ASDM TACACS Administration using ISE

Hi Experts,

We have a Device Admin License in ISE, and policies are configured based on AD groups to grant Read Only access to network and security devices for the SOC team.

The problem is, when a user tries to access the ASA via the CLI, he is authenticated and authorized with RO privileges. But when he tries to access the same device via ASDM, he is able to authenticate, but when navigating to other sections of ASDM he sees "command failed" error messages.

Is this how ISE treats ASDM access compared to the CLI, which has more granular control over commands than the web GUI? Please assist.

 

Failure Reason: 13025 Command failed to match a Permit rule

Resolution: Check the Selected CommandSet attributes to verify that the expected Command Sets were selected by the Authorization policy

Root Cause: The requested command failed to match a Permit rule in any of the Command Sets

Response: {AuthenticationResult=Passed; AuthorizationFailureReason=CmdDidNotMatchPermitRule; Author-Reply-Status=Fail; }

 

STEPS:

13005 Received TACACS+ Authorization Request - mydomain name
15049 Evaluating Policy Group - user-admin
15008 Evaluating Service Selection Policy - mydomain
15041 Evaluating Identity Policy - mydomain
22072 Selected identity source sequence - srwprod.com,Domain trust is one-way
15013 Selected Identity Source - srwcert.com,Domain trust is one-way
24210 Looking up User in Internal Users IDStore
24216 The user is not found in the internal users identity store - mydomain
15013 Selected Identity Source - myidentitysourcename
24432 Looking up user in Active Directory - myidentitysourcename
24325 Resolving identity - user-admin
24313 Search for matching accounts at join point - mydomain
24320 Multiple matching accounts in forest - mydomain
24367 Skipping unusable domain - srwprod.com,Domain trust is one-way
24367 Skipping unusable domain - srwcert.com,Domain trust is one-way
24323 Identity resolution detected single matching account
22037 Authentication Passed
15036 Evaluating Authorization Policy
15048 Queried PIP - DEVICE.Device Type
15048 Queried PIP - Network Access.UserName
15048 Queried PIP - IdentityGroup.Name
24432 Looking up user in Active Directory
24325 Resolving identity
24313 Search for matching accounts at join point
24320 Multiple matching accounts in forest
24367 Skipping unusable domain
24367 Skipping unusable domain
24323 Identity resolution detected single matching account
24355 LDAP fetch succeeded
24416 User's Groups retrieval from Active Directory succeeded
15048 Queried PIP - myidentitysourcegroups
15048 Queried PIP - IdentityGroup.Name
15048 Queried PIP - DEVICE.Location
15018 Selected Command Set
13025 Command failed to match a Permit rule
13034 Returned TACACS+ Authorization Reply

4 Replies

nspasov (Cisco Employee)

ASDM recognizes three types of user privileges:

  • Privilege level 2 - monitor
  • Privilege level 5 - read-only
  • Privilege level 15 - admin

With that said:

  1. What attributes are you returning back with the Authorization profile in ISE?
  2. Are you utilizing any other privilege levels than the ones listed above?
  3. Lastly, have you moved any commands to a different privilege level than their default ones?

Thank you for rating helpful posts!

Hi nspasov,

Thanks for the reply. If the user is part of a specific AD group and he is accessing ASA firewalls, he will be granted "Network L1 commands" with Privilege 15.

When he tries to navigate to other sections (like SFR), I noticed that the "session sfr do get euta-status" command is generated and authorization fails in the ISE logs. If I'm not wrong, he should be able to navigate to the other pages and the config commands should be grayed out.

1. What attributes are you returning back with the Authorization profile in ISE?

priv-lvl=15
max_priv_lvl=15

2. Are you utilizing any other privilege levels than the ones listed above?

As specified.

3. Lastly, have you moved any commands to a different privilege level than their default ones?

These are the allowed RO commands with privilege 15.

===

PERMIT menu
PERMIT terminal width
PERMIT more
PERMIT show
PERMIT ping
PERMIT traceroute
PERMIT ssh
PERMIT telnet
PERMIT enable
PERMIT exit
PERMIT clear line
PERMIT terminal length
PERMIT terminal pager
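To see why the ASDM SFR page trips 13025 against this command set, here is an added Python model of how a TACACS+ command set is evaluated; it is not ISE's code and not from this thread. It assumes exact matching on the command word, regex matching on the arguments, DENY_ALWAYS > PERMIT > DENY precedence and deny-by-default for unlisted commands, and it runs the RO command set above against constructed sample requests.

```python
import re
from typing import NamedTuple
# Simplified model (an assumption, not ISE internals): first word must equal the
# rule's command; the rest is re.search'ed against the rule's argument regex
# (blank = any); DENY_ALWAYS > PERMIT > DENY; unmatched = deny unless permit_unlisted.

class Rule(NamedTuple):
    grant: str    # PERMIT, DENY or DENY_ALWAYS
    command: str  # e.g. "terminal"
    args: str     # regex for the remaining tokens, e.g. "width"

# The RO command set shared above, copied here as the example's input.
RO_COMMAND_SET = (
    "PERMIT menu\nPERMIT terminal width\nPERMIT more\nPERMIT show\n"
    "PERMIT ping\nPERMIT traceroute\nPERMIT ssh\nPERMIT telnet\n"
    "PERMIT enable\nPERMIT exit\nPERMIT clear line\n"
    "PERMIT terminal length\nPERMIT terminal pager\n"
)

def parse_command_set(text: str) -> list[Rule]:
    """Parse 'GRANT command [argument-regex]' lines into rules."""
    rules = []
    for line in text.splitlines():
        if line.strip():
            grant, cmd, *rest = line.split()
            rules.append(Rule(grant.upper(), cmd, " ".join(rest)))
    return rules

def authorize(command_line: str, rules: list[Rule],
              permit_unlisted: bool = False) -> tuple[str, str]:
    """Decide one TACACS+ command authorization request: (PERMIT|DENY, why)."""
    cmd, _, args = command_line.strip().partition(" ")
    hits = [r for r in rules
            if r.command == cmd and (not r.args or re.search(r.args, args))]
    for grant in ("DENY_ALWAYS", "PERMIT", "DENY"):
        for r in hits:
            if r.grant == grant:
                verdict = "PERMIT" if grant == "PERMIT" else "DENY"
                return verdict, f"matched rule: {r.grant} {r.command} {r.args}".rstrip()
    if permit_unlisted:
        return "PERMIT", "no rule matched; unlisted commands are permitted"
    return "DENY", "13025 Command failed to match a Permit rule"

if __name__ == "__main__":
    rules = parse_command_set(RO_COMMAND_SET)
    # Constructed requests: CLI commands vs. the command ASDM issues for SFR.
    for line in ("show running-config", "terminal pager 0",
                 "session sfr do get euta-status", "configure terminal"):
        print(f"{line!r:40} -> {authorize(line, rules)}")
```

The "session" command word has no rule at all, so the request falls through to the default and ISE logs 13025 regardless of the priv-lvl=15 returned by the shell profile.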

If you are returning Privilege-Level 15, then that user should have access to all commands and nothing should be grayed out. I have not seen the message "session sfr do get euta-status" before, so it might require assistance from TAC. Is the Firepower module managed via ASDM as well, or do you have FMC (Firepower Management Center) deployed?

Thank you for rating helpful posts!

Hi nspasov,

Rules are allowed with a Shell profile called "L1 commands", and the AuthZ policies are set to "privilege 15". So in this case, will they have complete access (with Priv 15) or only the commands which were shared earlier?

Sourcefire is managed by FMC, and we have separate rules for IPS devices.
