topic Re: ISE AAA TACACS+ authentication with NX-OS and IOS - My policy set in Network Access Control

ISE AAA TACACS+ authentication with NX-OS and IOS - My policy set appears to accept one or the other

RAMAN AZIZIAN — Wed, 06 May 2020 22:50:17 GMT

Hello everyone,

I can't seem to figure out the logic behind the policy set to authenticate and authorize my users based on the privilege and device type. Sorry for the lengthy description.

I have a couple of ISE 3615 appliances, running version 2.6. Only one of the appliances is configured. Planning on configuring the second one later.

In my network I have multiple Catalyst 9300/9500 and Nexus 9300 switches. They are all happy and have L3 reach ability and I am currently using local account on each one of them.

My ISE-T1 is configured and joined to my domain successfully. It is running all the personas.

I have two users groups OU that I have pulled down.

Domain User - (The users in this OU will have limited read only access)

Domain Admin - (The user in the OU will have full R/W access)

I have created the following TACACS command sets profiles:

AD-NXOS-Admin

AD-NXOS-Op ((Can issue the following commands: show int status, show vpc brief, sho run, etc)

AD-IOS-Admin

AD-IOS-Op (Can issue the following commands: show int status, sho ip int b, sho run, etc)

I have also created the following TACACS Profiles

AD-NXOS-Admin-shell

AD-NXOS-Op-shell

AD-IOS-Admin-shell

AD-IOS-Op-shell

The problem I am running into, and I hope I can explain it clearly is, the device Admin policy Sets that I create appears to only accept the first two rules, and it doesn't matter if I have specific for each type of user (NXOS or IOS)

Here's the Policy set: There are two of them:

AD-NXOS-ACCESS : DEVICE:DevicetypeEQUALS all device types#Cisco NX-OS default Device Admin >

AD-IOS-ACCESS: DEVICE:DevicetypeEQUALSall device types : Default Device Admin >

Now the configs for the authentication and Authorization for each one

This if for the IOS devices

Authentication policy (1) - It points to my my.AD

Authorization policy (3)

AD-IOS-ADMIN - my.AD.ExternalGroupsEQUALS my.AD/Users/Domain Admins - AD-IOS-Admin - AD-IOS-Admin-shell

AD-IOS-Operator my.AD.ExternalGroupsEQUALS my.AD/Users/Domain Users - AD-IOS-Op - AD-IOS-Op-Shell

Default - DenyAllCommands

This is for NX-OS device

Authentication policy (1) - It points to my my.AD

Authorization policy (3)

AD-NXOS-ADMIN my.AD.ExternalGroupsEQUALS my.AD/Users/Domain Admins -AD-NXOS-Admin - AD-NXOS-Admin-Shell

AD-NXOS-Operator my.AD.ExternalGroupsEQUALS my.AD/Users/Domain Users -AD-NXOS-Op - AD-NXOS-Op-shell

Default - DenyAllCommands

Even though I have two separate policies in the Policy Sets, it seems that I only use the AD-IOS-Admin or AD-IOS-Op and not the Nexus specific.

I am able to successfully login as Operator User to IOS device and issue the limited commands.

I am able to successfully login as Admin to both NXOS and IOS switches and I have full access to everything.

I am able to successfully login as Operator user to NXOS, but I can't issue any show commands as I have listed.

When I looked at the Operations logs under TACACS+, I noticed only the IOS policies were being used even though I was logging into the NX-OS switches.

I guess I am trying to figure out what logic (AND / OR) i need to put in my policy to distinguish and forward to specific rules.

Be glad to provide any other info if needed.

Thank you kindly for reading and providing feedbacks.

Raman Azizian

Re: ISE AAA TACACS+ authentication with NX-OS and IOS - My policy set appears to accept one or the other

Mike.Cifelli — Wed, 06 May 2020 23:28:18 GMT

IMO you have a couple of options to accomplish what you are trying to do. One of those options would be to group devices by device type (This can be found here: Administration->Network Resources->Network Device Groups). Then use DEVICE: Device Type as an additional authz condition. Essentially you would group your IOS NADs in one group and your NX-OS devices in another and rely on that group condition to steer policy that way. HTH!

Re: ISE AAA TACACS+ authentication with NX-OS and IOS - My policy set appears to accept one or the other

poongarg — Thu, 07 May 2020 02:09:02 GMT

Adding to above, On Nexus we prefer to have role based access instead of command authorization.

Although command authorization via Tacacs is allowed on the Nexus but Command authorization disables user role based authorization control (RBAC), including the default role.

Do not use "Default Shell Profile" instead create a new shell profile to be used for Nexus device.

New shell profile > Task Attribute view>Go to "Common Task Type" > Nexus. Set attributes as "mandatory" Network Role "Administrator (Read Write)" and VDC Role "Administrator (Read Write)"

Once saved, you will see below profile attributes under raw view

shell:roles="network-admin vdc-admin"

shell:roles="network-operator vdc-operator" >>> This will appear if you will select operator read-only role.

Re: ISE AAA TACACS+ authentication with NX-OS and IOS - My policy set appears to accept one or the other

RAMAN AZIZIAN — Thu, 07 May 2020 21:57:57 GMT

Hello Mike,

Thank you for your suggestion and I'm able to now allow specific access based on the RBAC and user access.

I created two groups

IOS-Devices

NXOS-Device

Re: ISE AAA TACACS+ authentication with NX-OS and IOS - My policy set appears to accept one or the other

RAMAN AZIZIAN — Thu, 07 May 2020 22:01:32 GMT

Hello Poongarg,

I took your suggestion and I set Mandatory to both admin RBAC and Operator RBAC.

I also used Mike's suggestion for separation of the devices to further differentiate and steer the connection to the correct policy.

Now it's time to go figure out how HA works and what all I need to do to make that work.

Thank you again for both of you for helping me solve this problem.

Cheers,

Raman

Re: ISE AAA TACACS+ authentication with NX-OS and IOS - My policy set

LearnerNewbee — Tue, 11 Mar 2025 04:36:47 GMT

Hi Poongarg, could you give me an idea here please? I'm configuring cisco ISE(Radius) for nexus 9300 switch but after I have done all policy and authorization it doesn't give me access, couldn't authenticate even when i check the log. I just chose Cisco device profile when creating a device, i couldn't found separate Cisco nexus profile in the list. Does this cause the problem? If so, how do I add new device profile for Nexus and what are the parameters? Or should i import dictionary like 3rd party devices?