point. Have a play on regex101.com website - it's a great regular expression teacher

.*vrf ACME.* .*vrf.*

Re: Use ISE to limit access to specific VRFs

MHM Cisco World — Thu, 12 Sep 2024 04:47:42 GMT

How Tacacs (ISE) know this user from this vrf-a or vrf-b

As I know there is no vrf attribute send between SW/R and AAA server.

That my concern here.

Thanks

MHM

Re: Use ISE to limit access to specific VRFs

Arne Bier — Thu, 12 Sep 2024 05:23:32 GMT

I don't know exactly how @Nerd_Herd plans to do this, but I assume that he has users/tenants in different AD groups, and then when those users authenticate via TACACS, ISE can return the appropriate command set. The assumption is that whatever command set is returned for those "groups" of users, is correct. Basically, if bob from GroupA logs into a switch, then he gets profile for GroupA - all users in that group are restricted to only accessing their appropriate Vrf.

Re: Use ISE to limit access to specific VRFs

Nerd_Herd — Mon, 23 Sep 2024 00:48:19 GMT

Correct. I plan on having various security groups tied to specific VRFs. They will have command sets that limit them to vrf commands that only apply to their specific vrf. They can still do standard commands but not interact with another vrf.

Re: Use ISE to limit access to specific VRFs

MHM Cisco World — Mon, 23 Sep 2024 04:59:38 GMT

If that So it will work' keep in mind dont select permit any command not list option.

Goodluck

MHM

Re: Use ISE to limit access to specific VRFs

MHM Cisco World — Mon, 23 Sep 2024 10:04:37 GMT

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ISE_admin_guide_24/m_ise_tacacs_device_admin.html

By the way did you check this guide

It have nice table for command regex

MHM

Re: Use ISE to limit access to specific VRFs

Nerd_Herd — Mon, 23 Sep 2024 13:16:41 GMT

That's one of the things we discovered is that regex does not seem to work.