03-11-2022 02:36 AM
Hello,
I need to configure authorization and authentication for particular AD groups on Cisco Nexus devices. Now I've configured LDAP integration and I can retrieve groups from AD, but I can't find the way that users from these groups could be allowed access to network devices.
I suppose that I need to configure Device Admin Policy Sets, but I don't know the right way to do this. Now only Cisco ISE local users which were created in the Identities >> Network Access Users section can be authorized and can authenticate to network devices; on the Cisco switches I've configured TACACS.
03-20-2022 04:28 PM
With Device Admin (TACACS+), I typically use separate Device Admin Policy Sets for each distinct device type (switches/routers, WLCs, Firewalls, etc), so there is not much value in creating a unique AuthC Policy with a simple condition like 'Network Access - Protocol = TACACS+'
Instead, I typically just use the Default AuthC Policy and configure my Identity Source there.
Example:
03-11-2022 04:50 AM
Add an Authorization rule with the conditions being that the authenticated user is a member of the desired group and the result being allowed access at the desired level.
More details can be found here:
...specifically this section:
03-11-2022 05:50 AM
Even though I've done this policy, I can't connect to network devices via SSH by user from this group. And as you see, there are no hits.
03-17-2022 06:45 AM - edited 03-17-2022 06:48 AM
It seems that ISE doesn't try to check the LDAP identity source, based on the logs; maybe you know something about this issue?
I see these reports when I try to connect to a Cisco device.
And I didn't see it trying to look in the LDAP identity source mgmt.sbcp.ru
13013 Received TACACS+ Authentication START Request
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - DEVICE.Device Type
15041 Evaluating Identity Policy
22072 Selected identity source sequence - All_User_ID_Stores
15013 Selected Identity Source - Internal Users
24210 Looking up User in Internal Users IDStore
24216 The user is not found in the internal users identity store
15013 Selected Identity Source - All_AD_Join_Points
13045 TACACS+ will use the password prompt from global TACACS+ configuration
13015 Returned TACACS+ Authentication Reply
13014 Received TACACS+ Authentication CONTINUE Request
15041 Evaluating Identity Policy
22072 Selected identity source sequence - All_User_ID_Stores
15013 Selected Identity Source - Internal Users
24210 Looking up User in Internal Users IDStore
24216 The user is not found in the internal users identity store
15013 Selected Identity Source - All_AD_Join_Points
24430 Authenticating user against Active Directory - All_AD_Join_Points
24325 Resolving identity - INVALID
24313 Search for matching accounts at join point - msk.sbcp.ru
24366 Skipping unjoined domain - msk.sbcp.ru
24322 Identity resolution detected no matching account
24352 Identity resolution failed - ERROR_NO_SUCH_USER
24412 User not found in Active Directory - All_AD_Join_Points
15013 Selected Identity Source - Guest Users
24631 Looking up User in Internal Guests IDStore
24633 The user is not found in the internal guests identity store
15013 Selected Identity Source - Internal Users
24210 Looking up User in Internal Users IDStore
24216 The user is not found in the internal users identity store
15013 Selected Identity Source - All_AD_Join_Points
24430 Authenticating user against Active Directory - All_AD_Join_Points
24325 Resolving identity - INVALID
24313 Search for matching accounts at join point - msk.sbcp.ru
24366 Skipping unjoined domain - msk.sbcp.ru
24322 Identity resolution detected no matching account
24352 Identity resolution failed - ERROR_NO_SUCH_USER
24412 User not found in Active Directory - All_AD_Join_Points
15013 Selected Identity Source - Guest Users
24631 Looking up User in Internal Guests IDStore
24633 The user is not found in the internal guests identity store
22016 Identity sequence completed iterating the IDStores
22056 Subject not found in the applicable identity store(s)
22058 The advanced option that is configured for an unknown user is used
22061 The 'Reject' advanced option is configured in case of a failed authentication request
13015 Returned TACACS+ Authentication Reply
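As an added example (not code from the thread or from Cisco ISE): a small parser over a constructed subset of the ISE step log above that records which identity stores the sequence actually selected, so you can confirm whether the LDAP store (assumed here to be named mgmt.sbcp.ru) was ever consulted before the "Reject" option fired.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a subset of the ISE step log quoted above, one step per line.
SAMPLE_STEPS = """\
13013 Received TACACS+ Authentication START Request
22072 Selected identity source sequence - All_User_ID_Stores
15013 Selected Identity Source - Internal Users
24216 The user is not found in the internal users identity store
15013 Selected Identity Source - All_AD_Join_Points
24366 Skipping unjoined domain - msk.sbcp.ru
15013 Selected Identity Source - Guest Users
24633 The user is not found in the internal guests identity store
22061 The 'Reject' advanced option is configured in case of a failed authentication request
13015 Returned TACACS+ Authentication Reply
"""

STEP_RE = re.compile(r"^(\d{5})\s+(.*)$")  # "<step code> <message>"

@dataclass
class AuthTrace:
    sequence: Optional[str] = None                 # identity source sequence ISE chose
    sources_tried: List[str] = field(default_factory=list)  # stores actually selected
    unjoined_domains: List[str] = field(default_factory=list)
    rejected: bool = False

def parse_steps(text: str) -> AuthTrace:
    """Walk the ISE step codes and record which identity stores were consulted."""
    trace = AuthTrace()
    for line in text.splitlines():
        m = STEP_RE.match(line.strip())
        if not m:
            continue
        code, msg = m.groups()
        detail = msg.split(" - ", 1)[-1]  # text after the " - " separator, if any
        if code == "22072":               # sequence selected by the AuthC policy
            trace.sequence = detail
        elif code == "15013" and detail not in trace.sources_tried:
            trace.sources_tried.append(detail)
        elif code == "24366":             # AD join point that ISE skipped
            trace.unjoined_domains.append(detail)
        elif code == "22061":             # "Reject" option for unknown users fired
            trace.rejected = True
    return trace

def missing_sources(trace: AuthTrace, expected: List[str]) -> List[str]:
    """Expected identity stores (e.g. the LDAP server) that the sequence never selected."""
    return [s for s in expected if s not in trace.sources_tried]
```

If the LDAP store name comes back from missing_sources, the identity source sequence bound to the AuthC policy simply does not contain it, which matches what the log above shows.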
03-17-2022 07:49 AM
Ok, I realize that I should create an Authentication policy with my LDAP "mgmt.sbcp.ru".
But when I try to save the policy, an error occurs.
What condition should I use in this policy?
03-18-2022 02:42 AM