cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

230
Views
0
Helpful
5
Replies
Beginner

TACACS using Guest Identity store

Hi All,

 

Our customer requires tacacs users to have an expiry date & time and for different ISE admins to create different types of tacacs users.

For this I have created sponsored guests users using the guest type Contractor group.

Now, if I use the network access name as that of the sponsored guest created, the tacacs rule works as required.

However, If I use the Identity group name Contractor, authorisation fails and it hits the default deny access shell profile.

Any idea how to get it working using the Identity Group name

Attached authorisation SS of both conditions.

 

 

PASSED LOG

 

Overview

Request TypeAuthorization
StatusPass
Session KeyISE2673/356880508/180
Message TextDevice-Administration: Command Authorization succeeded
Usernamenetadmin@gmail.com
Authorization PolicyNew Policy Set 1 >> NetAdmin
Shell Profile 
Matched Command SetPermitAll
Command From Deviceenable

 

Authorization Details

Generated Time2019-09-03 16:16:38.118 +5:30
Logged Time2019-09-03 16:16:38.118
Epoch Time (sec)1567507598
ISE NodeISE2673
Message TextDevice-Administration: Command Authorization succeeded
Failure Reason 
Resolution 
Root Cause 
Usernamenetadmin@gmail.com
Network Device NameCOE_3850_2
Network Device IP192.168.40.8
Network Device GroupsIPSEC#Is IPSEC Device#No,Location#All Locations,Device Type#All Device Types
Device TypeDevice Type#All Device Types
LocationLocation#All Locations
Device Porttty2
Remote Address192.168.41.73

Authorization Attributes

All Request Attribues 
All Response Attribues 

 

TACACS Protocol

Authentication MethodNone
Authentication Privilege Level0
Authentication TypeASCII
Authentication ServiceNone

 

Other Attributes

ConfigVersionId74
DestinationIPAddress192.168.40.73
DestinationPort49
UserNamenetadmin@gmail.com
ProtocolTacacs
RequestLatency24
TypeAuthorization
Service-Argumentshell
NetworkDeviceProfileIdb0699505-3150-4215-a80e-6753d45bf56c
AuthenticationIdentityStoreGuest Users
AuthenticationMethodLookup
SelectedAccessServiceDefault Device Admin
SelectedCommandSetPermitAll
IdentityGroupUser Identity Groups:GuestType_Contractor (default)
SelectedAuthenticationIdentityStoresGuest Users
AuthenticationStatusAuthenticationPassed
UserTypeGuestUser
CPMSessionID2429714507192.168.40.83361Authorization2429714507
IdentitySelectionMatchedRuleAuthentication Rule 1
Network Device ProfileCisco
IPSECIPSEC#Is IPSEC Device#No
Response{Author-Reply-Status=PassAdd; }

 

 

 

 

FAILED LOG

 

Overview

Request TypeAuthentication
StatusFail
Session KeyISE2673/356880508/132
Message TextFailed-Attempt: Authentication failed
Usernamenetadmin@gmail.com
Authentication PolicyNew Policy Set 1 >> Authentication Rule 1
Selected Authorization ProfileDeny All Shell Profile

 

Authentication Details

Generated Time2019-09-03 16:09:23.858000 +05:30
Logged Time2019-09-03 16:09:23.858
Epoch Time (sec)1567507163
ISE NodeISE2673
Message TextFailed-Attempt: Authentication failed
Failure Reason13036 Selected Shell Profile is DenyAccess
ResolutionCheck whether the Device Administration Authorization Policy rules are correct
Root CauseSelected Shell Profile fails for thsi request
Usernamenetadmin@gmail.com
Network Device NameCOE_3850_2
Network Device IP192.168.40.8
Network Device GroupsIPSEC#Is IPSEC Device#No,Location#All Locations,Device Type#All Device Types
Device TypeDevice Type#All Device Types
LocationLocation#All Locations
Device Porttty2
Remote Address192.168.41.73

 

TACACS Protocol

Authentication ActionLogin
Authentication Privilege Level1
Authentication TypeASCII
Authentication ServiceLogin

 

Other Attributes

ConfigVersionId74
Device Port3358
DestinationPort49
UserNamenetadmin@gmail.com
ProtocolTacacs
RequestLatency121
TypeAuthentication
NetworkDeviceProfileIdb0699505-3150-4215-a80e-6753d45bf56c
AuthenticationMethodPAP_ASCII
SelectedAccessServiceDefault Device Admin
IdentityGroupUser Identity Groups:GuestType_Contractor (default)
SelectedAuthenticationIdentityStoresGuest Users
AuthorizationPolicyMatchedRuleDefault
UserTypeGuestUser
CPMSessionID925757830192.168.40.83358Authentication925757830
StepLatency8=2925
Network Device ProfileCisco
IPSECIPSEC#Is IPSEC Device#No
Response{AuthenticationResult=Passed; AuthorizationFailureReason=ShellProfileDenyAuthorization; Authen-Reply-Status=Fail; }

 

 

Attached logs for reference.  

5 REPLIES 5
Highlighted
VIP Advocate

Re: TACACS using Guest Identity store

Hi @melvillec 

 

Did you get a resolution to this? It's an interesting use case for sure!

 

When you create a Guest Type (e..g Contractor) then you specify where to put the MAC address by specifying the Endpoint Identity Group. Do not confuse this with the User Identity Group (Group that is defined and can contain user accounts ... NOT Endpoints (MAC addresses))

This means, that guest accounts do not have a concept of a Guest Group. At best, you could check during Authentication, by looking up the Identity Source Sequence of "Guest Users", and then test whether the authenticating user is found during Authentication.

 

Beginner

Re: TACACS using Guest Identity store

Hi Arnie,

 

Thanks for your reply.

I still haven't got any resolution to this.

 

You are absolutely right as mentioned below that the Guest user identity group will not contain guest endpoint mac addresses, but only users accounts which we manually need to create. I had figured that out after testing.

 

If there was some way that ISE could store the guest user accounts created by the sponsor in an internal group, my use case would have been resolved.

 

I did however create a rule matching the guest user name in the TACACS authorization policy and it worked, but this is not feasible as customer will be creating random users due to which we cant go and make changes in the policy every time he creates an user.

 

Regards,

Melville

VIP Advocate

Re: TACACS using Guest Identity store

Depending on how complex your Policy Sets are, have you considered building a Policy Set that performs Authentication against the "Guest Users", and then for good measure, you could make that an Authorization Rule as well (just for extra assurance that you're authorizing for that specific reason).

 

guest.PNG

Beginner

Re: TACACS using Guest Identity store

Hi Arnie,

 

Thanks for your reply.

I was already using the Guest Users in the ISS.

 

Calling the Guest Users in the authorization policy will apply to all guest users and I will not be able to distinguish them as I need to create different policies for different tacacs users based on shell profiles and command sets.

 

Regards,

Melville

Cisco Employee

Re: TACACS using Guest Identity store


@melvillec wrote:

Hi Arnie,

 

Thanks for your reply.

I was already using the Guest Users in the ISS.

 

Calling the Guest Users in the authorization policy will apply to all guest users and I will not be able to distinguish them as I need to create different policies for different tacacs users based on shell profiles and command sets.

 

Regards,

Melville


Althought not a supported store to TACACS, perhaps this will help looking at the way we did it with Guest?

https://community.cisco.com/t5/security-documents/ise-guest-access-prescriptive-deployment-guide/ta-p/3640475#toc-hId-2129827407