
Cisco Device admin policy set using RSA as external ID source

stuartcross (Level 1)

Trying to configure a device admin policy set for TACACS+, using RSA to authenticate. I can get the authentication to work and I see ISE talking to RSA in the TACACS+ logs and authenticating OK; however, the authorization fails and says there is no user in the selected identity store. How can I configure the authorization part of the policy?

Thanks

Accepted Solution

Try to enable the user cache under the RSA config and let us know the result. Suspecting that it could be the issue below as well:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvz88188

But until the runtime, nsf and nsf-session debug logs are seen, this cannot be confirmed.


23 Replies

M02@rt37 (VIP)

Hello @stuartcross,

To configure the authorization part of the device admin policy set for TACACS+, you need to define the authorization profile and authorization rules in Cisco ISE.

https://content.cisco.com/chapter.sjs?uri=/searchable/chapter/content/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_010011.html.xml

=> Manage Authorization Policies and Profiles

Best regards

No, that's not an answer to my question.

M02@rt37 (VIP)

OK @stuartcross,

Have you configured the necessary identity store in ISE to retrieve user information? This identity store can be an Active Directory server, LDAP server, or other external database.

Have you created authorization rules that specify the privileges or permissions that are granted to authenticated users? These rules can be based on attributes such as user groups, network device type, and time of day.

 

Best regards

Of course. RSA has been configured and added to the device admin policy. If you read my initial post, you will see that, and that I state this part works correctly. However, the authorization part fails, because it says it cannot find the user in the identity store, despite finding it in the authentication profile and validating my credentials when I entered them.

What I need to know is how to get the authorization part to work correctly in the device admin policy set.

As you can see here, when I enter my RSA username and passcode, it is successful.

  • "A session is established with the RSA SecurID Server - RSA "
  • "Check passcode operation succeeded - RSA SecurID"
  • "User authentication has succeeded - RSA"

However, the authorization fails

15013 Selected Identity Source - RSA SecurID
22056 Subject not found in the applicable identity store(s)

I have got TACACS working using Cisco AD. However, this is for RSA, and so far I cannot get it to work the same as AD does.

Could you share the detailed authentication report from ISE? Also, share the screenshot of the authentication and authorization policy that it should hit such that the options part of the authentication policy is visible.

Hi,

I managed to get this working now by changing the options for "if user not found" to "continue". What I don't understand is: if it finds my user in RSA and authenticates me using my passcode, why does it then say user not found in identity store?

Thanks
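An added example, not from the thread or from Cisco: a small Python triage script that parses the step lines of the two ISE reports quoted above (reconstructed here as constructed sample input) and flags the pattern in this post, where authentication passed against the RSA SecurID store and the authorization phase's user lookup in the same store then returned 22056. The function names, verdict strings and sample reports are this example's own assumptions; the two step codes 15013 and 22056 are the ones the thread shows.

```python
"""Added example (not from the thread): triage an ISE TACACS+ device-admin
failure from the step lines in the detailed authentication and authorization
reports. The two sample reports below are constructed from the lines quoted
in the thread; everything else (function names, verdict strings) is this
example's own."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample reports. ISE prints most steps as "<5-digit code> <message>";
# the authentication-phase lines are kept as the thread quoted them (no codes).
AUTH_REPORT = """\
15013 Selected Identity Source - RSA SecurID
A session is established with the RSA SecurID Server - RSA
Check passcode operation succeeded - RSA SecurID
User authentication has succeeded - RSA
"""

AUTHZ_REPORT = """\
15013 Selected Identity Source - RSA SecurID
22056 Subject not found in the applicable identity store(s)
"""

# Step codes that appear in the thread.
SELECTED_IDENTITY_SOURCE = 15013
SUBJECT_NOT_FOUND = 22056

# Optional five-digit step code, then the message; trailing whitespace dropped.
STEP_RE = re.compile(r"^\s*(?:(\d{5})\s+)?(\S.*?)\s*$")


@dataclass
class Step:
    code: Optional[int]
    message: str


@dataclass
class Finding:
    verdict: str
    store: Optional[str]
    detail: str


def parse_steps(report: str) -> List[Step]:
    """Turn a pasted report into Step objects; blank lines are skipped."""
    steps = []
    for line in report.splitlines():
        m = STEP_RE.match(line)
        if m:
            code = int(m.group(1)) if m.group(1) else None
            steps.append(Step(code, m.group(2)))
    return steps


def selected_source(steps: List[Step]) -> Optional[str]:
    """Identity source named by the last 15013 step, e.g. 'RSA SecurID'."""
    source = None
    for s in steps:
        if s.code == SELECTED_IDENTITY_SOURCE and " - " in s.message:
            source = s.message.split(" - ", 1)[1].strip()
    return source


def authentication_passed(steps: List[Step]) -> bool:
    """True when the report carries the 'User authentication has succeeded' step."""
    return any("authentication has succeeded" in s.message.lower() for s in steps)


def diagnose(auth_report: str, authz_report: str) -> Finding:
    """Correlate the two phases of one TACACS+ session (same user, same device).

    Pattern flagged: the passcode check passed against a token server, but the
    authorization phase selected the same store for a user lookup and got 22056.
    """
    auth = parse_steps(auth_report)
    authz = parse_steps(authz_report)
    auth_src = selected_source(auth)
    authz_src = selected_source(authz)
    not_found = any(s.code == SUBJECT_NOT_FOUND for s in authz)

    if not not_found:
        return Finding("authorization-lookup-ok", authz_src,
                       "no 22056 in the authorization report")
    if authentication_passed(auth) and auth_src and auth_src == authz_src:
        return Finding(
            "token-store-lookup-gap", auth_src,
            f"authentication passed in '{auth_src}' but the authorization "
            f"lookup in the same store returned 22056; in the policy set's "
            f"authentication policy options set 'If user not found' to "
            f"Continue, and review the RSA identity-source settings (user "
            f"cache, 'treat rejects as user not found') as the thread suggests")
    return Finding("subject-not-found", authz_src,
                   "22056 without a passed authentication in the same store; "
                   "check that the user exists in that identity source")


if __name__ == "__main__":
    f = diagnose(AUTH_REPORT, AUTHZ_REPORT)
    print(f"{f.verdict} [{f.store}]: {f.detail}")
```

Paste the step lists from the authentication and authorization reports of the same session into `AUTH_REPORT` and `AUTHZ_REPORT` and run it. One caveat on the "Continue" workaround: a token server validates a passcode and does not return group attributes the way AD or LDAP does, so once "If user not found" is set to Continue, the authorization rule that grants the privilege-15 shell profile should be scoped by network device group or username rather than by an identity-store group, or it will never match.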

Seems like ISE is treating rejects from the RSA server as "User not found" due to the configuration below.

(screenshot attached: NancySaini_0-1683393928367.png)

Check on the RSA server why it is sending a reject to ISE.

I checked the RSA logs and it is passing my authentication, and you see that in the ISE TACACS+ live log. I don't believe it is sending rejects. Also, under the RSA config, I do not have it set to treat rejects as "user not found". However, changing the options to continue is allowing me to access the router.

thomas (Cisco Employee)

Show us your actual policy and your actual error message(s).

It is very hard to comment or make suggestions on "authorization fails and says there is no user in the selected identity store".

We don't know what you are doing or how you are doing it. 

See How to Ask The Community for Help 

It's a simple policy. If a switch TACACS+ request is received, then use the RSA identity source. I can see my authentication happening in the RSA logs and passing OK. From there it's then meant to just give me access to priv 15 in the ISE authorization part of the policy. This wasn't working, but now does since I changed the options to "continue" if "user not found".

The error I already posted above; it comes from the authorization report (the authentication report is good and shows successful RSA authentication). The two lines from the error report are:

15013 Selected Identity Source - RSA SecurID
22056 Subject not found in the applicable identity store(s)

Do you need more than that?

 

Added the report.  The authentication showing RSA authentication working fine. The authorization showing user not found but now using advanced options setting to continue.