Cisco Device admin policy set using RSA as external ID source

stuartcross
Level 1

Trying to configure a device admin policy set for TACACS plus, using RSA to authenticate. I can get the authentication to work and I see ISE talking to RSA in the TACACS logs and authenticating OK; however, the authorization fails and says there is no user in the selected identity store. How can I configure the authorization part of the policy?

Thanks

23 Replies

Kindly download the complete report for the working and non-working scenarios and attach it, as screenshots of the report alone will not help much. Also attach the complete authentication and authorization policy details for the matching policy.

Hi, the TACACS reports do not give you any detailed information. Only a CSV outlining the attempts and if they failed or passed. Is there a way I can download the detailed report?

Also, just to add, this does not happen if I use AD as the external ID source. Only when using RSA, so maybe a symptom of using RSA as the external ID source, as it doesn't share the username with ISE, unlike AD?

You need to press CTRL+P to print the report. Also need to see the AuthC and AuthZ policies configured for this authentication.

Hi, I'm slightly uncomfortable about posting our policy on a public forum. Is there a more secure method?

Try to enable the user cache under the RSA config and let us know the result. Suspecting that it could be the below issue as well:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvz88188

But until the runtime, nsf and nsf-session debug logs are seen, this cannot be confirmed.

Do you mean identity caching under RSA_Secure ID Identity source?

Yes, that's right.

Thank you for your time on this. Changing this setting has allowed me to successfully log onto a Cisco device now using RSA, without needing to use the advanced "continue" if user not found option! Many thanks.
