Cisco ASA TACACS+ with ISE

vsurresh (Level 1)

Hello.

I have been testing ASA TACACS+ with ISE for authentication and authorization. I am able to SSH into the ASA using a user that exists in AD. After I enabled aaa authorization command ISE-TACACS, I cannot run any commands. ISE TACACS+ reports show the username as 'INVALID' for type: Authorization. (Please see the screenshots.)

  • I can SSH and see in the ISE report that the correct policy is assigned.
  • When I run any command, the TACACS+ request goes to ISE with the username 'INVALID' and eventually fails.

asa-01# show interface ip brief
Command authorization failed

aaa-server ISE-TACACS protocol tacacs+
aaa-server ISE-TACACS (MGMT) 10.10.0.100
  key ******

aaa authentication ssh console ISE-TACACS LOCAL
aaa authorization command ISE-TACACS

EDIT - If I enable "disclose invalid usernames", the username shows as 'enable_15'.

Any idea?

Thanks
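To see exactly what the ASA puts on the wire for a command authorization (the username field the poster saw as 'enable_15'), here is an added example, written for this page and not code from the thread, from Cisco or from ISE. It builds and decodes a TACACS+ authorization REQUEST per RFC 8907, including the MD5 body obfuscation, so a captured packet can be decoded with the shared key. The shared key, session id, port name and client address are constructed for the example; the argument encoding (service=shell, cmd=, cmd-arg=, trailing <cr>) is the form Cisco devices use for shell command authorization.

```python
"""
Added example (not from the thread): encode and decode a TACACS+ (RFC 8907)
authorization REQUEST of the kind an ASA sends for command authorization.
Shared key, session id, port and addresses are constructed for the example.
"""
import hashlib
import struct

TAC_PLUS_MAJOR_VER = 0xC            # TACACS+ major version 12
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHOR = 0x02              # header type: authorization
TAC_PLUS_AUTHEN_METH_TACACSPLUS = 0x06
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
HEADER_LEN = 12


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5: chained MD5 pad, truncated to the body length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def asa_command_args(command: str) -> list[str]:
    """Argument list a Cisco device sends when authorizing a shell command."""
    words = command.split()
    return (["service=shell", f"cmd={words[0]}"]
            + [f"cmd-arg={w}" for w in words[1:]] + ["cmd-arg=<cr>"])


def build_author_request(key: bytes, session_id: int, user: str, port: str,
                         rem_addr: str, priv_lvl: int, args: list[str]) -> bytes:
    """Return a complete authorization REQUEST: clear header + obfuscated body."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT
    seq_no = 1  # the client sends the first packet of a session
    user_b, port_b, rem_b = user.encode(), port.encode(), rem_addr.encode()
    arg_b = [a.encode() for a in args]
    body = struct.pack("!BBBBBBBB",
                       TAC_PLUS_AUTHEN_METH_TACACSPLUS, priv_lvl,
                       TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN,
                       len(user_b), len(port_b), len(rem_b), len(arg_b))
    body += bytes(len(a) for a in arg_b)            # one length byte per arg
    body += user_b + port_b + rem_b + b"".join(arg_b)
    header = struct.pack("!BBBBII", version, TAC_PLUS_AUTHOR, seq_no, 0,
                         session_id, len(body))
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return header + bytes(x ^ y for x, y in zip(body, pad))


def decode_author_request(key: bytes, packet: bytes) -> dict:
    """Decode a request built as above; raise ValueError if the key or packet is wrong."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        "!BBBBII", packet[:HEADER_LEN])
    if ptype != TAC_PLUS_AUTHOR:
        raise ValueError(f"not an authorization packet: type {ptype:#x}")
    enc = packet[HEADER_LEN:HEADER_LEN + length]
    if len(enc) != length:
        raise ValueError("truncated packet")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = enc
    else:
        pad = pseudo_pad(session_id, key, version, seq_no, length)
        body = bytes(x ^ y for x, y in zip(enc, pad))
    _meth, priv_lvl, _atype, _svc, ulen, plen, rlen, argc = struct.unpack("!BBBBBBBB", body[:8])
    arg_lens = list(body[8:8 + argc])
    pos = 8 + argc
    fields = []
    for n in [ulen, plen, rlen] + arg_lens:
        fields.append(body[pos:pos + n].decode(errors="replace"))
        pos += n
    if pos != length:               # a wrong key yields random lengths; reject it
        raise ValueError("body length mismatch (wrong shared key?)")
    return {"user": fields[0], "port": fields[1], "rem_addr": fields[2],
            "priv_lvl": priv_lvl, "args": fields[3:]}


if __name__ == "__main__":
    key = b"constructed-shared-key"
    pkt = build_author_request(key, 0x1234ABCD, "enable_15", "ssh", "10.10.0.50",
                               15, asa_command_args("show interface ip brief"))
    print(decode_author_request(key, pkt))
```

Running the block prints the decoded request, whose user field is the literal string the ASA placed there; with a wrong shared key the decoder refuses the body rather than returning garbage.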

1 Accepted Solution

Accepted Solutions

Mike.Cifelli (VIP Alumni)

According to your screenshots it looks like you are using the default shell profile.  Please create a new shell profile with the appropriate priv level you wish to utilize for your scenario.  Work Centers->Device Administration->Policy Elements->Results->TACACS Profiles.  Then in your authz policy reference that new shell profile instead of the default one.  


Thanks, Mike. I did that too, but the issue is the same. (screenshot attached)

I don't understand why the command authorization request is sent out with the username 'enable_15'.

Thanks

Sorry. Creating a shell profile actually fixed the issue. It took 1 or 2 minutes.

Appreciate your help. 
