Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1310
Views
0
Helpful
5
Replies

TACACS using Guest Identity store

melvillec
Level 1
Level 1

‎09-03-2019 04:25 AM

Hi All,

 

Our customer requires tacacs users to have an expiry date & time and for different ISE admins to create different types of tacacs users.

For this I have created sponsored guests users using the guest type Contractor group.

Now, if I use the network access name as that of the sponsored guest created, the tacacs rule works as required.

However, If I use the Identity group name Contractor, authorisation fails and it hits the default deny access shell profile.

Any idea how to get it working using the Identity Group name

Attached authorisation SS of both conditions.

 

 

PASSED LOG

 

Overview

Request TypeAuthorization
StatusPass
Session KeyISE2673/356880508/180
Message TextDevice-Administration: Command Authorization succeeded
Usernamenetadmin@gmail.com
Authorization PolicyNew Policy Set 1 >> NetAdmin
Shell Profile 
Matched Command SetPermitAll
Command From Deviceenable

 

Authorization Details

Generated Time2019-09-03 16:16:38.118 +5:30
Logged Time2019-09-03 16:16:38.118
Epoch Time (sec)1567507598
ISE NodeISE2673
Message TextDevice-Administration: Command Authorization succeeded
Failure Reason 
Resolution 
Root Cause 
Usernamenetadmin@gmail.com
Network Device NameCOE_3850_2
Network Device IP192.168.40.8
Network Device GroupsIPSEC#Is IPSEC Device#No,Location#All Locations,Device Type#All Device Types
Device TypeDevice Type#All Device Types
LocationLocation#All Locations
Device Porttty2
Remote Address192.168.41.73

Authorization Attributes

All Request Attribues 
All Response Attribues 

 

TACACS Protocol

Authentication MethodNone
Authentication Privilege Level0
Authentication TypeASCII
Authentication ServiceNone

 

Other Attributes

ConfigVersionId74
DestinationIPAddress192.168.40.73
DestinationPort49
UserNamenetadmin@gmail.com
ProtocolTacacs
RequestLatency24
TypeAuthorization
Service-Argumentshell
NetworkDeviceProfileIdb0699505-3150-4215-a80e-6753d45bf56c
AuthenticationIdentityStoreGuest Users
AuthenticationMethodLookup
SelectedAccessServiceDefault Device Admin
SelectedCommandSetPermitAll
IdentityGroupUser Identity Groups:GuestType_Contractor (default)
SelectedAuthenticationIdentityStoresGuest Users
AuthenticationStatusAuthenticationPassed
UserTypeGuestUser
CPMSessionID2429714507192.168.40.83361Authorization2429714507
IdentitySelectionMatchedRuleAuthentication Rule 1
Network Device ProfileCisco
IPSECIPSEC#Is IPSEC Device#No
Response{Author-Reply-Status=PassAdd; }

 

 

 

 

FAILED LOG

 

Overview

Request TypeAuthentication
StatusFail
Session KeyISE2673/356880508/132
Message TextFailed-Attempt: Authentication failed
Usernamenetadmin@gmail.com
Authentication PolicyNew Policy Set 1 >> Authentication Rule 1
Selected Authorization ProfileDeny All Shell Profile

 

Authentication Details

Generated Time2019-09-03 16:09:23.858000 +05:30
Logged Time2019-09-03 16:09:23.858
Epoch Time (sec)1567507163
ISE NodeISE2673
Message TextFailed-Attempt: Authentication failed
Failure Reason13036 Selected Shell Profile is DenyAccess
ResolutionCheck whether the Device Administration Authorization Policy rules are correct
Root CauseSelected Shell Profile fails for thsi request
Usernamenetadmin@gmail.com
Network Device NameCOE_3850_2
Network Device IP192.168.40.8
Network Device GroupsIPSEC#Is IPSEC Device#No,Location#All Locations,Device Type#All Device Types
Device TypeDevice Type#All Device Types
LocationLocation#All Locations
Device Porttty2
Remote Address192.168.41.73

