ISE Device Administration (TACACS+)

h.infotronique1
Level 1

Hello,

I have created some command profiles to limit my helpdesk users, but it didn't work:

I want to give them access to manipulate all interfaces of my Cisco switch and deny them access to the interface g1/2.

Here is the rule I put in the ISE TACACS Command Sets:

DENY_ALWAYS    interface        Gi1/2

Is that possible?

Thanks

Accepted Solution

I saw similar results but I don't fully understand why.

Then I found a tip in a very old thread. https://ieoc.com/discussion/4666/aaa-authorization-commands

It tells us we need to add the line "aaa authorization config-commands". I did that and voila!


ccielab-3560cx(config)#aaa authorization config-commands 
ccielab-3560cx(config)#end
ccielab-3560cx#wr mem
Building configuration...
[OK]
ccielab-3560cx#exit
Connection closing...Socket close.

Connection closed by foreign host.

Disconnected from remote host(172.31.1.4:22) at 20:42:57.

Type `help' to learn how to use Xshell prompt.
[C:\~]$ ssh marvin-ltd@172.31.1.4


Connecting to 172.31.1.4:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.

ccielab-3560cx#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
ccielab-3560cx(config)#int gi0/2
Command authorization failed.

ccielab-3560cx(config)#int gi0/3
ccielab-3560cx(config-if)#

My command set that is allowed in the Authorization rule looks like this:

[image: TACACS command set.PNG]

Here is my Authorization policy:

[image: TACACS Authorization Policy.PNG]

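As an added audit check (not code from the thread or from Cisco), a small Python function that inspects an IOS running-config excerpt and reports whether TACACS+ command authorization is actually in force for configuration mode, i.e. whether "aaa authorization config-commands" accompanies the "aaa authorization commands" line. The two sample configs are constructed to mirror the before and after states described in the accepted answer.

```python
import re

# Constructed sample: an AAA stanza with command authorization pointed at
# TACACS+ but without the config-commands line (the state in the question).
BEFORE = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
"""

# The same stanza with the line from the accepted answer added.
AFTER = BEFORE + "aaa authorization config-commands\n"

CMD_AUTHZ = re.compile(r"^aaa authorization commands (\d+) (\S+) (.+)$")


def audit_command_authz(running_config: str) -> dict:
    """Report which parts of TACACS+ command authorization are configured.

    config_mode_authorized is True only when some privilege level has
    command authorization via TACACS+ *and* 'aaa authorization
    config-commands' is present. In the thread, the switch sent no
    authorization request at all for configuration-mode commands until
    that line was added, so an ISE DENY_ALWAYS rule on 'interface Gi1/2'
    was never consulted.
    """
    levels = {}
    config_commands = False
    for line in running_config.splitlines():
        line = line.strip()
        m = CMD_AUTHZ.match(line)
        if m:
            level, _list_name, methods = m.groups()
            levels[int(level)] = "tacacs+" in methods
        elif line == "aaa authorization config-commands":
            config_commands = True
    tacacs_levels = sorted(lvl for lvl, via_tacacs in levels.items() if via_tacacs)
    return {
        "tacacs_command_levels": tacacs_levels,
        "config_commands": config_commands,
        "config_mode_authorized": bool(tacacs_levels) and config_commands,
    }


if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_command_authz(cfg))
```

Running the audit over a real "show running-config | section aaa" output flags switches where command sets are defined on ISE but configuration-mode commands never reach it.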

5 Replies

Marvin Rhoads
Hall of Fame

I tried recreating your problem and encountered the same error.

I created a limited access user and confirmed they get assigned that authorization result. My command set says to deny all where command is interface and parameter is GigabitEthernet 0/2. I tried several variations of the parameter but they all continue to mistakenly allow the command.

I looked at this example for reference:

https://community.cisco.com/t5/security-documents/ise-2-3-tacacs-command-sets-import-and-export/ta-p/3635973

...using the bits in the table under "iosSecCmds Command set".

Hi Marvin,

Thank you for your reply.

On the switch I activated the debug of AAA authentication and authorization to see what happens, and I have this when I type, for example, shutdown and no shutdown:

6d23h: AAA/AUTHOR/TAC+: (1016080000): send AV service=shell
6d23h: AAA/AUTHOR/TAC+: (1016080000): send AV cmd=no
6d23h: AAA/AUTHOR/TAC+: (1016080000): send AV cmd-arg=shutdown
6d23h: AAA/AUTHOR/TAC+: (1016080000): send AV cmd-arg=<cr>
6d23h: TAC+: (1016080000): received author response status = PASS_ADD

But when I type the command interface GigabitEthernet 1/2, there is no debug line for authentication or authorization;

Is that ordinary behavior or not?

Thanks.


Hi Marvin,

I thank you very much, that was very helpful; it was that command that was missing from my configuration, and now it works fine.

Just for the rule on ISE: I did Deny Always interface GigabitEthernet 1/2, not GigabitEthernet 1 2 like you did!!?

Thank you again.

OK - you're welcome. It was a fun one to troubleshoot.

I used the "0 2" syntax in my case since when I was troubleshooting using packet capture I saw the authorization request come through following that convention. I think perhaps the system parses out the "/" character so you can enter it with or without that and get the same result.
