on 08-20-2024 05:52 AM
Hello Community
I have a small setup where I have a client, 9300 Switch and Cisco ISE. I have configured HTTPS Server on Switch.
I have also set up ISE, created a user (httpsuser) and a User Identity Group (httpsgroup). I created a Device Admin Policy Set where, in Authentication, I used the default (all_user_ID_Stores), and in Authorization Policy I created a rule which compares the User Identity and, if it matches, applies All Commands in Command Sets and Privilege Level 15 in the Shell Profile.
Now the Client is not able to do HTTPS://192.168.1.2 with the given username and password. Also Switch shell is not accessible with the same username and password.
Thank you for a suggestion.
A.
on 08-20-2024 01:59 PM
This can be a switch configuration problem. I believe the following doc contemplates both ISE and switch:
https://www.wiresandwi.fi/blog/cisco-ise-configuring-radius-authentication-for-device-administration
on 08-20-2024 02:01 PM
@Flavio Miranda Dear Flavio, I have configured TACACS because it is used for Management Plane purposes.
on 08-20-2024 02:37 PM
Here is one example for TACACS and admin web interface:
aaa new-model
!
!
aaa group server tacacs+ pom-ise
 server name pom-ise01
 server name pom-ise02
!
aaa authentication login default group pom-ise local
aaa authentication login console local
aaa authentication webauth default group pom-ise local
aaa authorization config-commands
aaa authorization exec default group pom-ise if-authenticated
aaa authorization commands 15 default group pom-ise if-authenticated
!
no ip http server
ip http authentication aaa login-authentication default
ip http authentication aaa exec-authorization default
ip http secure-server
!
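An added example, not part of the original post or of any Cisco tooling: a small Python check that the `ip http authentication aaa` lines in a saved configuration point at method lists and server groups that are actually defined, using the names from the config above. The helper name `audit_http_aaa` and the rules it applies are assumptions of this example.

```python
import re

# Constructed sample: a subset of the AAA/HTTP lines from the post above.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server tacacs+ pom-ise
 server name pom-ise01
 server name pom-ise02
aaa authentication login default group pom-ise local
aaa authorization exec default group pom-ise if-authenticated
no ip http server
ip http authentication aaa login-authentication default
ip http authentication aaa exec-authorization default
ip http secure-server
"""

# HTTP keyword -> prefix of the AAA method-list line it refers to.
BINDINGS = {"login-authentication": "aaa authentication login",
            "exec-authorization": "aaa authorization exec"}
BUILTIN_GROUPS = {"tacacs+", "radius"}

def audit_http_aaa(config):
    """Return findings (hypothetical helper); an empty list means consistent."""
    lines = [l.strip() for l in config.splitlines() if l.strip() not in ("", "!")]
    findings = []
    if "aaa new-model" not in lines:
        findings.append("aaa new-model is missing")
    if "ip http secure-server" not in lines:
        findings.append("ip http secure-server is missing")
    if "ip http server" in lines:
        findings.append("plain-text HTTP server is enabled")
    # Names of all server groups defined with 'aaa group server <type> <name>'.
    defined = {m.group(1) for l in lines
               if (m := re.fullmatch(r"aaa group server \S+ (\S+)", l))}
    for keyword, prefix in BINDINGS.items():
        bound = [l.split()[-1] for l in lines
                 if l.startswith(f"ip http authentication aaa {keyword} ")]
        if not bound:
            findings.append(f"no 'ip http authentication aaa {keyword}' line")
            continue
        method = [l for l in lines if l.startswith(f"{prefix} {bound[0]} ")]
        if not method:
            findings.append(f"'{prefix} {bound[0]}' is not defined")
            continue
        # Every custom server group the method list names must exist.
        for group in re.findall(r"\bgroup (\S+)", method[0]):
            if group not in BUILTIN_GROUPS and group not in defined:
                findings.append(f"server group '{group}' is not defined")
    return findings
```
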
on 08-21-2024 12:22 AM
@Flavio Miranda this config makes sense. Do we need the exec-authorization command also? Because I have already configured All Commands with Priv Lev 15 in ISE. Thank you.
on 08-20-2024 02:06 PM
Hello @ahmedaburaihan
Did you check that HTTPS is properly configured on the switch? Verify that the switch is configured to use HTTPS and that you have generated the necessary certificates.
on 08-21-2024 12:23 AM
M02@rt37 Yes, there is no problem with configs. The Switch does not have any TrustPoints, it creates Self-Signed Cert.