12-23-2017 01:50 AM
Hi experts,
I worked on ISE2.2 tacacs configuration for customer and have two issues below.
1. I assign the "network-operator" role to specific AD group users via TACACS profiles. The user is assigned the "network-operator" role successfully when logging in to the Nexus device, but can still execute all commands. When I disconnected the TACACS server, the user is authenticated and authorized locally and the network-operator user correctly has read-only permission. Below is the configuration.
aaa authentication login default group ise
aaa authentication login console group ise none
aaa authorization config-commands default group ise local
aaa authorization commands default group ise local
aaa accounting default group ise
2. "aaa authorization exec authentication-server auto-enable" is used in the ASA AAA configuration. A user over an SSH session enters exec mode (#) directly when privilege 15 is assigned to this user, but the same user over a console session only enters user mode (>). Below is the configuration.
aaa authentication ssh console ise LOCAL
aaa authentication serial console ise LOCAL
aaa authentication enable console ise LOCAL
aaa authorization command ise LOCAL
aaa accounting command ise
aaa authorization exec authentication-server auto-enable
I am not sure if I am missing something for those two issues.
br,
Martin
12-23-2017 06:33 AM
You might want to follow this link: How To: ISE TACACS+ Configuration for ASA Network Devices.
Let me know if this helps.
Thanks,
Nidhi
12-25-2017 06:07 PM
Hi Nidhi,
Thank you for your document, but it does not resolve my two issues. Yesterday I tried again on a Nexus 3K and 1000v for my first issue, and on an ASA5585 and ASAv for my second issue; the result is the same.
12-25-2017 06:25 PM
T+ command authorization is optional for both types of devices.
For NX-OS, if you want to use the user roles only, then remove the two lines "aaa authorization config-commands ..." and "aaa authorization commands ...". If you want ISE to perform T+ command authorization, then create the command sets and add them to the T+ authorization policy rules.
Similar applies to the ASA CLI. If you want "local", then use "aaa authorization command LOCAL" (with ise in it).
As to your point #2, the "EXEC Authorization" (aka the auto-enable option) in ASA applies to SSH/Telnet (TTY/VTY) access only. That is why console login does not go directly to EXEC.
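The two resulting device configurations, written out as an added example that is not config from the original thread. The "before" lines are the poster's own; the `no ...` removal form and the NX-OS verification commands (`show role name`, `show aaa authorization`) are assumed to be accepted on the poster's platforms and should be checked against the release in use.

```cisco
! ---- NX-OS: enforce access with the ISE-assigned user role ----
! Before (from the thread): every command is authorized by ISE.
! While these lines are present the ISE command-set decision, not the
! local network-operator role, governs what the user may run.
!   aaa authorization config-commands default group ise local
!   aaa authorization commands default group ise local
!
! After: remove TACACS+ command authorization so the role applies
! (keep these lines only if ISE has command sets in its policy rules).
no aaa authorization config-commands default
no aaa authorization commands default
aaa authentication login default group ise
aaa authentication login console group ise none
aaa accounting default group ise
!
! Verify: role should be read-only and no command authorization active
show role name network-operator
show aaa authorization

! ---- ASA: keep command authorization local, exec auto-enable for VTY ----
aaa authentication ssh console ise LOCAL
aaa authentication serial console ise LOCAL
aaa authentication enable console ise LOCAL
aaa authorization command LOCAL
aaa accounting command ise
! Applies to SSH/Telnet sessions only; a console user still lands in
! user mode (>) and must run "enable" to reach privileged mode (#).
aaa authorization exec authentication-server auto-enable
```

The security-relevant point is the NX-OS half: turning on per-command TACACS+ authorization hands the decision to ISE, so a read-only role on the switch is not what limits the user; either let the role enforce it (remove the lines) or define restrictive command sets in ISE, but do not leave command authorization pointed at a server with no command-set policy for the user.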
12-25-2017 08:10 PM
Hi Lai,
Thank you for clarification.