06-07-2018 08:44 AM
Hello,
I'm trying to connect to an ethernet switch that is configured to access the ISE CISCO server.
Before I start the tests with ISE CISCO, I used the TACACS.net server. I configured in this server a local user and defined the default profile Authorization Policy with this parameter: priv-lvl=7. The authentication and authorization were OK with the TACACS.net server.
Now, I'm trying to configure the access to ISE CISCO. I have downloaded the ISE CISCO Evaluation virtual machine and configured access:
1 - Definition of Network Device
2 - Definition of TACACS Profile with rules for authentication and authorization
I tried to log in to the ethernet switch using ISE CISCO as a TACACS server and received an error in the authorization. The authentication was OK.
I checked the authentication report, and the policy that I defined was used.
In the authorization report, the column "Authorization Policy" is empty.
How can I define the ISE Server to apply the authorization policy and avoid the error?
06-07-2018 10:03 AM
Hi,
Have you seen our how-to guides on setting up TACACS+ support in ISE for IOS devices?
https://communities.cisco.com/docs/DOC-64031
Regards,
-Tim
06-07-2018 10:21 AM
Hello,
I have seen the tutorials, but I'm trying to connect an ethernet switch from the NR manufacturer that is used in an energy substation.
This ethernet switch has just a place where we can put the TACACS server IP, port, timeout and shared key.
I would like to understand why ISE CISCO does not run any authorization policy, even the default policy.
In some YouTube videos, I could see that when there is an authorization error, it shows what policy was tested.
06-07-2018 02:46 PM
So authentication is showing green, can you post the step data?
Authorization is usually checking commands against the set command set, so will not see a policy.
Here is a snippet from mine. Authentication shows policy, authz does not.
06-07-2018 04:23 PM
Hello Dustin,
Thanks for your return.
I could see in your report that the column Authorization Policy has values when the type is "Authorization".
This is the point.
In my case, this column never has values, indicating that the Authorization Policy is never checked.
06-07-2018 04:55 PM
This is my Tacacs Live Log...
06-07-2018 05:02 PM
OK, I was misinterpreting, I get what you are saying now.
1: Does authentication show a profile?
I'm not sure what version of ISE you have, I have 2.3, so may be somewhat different.
If you go to Work Center/Device Admin Policy Sets, you should have the default. I'm assuming you have made a rule under that for the switch to hit. Below is mine for an NX-OS device.
Now, for one of the ones you have without the policy, can you click on the details? Can you post the step data, omitting any personal info? An example of mine is below. Do you see it hitting a permit rule?
13005 Received TACACS+ Authorization Request - my.domain
15049 Evaluating Policy Group - networker
15008 Evaluating Service Selection Policy - my.domain
15041 Evaluating Identity Policy - my.domain
22072 Selected identity source sequence - All_User_ID_Stores
15013 Selected Identity Source - my.domain
24432 Looking up user in Active Directory - my.domain
24325 Resolving identity - networker
24313 Search for matching accounts at join point - my.domain
24319 Single matching account found in forest - my.domain
24323 Identity resolution detected single matching account
22037 Authentication Passed
15036 Evaluating Authorization Policy
24432 Looking up user in Active Directory
24325 Resolving identity
24313 Search for matching accounts at join point
24319 Single matching account found in forest
24323 Identity resolution detected single matching account
24355 LDAP fetch succeeded
24416 User's Groups retrieval from Active Directory succeeded
15048 Queried PIP - my.domain.ExternalGroups
15048 Queried PIP - TACACS.User
15048 Queried PIP - DEVICE.Device Type
15048 Queried PIP - Network Access.UserName
15018 Selected Command Set
13024 Command matched a Permit rule
13034 Returned TACACS+ Authorization Reply
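As an added illustration (not code from this thread or from ISE), a small Python check that parses ISE TACACS+ step data like the block above and reports whether the authorization policy was actually evaluated; the step codes used (22037, 15036, 13024) are the ones quoted in the post, and the two sample logs are constructed, the second one shortened to show a flow that stops right after authentication.

```python
import re
from typing import Dict, List

# Constructed sample 1: a healthy flow, trimmed from the step data quoted above.
GOOD_STEPS = """13005 Received TACACS+ Authorization Request - my.domain
22037 Authentication Passed
15036 Evaluating Authorization Policy
15018 Selected Command Set
13024 Command matched a Permit rule
13034 Returned TACACS+ Authorization Reply"""

# Constructed sample 2: authentication passes but the authorization policy
# is never evaluated, which is what an empty "Authorization Policy" column
# in the report would correspond to.
STUCK_STEPS = """13005 Received TACACS+ Authorization Request - my.domain
22037 Authentication Passed
13034 Returned TACACS+ Authorization Reply"""

# "<5-digit code> <message>[ - <detail>]" as it appears in ISE step data.
STEP_RE = re.compile(r"^\s*(\d{5})\s+(.*?)(?:\s+-\s+(.*))?$")


def parse_steps(text: str) -> List[Dict[str, str]]:
    """Turn each step line into {code, msg, detail}; skip non-matching lines."""
    steps = []
    for line in text.splitlines():
        m = STEP_RE.match(line)
        if m:
            steps.append({"code": m.group(1), "msg": m.group(2),
                          "detail": m.group(3) or ""})
    return steps


def diagnose(text: str) -> str:
    """Say how far the TACACS+ authorization flow got, based on step codes."""
    codes = [s["code"] for s in parse_steps(text)]
    if "22037" not in codes:                      # Authentication Passed
        return "authentication did not pass"
    if "15036" not in codes:                      # Evaluating Authorization Policy
        return "authenticated but authorization policy never evaluated"
    if "13024" in codes:                          # Command matched a Permit rule
        return "authorization policy evaluated; command matched a Permit rule"
    return "authorization policy evaluated; no Permit match"


if __name__ == "__main__":
    for name, log in (("good", GOOD_STEPS), ("stuck", STUCK_STEPS)):
        print(f"{name}: {diagnose(log)}")
```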
06-07-2018 05:32 PM
My version is 2.4.
Below, some configurations...
06-07-2018 05:34 PM
Below some configurations...
06-07-2018 06:03 PM
OK, there are no hits on the rules, and it fails with an invalid request. Sounds like the switch is not sending the request correctly.
What is the switch you are using, what brand and model?
You may want to try different device and TACACS modes under the ISE network devices.
06-07-2018 06:12 PM
The energy substation is using an ethernet switch PCS-9882GD, from NR Company.
This company has just implemented this TACACS function now, and I tested it with the TACACS.NET server without problems.
But you may be right, they must check the authorization request.
I will check with other devices.
Thanks a lot for your support.
06-07-2018 06:30 PM
No problem, you can maybe also contact NR Company to see if they have implemented TACACS with ISE.