ACS 5.5 command sets

Eric R. Jones
Level 4

Hello all, I have ACS 1121 version 5.5 and I am about crazy setting up shell profiles and command sets.

The user has access, but when I try to set up which commands to deny/permit it never works.

The user continuously has full access no matter what I do.

I have deleted and recreated policies and followed a few videos on YouTube, but nothing seems to work.

Either they are denied access completely or they have full access.

Can anyone shed some light on this?

I even went to ACS school but the book isn't very detailed.

ej

15 Replies

Kanwaljeet Singh
Cisco Employee

Hi Eric,

What do you see in the logs? Do you see the correct access policy being hit, as well as the correct shell profile and command set?

Is your device configured for authorization?

Regards,

Kanwal

Note: Please mark answers if they are helpful.

Yes, I'm seeing green across the board when looking at the associated user ID. They are tracked through the proper identity stores and then through the proper profiles.

ej

nspasov
Cisco Employee

Please post:

1. Screen shot of your ACS policies and authorization profiles

2. AAA configurations of your router

Thank you for rating helpful posts!

Here are the screenshots, hopefully they are the correct ones, and the aaa configuration.

I'm sure there's some mismatch in my policies and profiles, but I'm not finding it.

ej

Thank you for providing the details, EJ. Overall things look good, with these exceptions:

1. I see that you have a "default device admin" access policy. I am wondering if you are perhaps hitting that rule and not the one that you created. Can you confirm if this rule is being used? If not, you should disable it. The rules are processed in a top-down fashion, thus you should place your more specific rules towards the top.

2. Can you post a screenshot of your "Service Selection Rules" screen?

3. In your "command sets" screen, you have the box "permit any commands that is not listed in the table below". This might be OK, but just making sure. Usually, for limited access, you block all commands and permit the commands that are in the table.

Thank you for rating helpful posts!

I took your advice, and was wondering if the positioning of the rules would make a difference.

1. Disabled the Default Device Admin and Default Network Access rules and lowered them in the order to the bottom of the list. The target account was still able to log in and had full control; however, the users attached to the Default Device Admin were not.

2. Enabled the rules and got the same result. So I moved it back up the list and everything went back to normal for all users; however, at no time was the target user prevented from accessing everything normally.

3. Revisited the checkbox on the Permit/Deny commands of the command sets and that has not changed. No matter how I populate it, with explicit denies or permits, check the box or uncheck the box, nothing changes.

Singh, I finally got the device to start sending logs to the server a couple of days ago and found information in it that states it's using the Default Device Admin rule. Which is a bit confusing, since I turned it off and moved it, so it shouldn't have accessed it but the one I created specifically for the group this user is in. The confusing part is when I disabled that rule that user was still able to access it but others were not.

Definitely need to revisit my maps and rules.

Log snippet:

2015-06-24 05:44:18 Local7.Info ############ Jun 24 05:44:18 yacs001 CSCOacs_Policy_Diagnostics 0007618767 1 0 2015-06-24 05:44:18.638 +09:00 0000337297 15004 INFO Policy: Matched rule, ACSVersion=acs-5.5.0.46-B.723, ConfigVersionId=48, Device IP Address=########, UserName=cbench, Protocol=Tacacs, Time And Date=1435092258, PolicyType=ServiceSelectionPolicy, AcsSessionID=yacs001/224215809/23355, Response={RuleIndex=1; RuleName=Default Device Admin; }

2015-06-24 05:44:18 Local7.Info ###.###.###.### Jun 24 05:44:18 yacs001 CSCOacs_Authentication_Flow_Diagnostics 0007618768 1 0 2015-06-24 05:44:18.638 +09:00 0000337299 22078 INFO Authentication: Audit session was not found., ACSVersion=acs-5.5.0.46-B.723, ConfigVersionId=48, Device IP Address=###.###.###.###, UserName=cbench, AcsSessionID=yacs001/224215809/23355, SelectedAccessService=Default Device Admin, AuditSessionId=cbench:###.###.###.###:tty1:###.###.###.###,

2015-06-24 05:44:18 Local7.Notice ###.###.###.### Jun 24 05:44:18 yacs001 CSCOacs_TACACS_Accounting 0007618769 1 0 2015-06-24 05:44:18.638 +09:00 0000337301 3303 NOTICE Tacacs-Accounting: TACACS+ Accounting WATCHDOG, ACSVersion=acs-5.5.0.46-B.723, ConfigVersionId=48, Device IP Address=###.###.###.###, RequestLatency=1, Type=Accounting, Privilege-Level=15, Service=Login, User=cbench, Port=tty1, Remote-Address=###.###.###.###, Authen-Method=TacacsPlus, AVPair=task_id=4431, AVPair=timezone=UTC, AVPair=start_time=1435091872, AVPair=pre-session-time=0, AVPair=elapsed_time=386, AVPair=stop_time=1435092258, AVPair=stop_time=1435092258, AcctRequest-Flags=Watchdog, Service-Argument=shell, AcsSessionID=yacs001/224215809/23355, SelectedAccessService=Default Device Admin, Step=13006 , Step=15008 , Step=15004 , Step=15012 , Step=22078 , Step=13035 , NetworkDeviceName=3750 Switches, NetworkDeviceGroups=RADIUS Server:RADIUS Server, NetworkDeviceGroups=SRFYokosukaNetDevGrp:SRFYokoNDG, NetworkDeviceGroups=Device Type:All Device Types:Switches:3750s, NetworkDeviceGroups=Location
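The log lines above carry the answer to Kanwal's first question (which service selection rule was matched, and which access service the session ended up in). As an added example that is not part of the thread, here is a small parser for these CSCOacs syslog records that extracts the matched rule and selected access service per session and flags sessions that landed somewhere other than the policy author intended. The first three sample lines are modelled on the masked snippet above (accounting line trimmed); the fourth line, the user "netops1" and the rule name "Switch Operators" are constructed for contrast.

```python
import re
from collections import defaultdict

# Constructed sample input: lines 1-3 follow the masked syslog snippet posted in the
# thread (addresses kept as ###.###.###.###, accounting line trimmed); line 4 is
# hypothetical and shows a user who does hit a more specific rule ("Switch Operators"
# is an assumed rule name, not one from the thread).
SAMPLE_LOG = """\
2015-06-24 05:44:18 Local7.Info ###.###.###.### Jun 24 05:44:18 yacs001 CSCOacs_Policy_Diagnostics 0007618767 1 0 2015-06-24 05:44:18.638 +09:00 0000337297 15004 INFO Policy: Matched rule, ACSVersion=acs-5.5.0.46-B.723, ConfigVersionId=48, Device IP Address=###.###.###.###, UserName=cbench, Protocol=Tacacs, Time And Date=1435092258, PolicyType=ServiceSelectionPolicy, AcsSessionID=yacs001/224215809/23355, Response={RuleIndex=1; RuleName=Default Device Admin; }
2015-06-24 05:44:18 Local7.Info ###.###.###.### Jun 24 05:44:18 yacs001 CSCOacs_Authentication_Flow_Diagnostics 0007618768 1 0 2015-06-24 05:44:18.638 +09:00 0000337299 22078 INFO Authentication: Audit session was not found., ACSVersion=acs-5.5.0.46-B.723, ConfigVersionId=48, Device IP Address=###.###.###.###, UserName=cbench, AcsSessionID=yacs001/224215809/23355, SelectedAccessService=Default Device Admin, AuditSessionId=cbench:###.###.###.###:tty1:###.###.###.###,
2015-06-24 05:44:18 Local7.Notice ###.###.###.### Jun 24 05:44:18 yacs001 CSCOacs_TACACS_Accounting 0007618769 1 0 2015-06-24 05:44:18.638 +09:00 0000337301 3303 NOTICE Tacacs-Accounting: TACACS+ Accounting WATCHDOG, ACSVersion=acs-5.5.0.46-B.723, ConfigVersionId=48, Device IP Address=###.###.###.###, RequestLatency=1, Type=Accounting, Privilege-Level=15, Service=Login, User=cbench, Port=tty1, AVPair=task_id=4431, AVPair=timezone=UTC, AVPair=elapsed_time=386, AcctRequest-Flags=Watchdog, Service-Argument=shell, AcsSessionID=yacs001/224215809/23355, SelectedAccessService=Default Device Admin, Step=13006 , Step=15008 , NetworkDeviceName=3750 Switches, NetworkDeviceGroups=Device Type:All Device Types:Switches:3750s
2015-06-24 05:51:02 Local7.Info ###.###.###.### Jun 24 05:51:02 yacs001 CSCOacs_Policy_Diagnostics 0007618801 1 0 2015-06-24 05:51:02.114 +09:00 0000337340 15004 INFO Policy: Matched rule, ACSVersion=acs-5.5.0.46-B.723, ConfigVersionId=48, Device IP Address=###.###.###.###, UserName=netops1, Protocol=Tacacs, PolicyType=ServiceSelectionPolicy, AcsSessionID=yacs001/224215809/23400, Response={RuleIndex=2; RuleName=Switch Operators; }
"""

# Fixed header of a CSCOacs record: ACS host, message category, three sequence fields,
# timestamp and offset, message id, message code, severity, summary, then the body.
HEADER_RE = re.compile(
    r"(?P<host>\S+)\s+CSCOacs_(?P<category>\w+)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<tz>[+-]\d{2}:\d{2})\s+"
    r"\d+\s+(?P<code>\d+)\s+(?P<level>[A-Z]+)\s+(?P<summary>[^:]+):\s*(?P<body>.*)$"
)
# Body is "Key=value" pairs separated by ", ". Values may contain "=" themselves
# (AVPair=task_id=4431) or be a brace group (Response={RuleIndex=1; RuleName=...; }).
KV_RE = re.compile(r"(?:^|,\s*)(?P<key>[A-Za-z][\w \-]*?)=(?P<val>\{[^}]*\}|[^,]*)")


def parse_kv(body):
    """Parse the body into a dict; repeated keys (AVPair, Step, ...) become lists."""
    fields = {}
    for m in KV_RE.finditer(body):
        key, val = m.group("key").strip(), m.group("val").strip()
        if val.startswith("{") and val.endswith("}"):
            parts = (p.strip() for p in val[1:-1].split(";"))
            val = dict(p.split("=", 1) for p in parts if p)
        if key in fields:
            prev = fields[key]
            fields[key] = prev + [val] if isinstance(prev, list) else [prev, val]
        else:
            fields[key] = val
    return fields


def parse_line(line):
    m = HEADER_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["fields"] = parse_kv(rec.pop("body"))
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def policy_decisions(records):
    """Per AcsSessionID: the user, the matched service selection rule, and the access service."""
    out = defaultdict(dict)
    for r in records:
        f = r["fields"]
        sid = f.get("AcsSessionID")
        if not sid:
            continue
        d = out[sid]
        if not d.get("user"):
            d["user"] = f.get("UserName") or f.get("User")
        if r["category"] == "Policy_Diagnostics" and f.get("PolicyType") == "ServiceSelectionPolicy":
            resp = f.get("Response")
            d["service_rule"] = resp.get("RuleName") if isinstance(resp, dict) else None
        if "SelectedAccessService" in f:
            d["access_service"] = f["SelectedAccessService"]
    return dict(out)


def unexpected_service(records, expected_by_user):
    """Sessions whose access service differs from the one the policy author expects for that user."""
    mismatches = []
    for sid, d in policy_decisions(records).items():
        want = expected_by_user.get(d.get("user"))
        got = d.get("access_service") or d.get("service_rule")
        if want and got != want:
            mismatches.append((sid, d["user"], want, got))
    return mismatches


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for sid, d in policy_decisions(recs).items():
        print(sid, d)
    print(unexpected_service(recs, {"cbench": "Switch Operators", "netops1": "Switch Operators"}))
```

Feeding the real syslog stream to `unexpected_service` with the rule each user is supposed to hit gives a quick way to confirm, as nspasov suspected, that a session is being caught by the default rule before it ever reaches the one you created; the RuleIndex=1 in the Response field says the same thing.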

 

 

Hmm, yeah that is strange. Let me ask you this:

1. Can you post a screenshot of your "Service Selection Rules" screen?

2. Do you see "Hit Counts" for the specific policy that you had created? 

Here is the screen shot and as you can see there are hits for all but default network access which I disabled anyway.

The hit counts may be showing up because I had moved the rules up and down the list.

ej

You should be able to clear the counters and test again. As of right now, the default rule will always be hit since its only "condition" is the protocol "tacacs+". I have set this up in my lab and I am also using the default rule, and inside it I have different authentication/authorization rules. If you don't like that solution you would have to either move that rule again or make it a bit more specific. Basically you have to make it unique enough that the test authentications won't hit that rule.

My understanding of how these rules work is similar to that of an ACL. Once it hits the first match it doesn't go any further. But based on your line of making it more specific, would that mean adding more checks to a given rule that aren't mirrored in another rule? Sorry, but I may be overthinking this.

ej

Yes, your understanding is correct. Once a match occurs the process stops. Making the rule more specific/unique ensures that you won't have conflicts. For instance, you have the default rule that has no conditions; thus, everything will match that, and therefore the rule is at the bottom.

Another example, let's say you want to create two rules. One is based on members from "domain admins" AD group and the other one is based on "domain users" AD group. Placing the "domain users" rule above the "domain admins" will prevent the "domain admins" rule from ever being hit. Why? Well because even "domain admins" are part of "domain users" but not vice-versa. As a result, you would want to place the "domain admins" rule above the "domain users" one. 

I hope this makes sense!

AH HA!!! I think I get it.

I just went into the Default Device Admin, changed it to Rule based (how did I miss that radio button?), and created the same rules in there that I had done separately.

check the attachment

So by enabling that setting you are basically given the flexibility to look at different identity sources based on different rules, rather than just having a default one. Identity in ACS really = Authentication. Not sure why Cisco did not call it that :)

Once the authentication passes then the session proceeds to the authorization table. This is where you would restrict access via command sets and authorization profiles. 

Let me know how it works!

Ok I know why it's breaking and what is breaking it.

Now I just need to figure out how to create the policies so that rule flow works.

The documents I have read so far don't seem to explain rule flow in the way I need to understand it. The course material isn't as detailed as I would like, but I'm sure I'll find the right information.

You folks wouldn't happen to know of any good locations to get better acquainted with this, would you?

I have found some videos, Lab Minutes, and a couple of others that could be fruitful.

ej