01-25-2021 05:28 AM - edited 01-25-2021 05:57 AM
Hello.
I have been testing ASA TACACS+ with ISE for authentication and authorization. I am able to SSH into the ASA using a user that exists in AD. After I enabled aaa authorization command ISE-TACACS, I cannot run any commands. ISE TACACS+ reports show the username as 'INVALID' for type: Authorization. (Please see the screenshots)
asa-01# show interface ip brief
Command authorization failed
aaa-server ISE-TACACS protocol tacacs+
aaa-server ISE-TACACS (MGMT) host 10.10.0.100
 key ******
aaa authentication ssh console ISE-TACACS LOCAL
aaa authorization command ISE-TACACS
EDIT - If I enable "disclose invalid usernames", then the username shows as 'enable_15'.
Any idea?
Thanks
01-25-2021 06:01 AM
According to your screenshots it looks like you are using the default shell profile. Please create a new shell profile with the appropriate priv level you wish to utilize for your scenario. Work Centers->Device Administration->Policy Elements->Results->TACACS Profiles. Then in your authz policy reference that new shell profile instead of the default one.
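To show what ISE is actually evaluating against that shell profile, here is an added Python example (not from this thread and not Cisco code) that encodes and decodes the TACACS+ authorization REQUEST a device sends for one command, following RFC 8907. The user and priv_lvl fields it carries are what the authorization policy sees; the port, rem_addr, session id and shared key values are constructed for the demo.

```python
import hashlib
import struct

# RFC 8907 constants used in the authorization (packet type 0x02) exchange
TAC_PLUS_AUTHOR = 0x02
TAC_PLUS_AUTHEN_METH_TACACSPLUS = 0x06
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
AUTHOR_STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL", 0x11: "ERROR"}

def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the MD5 pad stream from RFC 8907 5.2 (symmetric: encodes and decodes)."""
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return bytes(b ^ p for b, p in zip(body, pad))

def build_author_request(user, command, session_id, key, priv_lvl, port="ssh", rem_addr="10.10.0.5"):
    """Encode the authorization REQUEST a device sends for one command (port/rem_addr are assumed)."""
    words = command.split()
    args = [b"service=shell", b"cmd=" + words[0].encode()]
    args += [b"cmd-arg=" + w.encode() for w in words[1:]] + [b"cmd-arg=<cr>"]
    body = bytes([TAC_PLUS_AUTHEN_METH_TACACSPLUS, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                  TAC_PLUS_AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr), len(args)])
    body += bytes(len(a) for a in args) + user.encode() + port.encode() + rem_addr.encode() + b"".join(args)
    version, seq_no = 0xC0, 1  # major version 0xC, minor 0; the client opens the session with seq_no 1
    header = struct.pack("!BBBBII", version, TAC_PLUS_AUTHOR, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)

def parse_author_request(packet, key):
    """Decode a REQUEST the way the server does: user, priv_lvl and the cmd/cmd-arg list."""
    version, ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = obfuscate(packet[12:12 + length], session_id, key, version, seq_no)
    _, priv_lvl, _, _, ulen, plen, rlen, argc = body[:8]
    arg_lens, pos = body[8:8 + argc], 8 + argc
    user = body[pos:pos + ulen].decode()
    pos += ulen + plen + rlen  # skip port and rem_addr
    args = []
    for n in arg_lens:
        args.append(body[pos:pos + n].decode())
        pos += n
    return {"user": user, "priv_lvl": priv_lvl, "args": args}

def reply_status(reply_body):
    """Map the first byte of a decoded authorization REPLY body to its status name."""
    return AUTHOR_STATUS.get(reply_body[0], "UNKNOWN")
```

A REPLY whose status byte is 0x10 (FAIL) is what the ASA turns into "Command authorization failed"; the username decoded from the REQUEST is the one ISE reports for that authorization attempt.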
01-25-2021 06:04 AM
01-25-2021 06:09 AM
Sorry. Creating a shell profile actually fixed the issue. It took 1 or 2 minutes.
Appreciate your help.