2671 Views, 0 Helpful, 3 Replies

Cisco ASA TACACS+ with ISE

vsurresh
Level 1

Hello.


I have been testing ASA TACACS+ with ISE for authentication and authorization. I am able to SSH into the ASA using a user that exists in AD. After I enabled aaa authorization command ISE-TACACS, I cannot run any commands. ISE TACACS+ reports show the username as 'INVALID' for type: Authorization. (Please see the screenshots.)

  • I can SSH in and see in the ISE report that the correct policy is assigned.
  • When I run any command, the TACACS+ request goes to ISE with the username 'INVALID' and eventually fails.


asa-01# show interface ip brief
Command authorization failed

aaa-server ISE-TACACS protocol tacacs+
aaa-server ISE-TACACS (MGMT) 10.10.0.100
  key ******

aaa authentication ssh console ISE-TACACS LOCAL
aaa authorization command ISE-TACACS

EDIT - If I disclose invalid usernames then the username shows as 'enable_15'


Any idea?

Thanks
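The root cause in this thread sits on the ISE side (the shell profile), which cannot be read off the ASA configuration, but the ASA AAA lines quoted above are the other half of the setup and are easy to mis-reference. The following is an added example, not code from the thread or from Cisco: a small parser that reads the aaa-server and aaa method-list lines, checks that every referenced server group is actually defined and has at least one host, and flags authentication/authorization lists with no LOCAL fallback (on the ASA, LOCAL is consulted when the server group is unreachable, so a list without it leaves no local path during a TACACS+ outage). The sample input is the poster's config with one constructed dangling reference added to show the check firing; function and field names are this example's own choices.

```python
"""Sanity-check the AAA portion of a Cisco ASA running-config.

Added example (not from the original thread): parses aaa-server and
aaa authentication/authorization/accounting lines and reports undefined
server groups, host-less groups, and method lists without LOCAL fallback.
"""
import re
from dataclasses import dataclass, field

# Constructed input: the AAA lines quoted in the post, plus a deliberately
# dangling reference (ISE-RADIUS, never defined) to show the check firing.
SAMPLE_CONFIG = """\
aaa-server ISE-TACACS protocol tacacs+
aaa-server ISE-TACACS (MGMT) 10.10.0.100
  key ******

aaa authentication ssh console ISE-TACACS LOCAL
aaa authorization command ISE-TACACS
aaa authentication enable console ISE-RADIUS
"""

# Leading keywords that describe *what* is being authenticated/authorized;
# everything after them on the line is the method list (server groups / LOCAL).
SCOPE_WORDS = {"ssh", "telnet", "http", "serial", "enable", "console", "command", "exec"}


@dataclass
class ServerGroup:
    name: str
    protocol: str
    hosts: list = field(default_factory=list)  # (interface, address) tuples


@dataclass
class MethodList:
    kind: str      # authentication | authorization | accounting
    scope: str     # e.g. "ssh console", "command"
    methods: list  # e.g. ["ISE-TACACS", "LOCAL"]


def parse_aaa(config: str):
    """Return ({group name: ServerGroup}, [MethodList, ...]) for the config text."""
    groups = {}
    lists = []
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"^aaa-server\s+(\S+)\s+protocol\s+(\S+)$", line):
            groups[m.group(1)] = ServerGroup(m.group(1), m.group(2))
        elif m := re.match(r"^aaa-server\s+(\S+)\s+\((\S+)\)\s+(\S+)$", line):
            group = groups.setdefault(m.group(1), ServerGroup(m.group(1), "unknown"))
            group.hosts.append((m.group(2), m.group(3)))
        elif line.startswith("aaa "):
            tokens = line.split()
            if len(tokens) < 3 or tokens[1] not in ("authentication", "authorization", "accounting"):
                continue
            i = 2
            while i < len(tokens) and tokens[i] in SCOPE_WORDS:
                i += 1
            if i == 2 or i == len(tokens):
                continue  # not a "<scope> <method-list>" line (e.g. exec authentication-server)
            lists.append(MethodList(tokens[1], " ".join(tokens[2:i]), tokens[i:]))
    return groups, lists


def audit_aaa(config: str) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    groups, lists = parse_aaa(config)
    findings = []
    for ml in lists:
        label = f"{ml.kind} {ml.scope}"
        for method in ml.methods:
            if method != "LOCAL" and method not in groups:
                findings.append(f"{label}: references undefined server group {method}")
        if ml.kind != "accounting" and "LOCAL" not in ml.methods:
            findings.append(f"{label}: no LOCAL fallback; if the server group is unreachable "
                            "there is no local path")
    for g in groups.values():
        if not g.hosts:
            findings.append(f"server group {g.name}: no hosts configured")
    return findings


if __name__ == "__main__":
    for finding in audit_aaa(SAMPLE_CONFIG):
        print(finding)
```

Run against the quoted config, the script reports the command-authorization list as having no LOCAL fallback and the constructed enable line as pointing at an undefined group, while the SSH authentication line passes. It deliberately does not judge whether the TACACS+ server will accept the authorization, since that depends on the ISE policy and shell profile discussed in the replies.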


3 Replies

Mike.Cifelli (Accepted Solution)
VIP Alumni

According to your screenshots it looks like you are using the default shell profile.  Please create a new shell profile with the appropriate priv level you wish to utilize for your scenario.  Work Centers->Device Administration->Policy Elements->Results->TACACS Profiles.  Then in your authz policy reference that new shell profile instead of the default one.  

Thanks, Mike. I did that too but the issue is the same. (screenshot attached) 

I don't understand why the command authorization request is sent out with the username of 'enable_15'.

Thanks

Sorry. Creating a shell profile actually fixed the issue. It took 1 or 2 minutes.

Appreciate your help.