After upgrade to ISE2.7 old Catalysts stop RADIUS authZ priv-lvl=15

Filip Po
Level 1

Hello, please look at the debug output which caused Authorization failure for users with priv-lvl=15 setup.

ISE doesn't see any problem and sends av-pairs to switch, but Catalyst does not allow authorization.

What changed in RADIUS from ISE 2.6 to ISE 2.7? What does it send to the device that the Catalyst does not understand?


ISE, as a result of the configuration, sends to the device:

Access Type = ACCESS_ACCEPT
Service-Type = 1
cisco-av-pair = shell:priv-lvl=15


And the debug output, as a result, shows the authorization failing:

Aug 18 14:08:49: AAA: parse name=tty1 idb type=-1 tty=-1
Aug 18 14:08:49: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
Aug 18 14:08:49: AAA/MEMORY: create_user (0x8) user='' ruser='' port='tty1' rem_addr='x.x.x.x' authen_type=ASCII service=LOGIN priv=1
Aug 18 14:08:49: AAA/AUTHEN/START (): port='tty1' list='' action=LOGIN service=LOGIN
Aug 18 14:08:49: AAA/AUTHEN/START (): using "default" list
Aug 18 14:08:49: AAA/AUTHEN/START (): Method=radius (radius)
Aug 18 14:08:49: AAA/AUTHEN (): status = GETUSER
Aug 18 14:08:51: AAA/AUTHEN/CONT (): continue_login (user='(undef)')
Aug 18 14:08:51: AAA/AUTHEN (): status = GETUSER
Aug 18 14:08:51: AAA/AUTHEN (): Method=radius (radius)
Aug 18 14:08:51: AAA/AUTHEN (): status = GETPASS
Aug 18 14:08:54: AAA/AUTHEN/CONT (): continue_login (user='USERNAME')
Aug 18 14:08:54: AAA/AUTHEN (): status = GETPASS
Aug 18 14:08:54: AAA/AUTHEN (): Method=radius (radius)
Aug 18 14:08:54: RADIUS: ustruct sharecount=1
Aug 18 14:08:54: RADIUS: added cisco VSA 2 len 4 "tty1"
Aug 18 14:08:54: RADIUS: Initial Transmit tty1 id 73 >:1812, Access-Request, len 100
Aug 18 14:08:54: Attribute 4 6 <any_number>
Aug 18 14:08:54: RADIUS: Received from id 73 <ise_ip_address>:1812, Access-Accept, len 342
Aug 18 14:08:54: Attribute 1 17 <any_number>
Aug 18 14:08:54: RADIUS: saved authorization data for user 123 at 234
Aug 18 14:08:54: AAA/AUTHEN (): status = PASS
Aug 18 14:08:54: tty1 AAA/AUTHOR/EXEC (): Port='tty1' list='' service=EXEC
Aug 18 14:08:54: AAA/AUTHOR/EXEC: tty1 () user='USERNAME'
Aug 18 14:08:54: tty1 AAA/AUTHOR/EXEC (): send AV service=shell
Aug 18 14:08:54: tty1 AAA/AUTHOR/EXEC (): send AV cmd*
Aug 18 14:08:54: tty1 AAA/AUTHOR/EXEC (): found list "default"
Aug 18 14:08:54: tty1 AAA/AUTHOR/EXEC (): Method=radius (radius)
Aug 18 14:08:54: RADIUS: cisco AVPair ":AuthenticationIdentityStore=Internal Users"
Aug 18 14:08:54: RADIUS: cisco AVPair ":FQSubjectName=<fq>#USERNAME"
Aug 18 14:08:54: RADIUS: cisco AVPair ":UniqueSubjectID=<uniqueid>"
Aug 18 14:08:54: RADIUS: cisco AVPair "shell:priv-lvl=15"
Aug 18 14:08:54: AAA/AUTHOR (): Post authorization status = PASS_ADD
Aug 18 14:08:54: AAA/AUTHOR/EXEC: Processing AV service=shell
Aug 18 14:08:54: AAA/AUTHOR/EXEC: Processing AV cmd*
Aug 18 14:08:54: AAA/AUTHOR/EXEC: Processing AV AuthenticationIdentityStore=Internal Users
Aug 18 14:08:54: AAA/AUTHOR/EXEC: received unknown mandatory AV: AuthenticationIdentityStore=Internal Users
Aug 18 14:08:54: AAA/AUTHOR/EXEC: Authorization FAILED
Aug 18 14:08:56: tty1 AAA/DISC: 9/"NAS Error"
Aug 18 14:08:56: tty1 AAA/DISC/EXT: 1002/"Unknown"
Aug 18 14:08:56: AAA/MEMORY: free_user () user='USERNAME' ruser='' port='tty1' rem_addr='x.x.x.x' authen_type=ASCII service=LOGIN priv=1


The Catalyst runs IOS version 12.1. I think this could be the error, but I do not know what to repair on the ISE side. Do you?: "AAA/AUTHOR/EXEC: received unknown mandatory AV: AuthenticationIdentityStore=Internal Users"

Thank you.
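An added triage helper (example code, not from the thread or from Cisco) that reads the "debug aaa authorization" / "debug radius" output above and extracts what ISE actually sent and what the NAS rejected. It relies on the Cisco AV-pair convention that "=" marks a mandatory attribute and "*" an optional one, which is why "cmd*" is processed silently while the unprefixed "AuthenticationIdentityStore=Internal Users" is fatal on this IOS release. The sample input is a constructed excerpt of the debug lines from the post.

```python
import re

# Constructed excerpt of the Catalyst debug output quoted in the post above.
DEBUG_OUTPUT = """\
Aug 18 14:08:54: RADIUS: Received from id 73 <ise_ip_address>:1812, Access-Accept, len 342
Aug 18 14:08:54: RADIUS: cisco AVPair ":AuthenticationIdentityStore=Internal Users"
Aug 18 14:08:54: RADIUS: cisco AVPair ":FQSubjectName=<fq>#USERNAME"
Aug 18 14:08:54: RADIUS: cisco AVPair ":UniqueSubjectID=<uniqueid>"
Aug 18 14:08:54: RADIUS: cisco AVPair "shell:priv-lvl=15"
Aug 18 14:08:54: AAA/AUTHOR/EXEC: Processing AV service=shell
Aug 18 14:08:54: AAA/AUTHOR/EXEC: Processing AV cmd*
Aug 18 14:08:54: AAA/AUTHOR/EXEC: Processing AV AuthenticationIdentityStore=Internal Users
Aug 18 14:08:54: AAA/AUTHOR/EXEC: received unknown mandatory AV: AuthenticationIdentityStore=Internal Users
Aug 18 14:08:54: AAA/AUTHOR/EXEC: Authorization FAILED
"""

AVPAIR_RE = re.compile(r'RADIUS: cisco AVPair "([^"]*)"')
UNKNOWN_RE = re.compile(r'received unknown mandatory AV: (.*)$')


def split_avpair(av):
    """Split 'proto:attr=value' into (protocol, attribute, value, mandatory).

    Cisco AV-pair syntax: 'attr=value' is mandatory (NAS must understand it or
    fail authorization), 'attr*value' is optional (NAS may ignore it).
    """
    proto, sep, rest = av.partition(":")
    if not sep:                      # no protocol prefix at all
        proto, rest = "", av
    m = re.match(r"([^=*]*)([=*])(.*)", rest)
    if not m:                        # bare attribute, treat as mandatory
        return proto, rest, "", True
    return proto, m.group(1), m.group(3), m.group(2) == "="


def triage(debug_text):
    """Summarise the AV pairs ISE sent, the ones the NAS rejected, and the outcome."""
    received, unknown, failed = [], [], False
    for line in debug_text.splitlines():
        m = AVPAIR_RE.search(line)
        if m:
            proto, attr, value, mandatory = split_avpair(m.group(1))
            received.append({"protocol": proto, "attribute": attr,
                             "value": value, "mandatory": mandatory})
            continue
        m = UNKNOWN_RE.search(line)
        if m:
            unknown.append(m.group(1).strip())
        elif "Authorization FAILED" in line:
            failed = True
    priv = next((r["value"] for r in received if r["attribute"] == "priv-lvl"), None)
    # Mandatory attributes with no protocol prefix are the ones an old IOS cannot map.
    unscoped = [r["attribute"] for r in received if r["mandatory"] and not r["protocol"]]
    return {"priv_lvl": priv, "rejected_mandatory_avs": unknown,
            "authorization_failed": failed, "unscoped_mandatory": unscoped}
```

Running `triage(DEBUG_OUTPUT)` confirms that priv-lvl=15 did arrive and that the failure is caused solely by the unprefixed mandatory ISE attributes, which is the evidence to attach when raising the case.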

1 Accepted Solution


hslai
Cisco Employee

ISE 3.0 Patch 3 has the fix for CSCvy74456

As for ISE 2.7, it's coming in Patch 5.


3 Replies

hslai
Cisco Employee

CSCvy74456 is what you are hitting.


Filip Po
Level 1

The workaround is: DO NOT use the priv-lvl=15 RADIUS cisco-av-pair argument; after successful authorization as a non-level-15 user, do an enable to shift the user's privilege level.


But I am hopefully waiting for the patch of ISE3.0.
