vsurresh
Beginner

Cisco ASA TACACS+ with ISE

Hello.

I have been testing ASA TACACS+ with ISE for authentication and authorization. I am able to SSH into the ASA using a user that exists in AD. After I enabled aaa authorization command ISE-TACACS, I cannot run any commands. ISE TACACS+ reports show the username as 'INVALID' for type: Authorization. (Please see the screenshots)

  • I can SSH and see the ISE report that the correct policy is assigned. 
  • When I run any command, tacacs+ request goes to ISE with the username of 'INVALID' and eventually fails. 

 

asa-01# show interface ip brief
Command authorization failed

aaa-server ISE-TACACS protocol tacacs+
aaa-server ISE-TACACS (MGMT) 10.10.0.100
  key ******

aaa authentication ssh console ISE-TACACS LOCAL
aaa authorization command ISE-TACACS

EDIT - If I disclose invalid usernames, the username shows as 'enable_15'.

Any idea?

Thanks

Accepted Solutions
Mike.Cifelli
VIP Advocate

According to your screenshots it looks like you are using the default shell profile.  Please create a new shell profile with the appropriate priv level you wish to utilize for your scenario.  Work Centers->Device Administration->Policy Elements->Results->TACACS Profiles.  Then in your authz policy reference that new shell profile instead of the default one.  

Thanks, Mike. I did that too, but the issue is the same. (screenshot attached)

I don't understand why the command authorization request is sent out with the username of 'enable_15'.

Thanks

Sorry. Creating a shell profile actually fixed the issue. It took 1 or 2 minutes.

Appreciate your help. 
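As an added example (not from the thread, and not Cisco's or ISE's own code), a small Python triage script that scans an ISE TACACS+ authorization export for the symptom described above: command authorizations arriving under 'INVALID' or 'enable_15' on a device whose SSH login was handed the default shell profile. The CSV column layout and the sample rows are constructed assumptions for this example, not ISE's real export format.

```python
import csv
from io import StringIO

# Constructed sample of an ISE TACACS+ report export. The column layout is an
# assumption made for this example, not the real ISE export schema.
SAMPLE_REPORT = """\
timestamp,type,username,device,shell_profile,command,status
2024-01-01T10:00:00,Authentication,jdoe,asa-01,,,Pass
2024-01-01T10:00:01,Authorization,jdoe,asa-01,Default Shell Profile,,Pass
2024-01-01T10:00:05,Authorization,enable_15,asa-01,,show interface ip brief,Fail
2024-01-01T10:00:09,Authorization,INVALID,asa-01,,show running-config,Fail
2024-01-01T10:05:00,Authorization,jdoe,asa-01,ASA-Priv15,show interface ip brief,Pass
"""

# Usernames ISE shows when the ASA authorizes a command under the enable
# identity instead of the SSH user: 'INVALID' with the default report masking,
# 'enable_15' once invalid usernames are disclosed (as noted in the question).
PLACEHOLDER_USERS = {"INVALID", "enable_15"}


def triage(report_text):
    """Group authorization records per device and collect both halves of the
    symptom: logins that received the default shell profile, and command
    authorizations that arrived under a placeholder username."""
    findings = {}
    for r in csv.DictReader(StringIO(report_text)):
        if r["type"] != "Authorization":
            continue
        f = findings.setdefault(
            r["device"], {"default_profile_logins": [], "placeholder_cmd_auth": []}
        )
        if r["command"] == "" and r["shell_profile"] == "Default Shell Profile":
            # Session (exec) authorization that got the default profile.
            f["default_profile_logins"].append(r["username"])
        elif r["command"] and r["username"] in PLACEHOLDER_USERS:
            # Per-command authorization not tied to the logged-in user.
            f["placeholder_cmd_auth"].append((r["username"], r["command"], r["status"]))
    return findings


def likely_default_shell_profile(findings, device):
    """True when a device shows both a default-profile login and command
    authorizations under enable_15/INVALID, i.e. the pattern fixed in this
    thread by assigning a shell profile with an explicit privilege level."""
    f = findings.get(device)
    return bool(f and f["default_profile_logins"] and f["placeholder_cmd_auth"])
```

Run it over a real export by replacing SAMPLE_REPORT with the file contents after mapping the columns to the names used here.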
