Cisco Employee

AAA issues for ISE tacacs server

Hi experts,

I worked on an ISE 2.2 TACACS configuration for a customer and have the two issues below.

1. I assign the "network-operator" role to specific AD group users via TACACS profiles. The user is assigned the "network-operator" role successfully when logging in to the Nexus device, but can still execute all commands. When I disconnected the TACACS server, the user was authenticated and authorized locally and the network-operator user had read-only permission correctly. Below is the configuration.

aaa authentication login default group ise
aaa authentication login console group ise none
aaa authorization config-commands default group ise local
aaa authorization commands default group ise local
aaa accounting default group ise

2. "aaa authorization exec authentication-server auto-enable" is used in the ASA AAA configuration. A user coming in through an SSH session enters privileged EXEC mode (#) directly when assigned privilege 15, but the same user through a console session only enters user mode (>). Below is the configuration.

aaa authentication ssh console ise LOCAL
aaa authentication serial console ise LOCAL
aaa authentication enable console ise LOCAL
aaa authorization command ise LOCAL
aaa accounting command ise
aaa authorization exec authentication-server auto-enable


I am not sure if I am missing something for those two issues.


br,

Martin


Accepted Solution

Cisco Employee

Re: AAA issues for ISE tacacs server

T+ command authorization is optional for both types of devices.

For NX-OS, if you want to use the user roles only, then remove the two lines "aaa authorization config-commands ..." and "aaa authorization commands ...". If you want ISE to perform T+ command authorization, then create the command sets and add them to the T+ authorization policy rules.

Similar applies to the ASA CLI. If you want "local", then use "aaa authorization command LOCAL" (with ise in it).

As to your point #2, the "EXEC Authorization" (aka the auto-enable option) in ASA is for SSH/Telnet (TTY/VTY) access only. That is why a console login does not go directly to EXEC.
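
Added example (not from the thread or from Cisco): a small Python lint over the AAA lines posted above that flags the two behaviours the accepted answer describes, so the same mistake can be caught in a config review. The sample configs are constructed from the thread's own lines; the role-only NX-OS variant is the answer's suggestion applied.

```python
import re

# Constructed samples, assembled from the AAA lines posted in the thread.
NXOS_AS_POSTED = """\
aaa authentication login default group ise
aaa authentication login console group ise none
aaa authorization config-commands default group ise local
aaa authorization commands default group ise local
aaa accounting default group ise
"""
# Role-only variant from the accepted answer: the two command-authorization lines
# are dropped, so the role returned by ISE (e.g. network-operator) limits commands.
NXOS_ROLES_ONLY = """\
aaa authentication login default group ise
aaa authentication login console group ise none
aaa accounting default group ise
"""
ASA_AS_POSTED = """\
aaa authentication ssh console ise LOCAL
aaa authentication serial console ise LOCAL
aaa authentication enable console ise LOCAL
aaa authorization command ise LOCAL
aaa accounting command ise
aaa authorization exec authentication-server auto-enable
"""

NXOS_CMD_AUTHZ = re.compile(r"^aaa authorization (config-commands|commands) default group (\S+)")
ASA_AUTO_ENABLE = "aaa authorization exec authentication-server auto-enable"

def audit_nxos(config: str) -> list[str]:
    """Flag command authorization delegated to a TACACS+ server group."""
    findings = []
    for line in config.splitlines():
        m = NXOS_CMD_AUTHZ.match(line.strip())
        if m:
            findings.append(
                f"NX-OS: '{m.group(1)}' authorization goes to TACACS+ group "
                f"'{m.group(2)}'; the user role alone will not restrict commands, "
                "so define ISE command sets or remove this line to use roles only")
    return findings

def audit_asa(config: str) -> list[str]:
    """Flag auto-enable so nobody expects it to cover the serial console."""
    lines = {line.strip() for line in config.splitlines()}
    if ASA_AUTO_ENABLE in lines:
        return ["ASA: auto-enable drops SSH/Telnet sessions into privileged EXEC; "
                "serial console logins still start in user EXEC (>) and need 'enable'"]
    return []
```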


Cisco Employee

Re: AAA issues for ISE tacacs server

You might want to follow this link - How To: ISE TACACS+ Configuration for ASA Network Devices.

Let me know if this helps.

Thanks,

Nidhi

Cisco Employee

Re: AAA issues for ISE tacacs server

Hi Nidhi,

Thank you for your document, but it does not resolve my two issues. Yesterday I tried again on a Nexus 3K and 1000v for my first issue, and on an ASA5585 and ASAv for my second issue; the result is the same.


Cisco Employee

Re: AAA issues for ISE tacacs server

Hi Lai,

Thank you for the clarification.