10-13-2016 06:47 AM - edited 03-11-2019 12:08 AM
We're trying to use AD group membership as part of authentication rules for the TACACS+ policy sets. However, while we can write such a rule (<our AD>:ExternalGroups EQUALS <AD group>), it immediately replaces the AD group name with the SID, and the rule just doesn't work.
We can cue off username, device type, location etc. but not the AD group membership. This works fine in the authorization section of the same policy set.
Interestingly, we also don't seem to be able to refer to internal account identity group memberships in the authentication rules for TACACS+.
Is this supposed to work and I'm just missing something obvious? Are there any documented limitations that I missed?
10-15-2016 06:01 AM
The authentication rule doesn't have an AD group option to use. However, you can use the identity store for internal or AD.
It works like this only. Still, if you have any concerns, please let me know.
Regards
Gagan
ps : rate if it helps!!!
10-17-2016 06:19 AM
That's not entirely how our install behaves. When you build an authentication rule, and you just browse the available options, AD isn't there. But if instead you type in "External" in the search box, the options appear and are selectable and even correctly offer the values in the rule creation -- but the rule won't work right.
And as mentioned, internal group memberships don't appear to work either. I'm failing to understand how you can write a real policy without some kind of group membership option.
10-15-2016 02:16 PM
Can you post a screen shot of your Authentication and Authorization rules?
10-17-2016 06:29 AM
Here's a pared down example of an auth rule that doesn't work.
The authorization rule is actually a compound condition that basically has the same rule as the authentication policy. I can go and write it out.
It doesn't matter whether you put the rule in a compound condition and use that for authentication or authorization, or write the rule in the policy set. Auth never works, authz always works.
(Initially we wrote the rules as compound conditions to make it cleaner.)
10-17-2016 08:38 AM
Update from our related TAC case: ISE cannot use any parameters such as group memberships, internal or external, during the authentication phase. You can only use group memberships during authorization.
This is of course really bad, since it means we can't prevent a valid AD or internal credential needed for RADIUS from also logging into a switch based on group membership, so we'll be pursuing an enhancement request with our account team. We don't want to have to list individual IDs to control access in authentication policy.
10-17-2016 11:16 AM
Hey Toivo,
You actually only want to specify AD groups in your authorization policy and not your authentication policy. The authentication policy is really only used to specify the authentication protocols you want to allow and the user database you want to use. For device admin, these settings are not as important as it would be in a NAC deployment and I typically only use the default rule. I would delete the AD Group authentication rule that you created and use the default rule. Of course, change the user database from denyaccess to the identity sequence that you configured. From there, make sure that you have both your AD and internal user database selected in your TACACS+ identity sequence and your configuration should work.
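The two-phase behaviour this reply describes (authentication only selects the identity store sequence, group conditions only take effect at authorization), as an added Python model that is not from the thread or from Cisco; the store names, users, groups and shell profile names are constructed assumptions:

```python
# Added example (not from the thread or Cisco): a small model of how a TACACS+
# policy set evaluates, showing why a valid credential always passes the
# authentication policy and the AD-group check only bites at authorization.
# All store names, users, groups and profile names below are constructed.
from dataclasses import dataclass, field

# Constructed identity stores: an AD join point and the ISE internal user DB.
AD_USERS = {"alice": {"pw": "s3cret", "groups": {"NetAdmins"}},
            "bob":   {"pw": "hunter2", "groups": {"Helpdesk"}}}
INTERNAL_USERS = {"svc-radius": {"pw": "radius-only", "groups": set()}}
# Identity source sequence as the reply suggests: AD first, then internal.
SEQUENCE = [("AD1", AD_USERS), ("Internal Users", INTERNAL_USERS)]

@dataclass
class Result:
    authenticated: bool
    store: str = ""
    groups: set = field(default_factory=set)
    shell_profile: str = "Deny All Shell Profile"   # constructed default

def authenticate(user, pw):
    """Authentication policy: only walks the identity store sequence.
    No group condition exists here (the TAC finding in the thread)."""
    for name, store in SEQUENCE:
        rec = store.get(user)
        if rec is not None:
            if rec["pw"] == pw:
                return Result(True, name, set(rec["groups"]))
            # Assumption: a wrong password stops the sequence (no fall-through).
            return Result(False, name)
    return Result(False)                 # user not found in any store

def authorize(res):
    """Authorization policy: the only place an ExternalGroups condition works."""
    if not res.authenticated:
        return res
    if res.store == "AD1" and "NetAdmins" in res.groups:
        res.shell_profile = "Priv15 Shell Profile"  # constructed profile name
    return res

def device_admin_login(user, pw):
    """Full flow: authc then authz. A valid but unprivileged credential
    (e.g. the RADIUS-only account) authenticates yet gets the deny profile."""
    res = authorize(authenticate(user, pw))
    return res.authenticated, res.shell_profile
```

The svc-radius case is the one the original poster worries about: the credential is accepted at authentication and can only be stopped by the authorization result.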
10-17-2016 11:24 AM
Yes you are correct in this. You can restrict them from doing anything after they login, but they will be able to initially login with their credentials.
10-17-2016 02:26 PM
I appreciate the reply.
Yeah, and that's not really OK with either me or our InfoSec group. The only workaround I've found is to craft an auth rule that individually lists allowed usernames, but that's neither scalable nor sufficiently automatic for things like personnel changes (hires, fires) in AD. I thought I was missing something obvious, but apparently ISE just doesn't have the capability currently.