topic Attached is a successful user in Network Security

ISE Device Administration (ACS) enable passwords integrated with Active Directory

Christopher Horton — Fri, 21 Feb 2020 13:50:06 GMT

I'm working on an ISE standalone implementation and running into an issue where the enable password for a device isn't pulling properly. I have initial login tied back to AD and I have policy conditions/results/sets all working as they need to be. My test switch is a 2960S. I tried configuring "aaa authentication enable default group <ISE group> enable", but the only way I could do an enabled login with that was if the user was locally configured in ISE Identity Management > Identities > Users. Is there something I have missed that will tie enable passwords to an active directory group like I have working for initial login?

Hi

Francesco Molino — Mon, 06 Jun 2016 22:55:41 GMT

are you provisionning privilege level on your authorization policy? Could you give an output please?

Yes. I was following one of

Christopher Horton — Tue, 07 Jun 2016 00:22:30 GMT

Yes. I was following one of the example documents and giving default and max privilege levels. Let me know exactly what output you would like and I'll grab it for you.

The rules for devices

Francesco Molino — Tue, 07 Jun 2016 00:31:41 GMT

The rules for devices authentication, the authorization policy and logs from ise.

eventually, ios config for aaa

authentication policy

Christopher Horton — Tue, 07 Jun 2016 17:19:17 GMT

authentication policy

Default Rule only

authorization policy

Full Network Access

If AD group = Super Admin Group

then permit all commands and shell profile

Read-Only Access

If AD group = Read Only Group

then permit show commands and shell profile

Default

Deny all

For the commands and profile:

permit all commands

allows all CLI commands

permit show commands

allows only "show" CLI commands

shell profile

default priv = 15
max priv = 15

Current working aaa configs:

aaa new-model
aaa group server tacacs+ ISE_ACS
aaa authentication login default local
aaa authentication login ACS_Secure group ISE_ACS local
aaa authentication enable default enable
aaa authorization config-commands
aaa authorization exec ACS_Secure group ISE_ACS local if-authenticated
aaa authorization commands 15 ACS_Secure group ISE_ACS local if-authenticated
aaa accounting exec default start-stop group ISE_ACS
aaa accounting network default start-stop group ISE_ACS
aaa session-id common

The aaa authentication enable configuration is what I have been playing around with. When I set that to get the enable login from ISE, that is when it looks for a local user account within the ISE system.

Could you add logs from

Francesco Molino — Tue, 07 Jun 2016 19:13:16 GMT

Could you add logs from authenticated users?

Attached is a successful user

Christopher Horton — Tue, 07 Jun 2016 19:25:42 GMT

Attached is a successful user authentication log. Please let me know if this is not what you were looking for.

I don't see the authorization

Francesco Molino — Tue, 07 Jun 2016 20:28:30 GMT

I don't see the authorization profile that ISE is pushing on your word document.

Could you make another screenshot of logging please?

I'm not able to access my lab. As soon as I'm getting access, I will try to send out some screenshots of configuration.

I see just an error with your

Francesco Molino — Tue, 07 Jun 2016 22:10:18 GMT

I see just an error with your aaa authentication enable default enable. You should specify the Tacacs group.

I don't have access right now to my lab with ISE.

Here is my config for switches used with ACS.

aaa authentication login TACACS-SRV group tacacs+ local
aaa authentication login Console local
aaa authentication dot1x default group radius
aaa authorization exec TACACS-SRV group tacacs+ local
aaa authorization commands 15 TACACS-SRV group tacacs+ local
aaa authorization network default group radius
aaa accounting exec TACACS-SRV start-stop group tacacs+
aaa accounting commands 15 TACACS-SRV start-stop group tacacs+

If you give me all outputs maybe we can figure out why your ISE TACACS not working with AD. I don't see any reason except a misconfiguration or another issue.

Just to go on enable mode, you don't need anymore the command aaa authentication enable default enable. This enable mode is pushed to the user if he gets privilege 15. Your issue should be on profile or policy. With authorization log, we can see if ISE is pushing the policy or not and why?

So I've been trying to

Christopher Horton — Thu, 09 Jun 2016 14:02:46 GMT

So I've been trying to recreate the issue I had initially, but when I went back and added in "aaa authentication enable default group <ACS_Group> enable" it is working now. I haven't been able to determine what was done differently between this attempt and my previous that was unsuccessful, but I do appreciate all the help!

Cool. I'm happy that we

Francesco Molino — Thu, 09 Jun 2016 14:06:43 GMT

Cool. I'm happy that we solved your issue.

Have a good day