 

TACACS Protocol

Authentication ActionLogin
Authentication Privilege Level1
Authentication TypeASCII
Authentication ServiceLogin

 

Other Attributes

ConfigVersionId74
Device Port3358
DestinationPort49
UserNamenetadmin@gmail.com
ProtocolTacacs
RequestLatency121
TypeAuthentication
NetworkDeviceProfileIdb0699505-3150-4215-a80e-6753d45bf56c
AuthenticationMethodPAP_ASCII
SelectedAccessServiceDefault Device Admin
IdentityGroupUser Identity Groups:GuestType_Contractor (default)
SelectedAuthenticationIdentityStoresGuest Users
AuthorizationPolicyMatchedRuleDefault
UserTypeGuestUser
CPMSessionID925757830192.168.40.83358Authentication925757830
StepLatency8=2925
Network Device ProfileCisco
IPSECIPSEC#Is IPSEC Device#No
Response{AuthenticationResult=Passed; AuthorizationFailureReason=ShellProfileDenyAuthorization; Authen-Reply-Status=Fail; }

 

 

Attached logs for reference.  

Preview file
17 KB
Preview file
16 KB
0 Helpful
5 Replies 5

Arne Bier
VIP
VIP

‎12-02-2019 05:06 PM

Hi @melvillec 

 

Did you get a resolution to this? It's an interesting use case for sure!

 

When you create a Guest Type (e..g Contractor) then you specify where to put the MAC address by specifying the Endpoint Identity Group. Do not confuse this with the User Identity Group (Group that is defined and can contain user accounts ... NOT Endpoints (MAC addresses))

This means, that guest accounts do not have a concept of a Guest Group. At best, you could check during Authentication, by looking up the Identity Source Sequence of "Guest Users", and then test whether the authenticating user is found during Authentication.

 

0 Helpful

melvillec
Level 1
Level 1
In response to Arne Bier

‎12-02-2019 09:07 PM

Hi Arnie,

 

Thanks for your reply.

I still haven't got any resolution to this.

 

You are absolutely right as mentioned below that the Guest user identity group will not contain guest endpoint mac addresses, but only users accounts which we manually need to create. I had figured that out after testing.

 

If there was some way that ISE could store the guest user accounts created by the sponsor in an internal group, my use case would have been resolved.

 

I did however create a rule matching the guest user name in the TACACS authorization policy and it worked, but this is not feasible as customer will be creating random users due to which we cant go and make changes in the policy every time he creates an user.

 

Regards,

Melville

0 Helpful

Arne Bier
VIP
VIP
In response to melvillec

‎12-03-2019 03:45 AM

Depending on how complex your Policy Sets are, have you considered building a Policy Set that performs Authentication against the "Guest Users", and then for good measure, you could make that an Authorization Rule as well (just for extra assurance that you're authorizing for that specific reason).

 

guest.PNG

0 Helpful

melvillec
Level 1
Level 1
In response to Arne Bier

‎12-03-2019 06:15 AM

Hi Arnie,

 

Thanks for your reply.

I was already using the Guest Users in the ISS.

 

Calling the Guest Users in the authorization policy will apply to all guest users and I will not be able to distinguish them as I need to create different policies for different tacacs users based on shell profiles and command sets.

 

Regards,

Melville

0 Helpful

Jason Kunst
Cisco Employee
Cisco Employee
In response to melvillec

‎12-03-2019 09:33 AM

@melvillec wrote:

Hi Arnie,

 

Thanks for your reply.

I was already using the Guest Users in the ISS.

 

Calling the Guest Users in the authorization policy will apply to all guest users and I will not be able to distinguish them as I need to create different policies for different tacacs users based on shell profiles and command sets.

 

Regards,

Melville

Althought not a supported store to TACACS, perhaps this will help looking at the way we did it with Guest?

https://community.cisco.com/t5/security-documents/ise-guest-access-prescriptive-deployment-guide/ta-p/3640475#toc-hId-2129827407

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents