cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Welcome to Cisco Firewalls Community


715
Views
0
Helpful
4
Replies
Highlighted

ASDM TACACS Administration using ISE

Hi Experts,

 

We've Device Admin License in ISE and policies are configured based on the AD groups to grant Read Only Access to network and security devices for the SOC team.

 

The problem is, when user is trying to access ASA via CLI, he's authenticated and authorized via RO privileges. But when he's trying to access the same device via ASDM ,he's able to authenticate but when navigating to other sections of ASDM noticed "command failed" error messages.

 

Is this how ISE treats ASDM access when compared to CLI which has more granular control commands over webgui. Please assist

 

Failure Reason  13025 Command failed to match a Permit rule

Resolution         Check the Selected CommandSet attributes to verify that the expected Command Sets were selected by the Authorization policy

Root Cause        The requested command failed to match a Permit rule in any of the Command Sets

 

Response           {AuthenticationResult=Passed; AuthorizationFailureReason=CmdDidNotMatchPermitRule; Author-Reply-Status=Fail; }

 

STEPS:


13005 Received TACACS+ Authorization Request - mydomain name
15049 Evaluating Policy Group - user-admin
15008 Evaluating Service Selection Policy - mydomain
15041 Evaluating Identity Policy - mydomain
22072 Selected identity source sequence - srwprod.com,Domain trust is one-way
15013 Selected Identity Source - srwcert.com,Domain trust is one-way
24210 Looking up User in Internal Users IDStore
24216 The user is not found in the internal users identity store - mydomain
15013 Selected Identity Source - myidentitysourcename
24432 Looking up user in Active Directory - myidentitysourcename
24325 Resolving identity - user-admin
24313 Search for matching accounts at join point - mydomain
24320 Multiple matching accounts in forest - mydomain
24367 Skipping unusable domain - srwprod.com,Domain trust is one-way
24367 Skipping unusable domain - srwcert.com,Domain trust is one-way
24323 Identity resolution detected single matching account
22037 Authentication Passed
15036 Evaluating Authorization Policy
15048 Queried PIP - DEVICE.Device Type
15048 Queried PIP - Network Access.UserName
15048 Queried PIP - IdentityGroup.Name
24432 Looking up user in Active Directory
24325 Resolving identity
24313 Search for matching accounts at join point
24320 Multiple matching accounts in forest
24367 Skipping unusable domain
24367 Skipping unusable domain
24323 Identity resolution detected single matching account
24355 LDAP fetch succeeded
24416 User's Groups retrieval from Active Directory succeeded
15048 Queried PIP - myidentitysourcegroups
15048 Queried PIP - IdentityGroup.Name
15048 Queried PIP - DEVICE.Location
15018 Selected Command Set
13025 Command failed to match a Permit rule
13034 Returned TACACS+ Authorization Reply

Everyone's tags (2)
4 REPLIES 4
Cisco Employee

Re: ASDM TACACS Administration using ISE

ASDM recognizes three types of user privileges:

  • Privilege level 2 - monitor
  • Privilege 5 - read-only
  • Privilege15 - admin

With that said:

  1. What attributes are you returning back with the Authorization profile in ISE?
  2. Are you utilizing any other privilege levels than the ones listed above?
  3. Lastly, have you moved any commands to a different privilege level than their default ones?

Thank you for rating helpful posts!

Re: ASDM TACACS Administration using ISE

Hi nspaov,

 

Thanks for the reply. If the user is part of specific AD group and if he's accessing ASA firewalls, he'll be granted with "Network L1 commands"  with Privilege 15.

 

when he's trying to navigate to other sections (like SFR), noticed "session sfr do get euta-status" command is generated and authorization failed in ISE logs. If I'm not wrong, he should be able to navigate to other page and the config commands should be grayed out.

 

1. What attributes are you returning back with the Authorization profile in ISE

priv-lvl=15
max_priv_lvl=15

 

2. Are you utilizing any other privilege levels than the ones listed above?

As specified .

 

3. Lastly, have you moved any commands to a different privilege level than their default ones?

 

These are the allowed RO commands with the privilege 15.

===

PERMIT menu
PERMIT terminal width
PERMIT more
PERMIT show
PERMIT ping
PERMIT traceroute
PERMIT ssh
PERMIT telnet
PERMIT enable
PERMIT exit
PERMIT clear line
PERMIT terminal length
PERMIT terminal pager

Cisco Employee

Re: ASDM TACACS Administration using ISE

If you are returning Privilege-Level 15 then that user should have access to all commands and nothing should be grayed out. I have not seen message "session sfr do get euta-status" before so it might require assistance from TAC. Is the Firepower module managed via ASDM as well or do you have FMC (Firepower Management Center) deployed?

Thank you for rating helpful posts!

Re: ASDM TACACS Administration using ISE

Hi nsapov,

Rules are allowed with Shell profile called "L1 commands" and the AuthZ policies are set to "privilege 15". So in this case, they'll have complete access (with Priv 15) or only the commands which are shared earlier...?

Source fire is managed by FMC and we've separate rules for IPS devices.

 

 

CreatePlease to create content
Content for Community-Ad
FusionCharts will render here