13036 Selected Shell Profile is DenyAccess

deepakramanath
Level 1

Hi All,

Subsequent to my earlier question, I have managed to get an Avaya switch to talk to the Cisco ISE 2.3 TACACS+ server. When I try logging into the switch, the access is basically denied with the message "Permission denied, please try again".

In the Cisco ISE TACACS+ logs, I could look at the steps that have been performed and where the access fails. The step at which it is failing is: 13036 Selected Shell Profile is DenyAccess

I have been searching on Google for this 13036 and DenyAccess, but haven't been able to successfully troubleshoot.

Any help in this regard would be highly appreciated.

Accepted Solution

kthiruve
Cisco Employee

Hi Deepak,

Please check the authentication policy and authorization policy.

In the authorization policy, make sure you allow access in your policy via shell profile. If authentication fails then you will get deny access as well.

Please check out ISE Device Administration (TACACS+) for detailed information on how to configure ISE for TACACS+.

Thanks

Krishnan


4 Replies

Hi Krishnan,

Thanks for your response. Since I am very new to ISE, I will provide a brief of what I have configured for AA. Please do feel free to correct me.

In the Device Administration -> Policy Elements -> Results -> TACACS Profiles, I have created a new one, called TACACS Profile. In here, I have chosen Common Task Type to be Shell and both Default Privilege and Maximum Privilege to be 15.

In the Device Administration -> Policy Elements -> Results -> TACACS Command Sets, I have created a new one, called TACACS Command Sets, and I have ticked the option "Permit any command that is not listed below".

In the Policy -> Policy Sets, I have created two policies as listed below:

Policy Name: Wired-Avaya-Switch

Conditions: DEVICE.Device Type = All Devices Types#Avaya Switch

Allowed Protocols: avaya-switch

Policy Name: Avaya-Switch-Location

Condition: DEVICE.Location = All Locations#Avaya-Switch-Location

Allowed Protocols: avaya-switch

Please note that the avaya-switch protocol has the following Authentication Protocols Enabled:

Allow PAP/ASCII, Allow CHAP, Allow MS-CHAPv1

I'm not exactly sure where I can specify the shell profile access for authorisation as you have suggested.

Thanks

Deepak

Hi Krishnan,

I have figured out where the authorisation policies can be specified (via the view option in the policy set). Now, I can allow or deny shell access for an internal user.

The second issue that I'm facing now is how to provide limited shell access to a particular user. To test this scenario, I first created a Guest-User identity group and added a guest user (e.g. Guest_User1).

Next, I created a TACACS+ command set (TACACS-Guest-Command-Set) with Grant: PERMIT -> Command: ping. I haven't ticked the option "Permit any command that is not listed below". I believe with this, Guest_User1, when associated with TACACS-Guest-Command-Set in the policy, should be able to access only ping.

Next, I created a TACACS Profile (TACACS_Profile_Guest). Here, Common Task is Shell with Default Privilege: 1 and Maximum Privilege: 15.

Now I go to the policy set that works, under which I create a new authorisation policy as follows:

Rule Name: Guest-User

Conditions: IdentityGroup = User Identity Groups: Guest-User

Command Sets:  TACACS-Guest-Command-Set

Shell Profiles: TACACS_Profile_Guest

The authentication is successful for Guest_User1, while the authorisation does not seem to block all the commands except ping. I can basically run all of them.

Any reason why this might be happening?

Thanks

Deepak
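To make the two decisions in this thread concrete (Krishnan's point that an unmatched authorization rule ends in the DenyAccess shell profile, step 13036, and Deepak's expectation that an unticked "Permit any command that is not listed below" leaves only ping permitted), here is an added Python model. It is illustration written for this thread, not ISE code; the profile, command-set and group names follow the posts above, the `Admin-User` rule and the user/session dictionaries are constructed, and the command-set evaluation order (DENY_ALWAYS first, then first matching rule, then the unlisted-command tick box) follows the ISE command-set documentation.

```python
"""Added model (not ISE code) of ISE device-administration authorization:
(1) which authorization rule in a policy set fires and which shell profile it
selects, and (2) how one TACACS+ command set judges a single command line."""
from dataclasses import dataclass, field
from typing import Optional
import re

DENY_ACCESS = "DenyAccess"   # built-in shell profile selected by the default rule


@dataclass
class CommandRule:
    grant: str            # "PERMIT", "DENY" or "DENY_ALWAYS"
    command: str          # command keyword, e.g. "ping"
    arguments: str = ""   # regex on the rest of the line; empty matches anything


@dataclass
class CommandSet:
    name: str
    permit_unlisted: bool                    # "Permit any command that is not listed below"
    rules: list = field(default_factory=list)

    def evaluate(self, command_line: str) -> str:
        """Return 'PERMIT' or 'DENY' for one command line."""
        parts = command_line.strip().split(None, 1)
        if not parts:
            return "DENY"
        command, args = parts[0], (parts[1] if len(parts) > 1 else "")
        matches = [r for r in self.rules
                   if r.command == command and re.search(r.arguments, args)]
        if any(r.grant == "DENY_ALWAYS" for r in matches):
            return "DENY"                    # DENY_ALWAYS overrides any PERMIT
        if matches:                          # otherwise the first listed match wins
            return "PERMIT" if matches[0].grant == "PERMIT" else "DENY"
        return "PERMIT" if self.permit_unlisted else "DENY"


@dataclass
class AuthzRule:
    name: str
    conditions: dict            # session attribute -> required value; {} = default rule
    shell_profile: str
    command_set: Optional[CommandSet] = None


def select_rule(policy: list, session: dict) -> AuthzRule:
    """First rule whose conditions all hold; the final {} rule always matches."""
    for rule in policy:
        if all(session.get(attr) == value for attr, value in rule.conditions.items()):
            return rule
    raise ValueError("policy set has no default rule")


def session_result(policy: list, session: dict) -> str:
    """Outcome of the login (session) authorization, worded like the ISE step."""
    rule = select_rule(policy, session)
    if rule.shell_profile == DENY_ACCESS:
        return "13036 Selected Shell Profile is DenyAccess"
    return f"Selected Shell Profile is {rule.shell_profile}"


def command_result(policy: list, session: dict, command_line: str) -> str:
    """Per-command authorization, evaluated only when the switch asks about a command."""
    rule = select_rule(policy, session)
    if rule.shell_profile == DENY_ACCESS or rule.command_set is None:
        return "DENY"
    return rule.command_set.evaluate(command_line)


# Constructed objects using the names from the thread (Admin-User rule is made up).
GUEST_SET = CommandSet("TACACS-Guest-Command-Set", permit_unlisted=False,
                       rules=[CommandRule("PERMIT", "ping")])
FULL_SET = CommandSet("TACACS Command Sets", permit_unlisted=True)
POLICY = [
    AuthzRule("Guest-User", {"IdentityGroup": "User Identity Groups:Guest-User"},
              "TACACS_Profile_Guest", GUEST_SET),
    AuthzRule("Admin-User", {"IdentityGroup": "User Identity Groups:Admins"},
              "TACACS Profile", FULL_SET),
    AuthzRule("Default", {}, DENY_ACCESS),
]
GUEST = {"User": "Guest_User1", "IdentityGroup": "User Identity Groups:Guest-User"}
ADMIN = {"User": "admin1", "IdentityGroup": "User Identity Groups:Admins"}
UNKNOWN = {"User": "someone", "IdentityGroup": "User Identity Groups:Contractors"}

if __name__ == "__main__":
    for who in (GUEST, ADMIN, UNKNOWN):
        print(who["User"], "->", session_result(POLICY, who))
    for cmd in ("ping 10.1.1.1", "show running-config", "configure terminal"):
        print(f"Guest_User1 '{cmd}' ->", command_result(POLICY, GUEST, cmd))
```

Running it shows the unknown user landing on the default rule (step 13036), and Guest_User1 getting PERMIT for `ping 10.1.1.1` but DENY for everything else. One caveat the model makes visible: `command_result` only runs when the device sends a separate TACACS+ authorization request for that command. If the switch performs session authorization only and never asks ISE about individual commands, the command set is never consulted and every command runs, which is worth checking on the device side when the ISE policy looks right.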

I think here is the key :