ISE 2.2 cannot apply TACACS Authorization Policy to a parent group

B. BELHADJ
Level 4

Hi guys

Could you please let me know why ISE 2.2 (at least for me) cannot apply the Authorization policy for a parent group?

For example, when I create groups like:

ALL_Perimeters/SEC

ALL_Perimeters/LAN

ALL_Perimeters/WAN

SECGroup ==> RW ==>  ALL_Perimeters/SEC

LANGroup ==> RW ==>  ALL_Perimeters/LAN

WANGroup ==> RW ==> ALL_Perimeters/WAN

ALL ==> RO ==> ALL_Perimeters

The Authorization Policies have been configured like that:

"Rule name: SecTeam" ==> If "SECGroup" and "DEVICE:Perimeters EQUALS All_Perimeters#SEC" then "Command Sets: RWCommands" AND "Shell Profiles: Privilege15"

"Rule name: LANTeam" ==> If "LANGroup" and "DEVICE:Perimeters EQUALS All_Perimeters#LAN" then "Command Sets: RWCommands" AND "Shell Profiles: Privilege15"

"Rule name: ALLTeams" ==> If "All Groups" and "DEVICE:Perimeters EQUALS All_Perimeters" then "Command Sets: ROCommands" AND "Shell Profiles: Privilege15"

Tacacs_Default If no matches then Deny All Shell Profile

When a user in the group SECGroup tries to access a device in the perimeter LAN, the user cannot access it. In the logs, the default Authorization Policy with Deny is matched.

But when I configure an Authorization Policy with RO for SECGroup on the All_Perimeters#LAN for example, the user is able to connect!

The Authorization Policies are very well configured. I don't have this issue with ACS 5.8 in my production environment.

Any reply will be appreciated.

Best regards.

Accepted Solution

Arne Bier
VIP

Not sure whether I fully grasp the issue at hand, but have you tried using STARTSWITH instead of EQUALS? I have run into this before when I wanted to match a prefix and used EQUALS, when instead ISE requires the operator STARTSWITH to match a prefix.


2 Replies


Hi Arne

Thank you for your help!

This was the issue. I have just used STARTS WITH instead of EQUALS and the user was able to connect.

Best regards
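As an added illustration (not ISE code and not from anyone in this thread), a small Python model of first-match authorization rule evaluation that reproduces the behaviour described above: EQUALS on the parent group All_Perimeters never matches a device whose group path is All_Perimeters#LAN, while STARTS WITH does, and the more specific RW rule still wins on the user's own perimeter. It assumes device group paths are compared as the Root#Child strings shown in the conditions, and the rule tuples and Tacacs_Default representation are constructed for the example.

```python
# Toy model of ISE TACACS authorization rule matching for hierarchical
# network device groups. Constructed example; not ISE code.
DEFAULT_DENY = ("Tacacs_Default", None, "Deny All Shell Profile")


def perimeter_matches(operator, rule_value, device_value):
    """Evaluate a DEVICE:Perimeters condition with a string operator."""
    if operator == "EQUALS":
        return device_value == rule_value
    if operator == "STARTSWITH":
        # Plain prefix match: the parent group and every descendant path match.
        # Caveat: a sibling root such as "All_Perimeters_DMZ" would also match
        # "All_Perimeters", so keep top-level group names unambiguous.
        return device_value.startswith(rule_value)
    raise ValueError(f"unsupported operator {operator!r}")


def authorize(rules, user_groups, device_perimeter):
    """First matching rule wins; no match falls through to the default deny."""
    for name, group, operator, perimeter, command_set, shell_profile in rules:
        group_ok = group is None or group in user_groups  # None = "All Groups"
        if group_ok and perimeter_matches(operator, perimeter, device_perimeter):
            return (name, command_set, shell_profile)
    return DEFAULT_DENY


def policy(parent_operator):
    """The three rules from the question; only the ALLTeams operator varies."""
    return [
        ("SecTeam", "SECGroup", "EQUALS", "All_Perimeters#SEC", "RWCommands", "Privilege15"),
        ("LANTeam", "LANGroup", "EQUALS", "All_Perimeters#LAN", "RWCommands", "Privilege15"),
        ("ALLTeams", None, parent_operator, "All_Perimeters", "ROCommands", "Privilege15"),
    ]


if __name__ == "__main__":
    sec_user = {"SECGroup"}
    # As originally configured: EQUALS on the parent never matches a child path.
    print(authorize(policy("EQUALS"), sec_user, "All_Perimeters#LAN"))
    # → ('Tacacs_Default', None, 'Deny All Shell Profile')
    # With STARTS WITH the parent rule covers every child perimeter read-only.
    print(authorize(policy("STARTSWITH"), sec_user, "All_Perimeters#LAN"))
    # → ('ALLTeams', 'ROCommands', 'Privilege15')
    # The more specific RW rule is still evaluated first on the user's own perimeter.
    print(authorize(policy("STARTSWITH"), sec_user, "All_Perimeters#SEC"))
    # → ('SecTeam', 'RWCommands', 'Privilege15')
```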