Cisco ISE - problem with TACACS command sets

lnw-team
Level 1

Hello, 

I've been given a task to provide administrative access for local IT guys so that they are able to execute a limited set of commands. The following TACACS command sets have been configured to achieve that objective:

(attached screenshot lnwteam_0-1719835492782.png: the configured TACACS command sets)

Unfortunately, it does not work the way it's supposed to. After logging in to the device and hitting the appropriate authorization policy, I'm unable to execute the following commands (which is the desired outcome):

- reload
- debug
- traceroute
- show running-config
- configure terminal 

All allowed commands (ping, terminal monitor, terminal no monitor, show interface status, show logging) are working fine. However, I've noticed that other show commands such as "show spanning-tree", "show spanning-tree root", or "show ntp packets" can also be executed although they should be denied. Could anyone explain this? I'll add that I've tried several options with "Deny" and "Deny always".

Thank you in advance!



Arne Bier
VIP

I have a feeling that your IOS device is not performing command authorization, hence, ISE is not getting involved in the command authorization. Can you please share your 

show run | in aaa

Command authorization can be enabled for any and every priv level you give your admins. I always give everyone priv15 because that is needed for a "show run".  Therefore, the command authorization would look like this (my example uses the TACACS+ group "tacacs_group" and the "default" method list ... adjust as necessary to suit your scenario)

aaa authorization commands 15 default group tacacs_group if-authenticated


Hello,

In my case it's slightly different. It looks like this:

aaa authorization commands 15 default local group TACACS if-authenticated

Do you think it might be the cause of the issue?

Yes - if you use the built-in help (question mark) you can see that the "local" is not correct

switch(config)#aaa authorization commands 15 default ?
  cache             Use Cached-group
  group             Use server-group.
  if-authenticated  Succeed if user has authenticated.
  local             Use local database.
  none              No authorization (always succeeds).

We don't want to perform command authorization using local accounts - therefore, assuming your TACACS+ aaa group is called "TACACS" (as your example shows), then change the command to look like this

aaa authorization commands 15 default group TACACS if-authenticated


But I'm also using local accounts as a backup authentication method. Furthermore, I'm wondering why it's working fine for most of the commands. As I mentioned before, I'm unable to execute the "debug", "reload" or "conf t" command. Local authorization should also be enabled as a backup.

Did you also configure "aaa authorization config-commands"?

Been working on a similar implementation and the above command needs to be configured on my network devices (Cisco) for ISE to get granular with authorized commands.

Arne Bier
VIP

@lnw-team - do you see the ISE Command authorization attempts in the ISE TACACS Live Logs?  If not, then check the vty line settings because you also need - e.g.


line vty 0 15
  authorization commands 15 VTY_Name


I also keep forgetting that the IOS exec shell doesn't pass ALL commands to the AAA for evaluation unless you specify the exact priv level used by that command

E.g. show running-config is sent to AAA for eval because it's a priv level 15 command. 

But commands like "show version", "show users" etc. are priv 1 commands.

Therefore you must configure aaa authorization commands in global and line vty for all possible priv levels.

I tested it just now and forgot priv level 1, which is used for show users, etc.

I wish there was a list that showed us which priv level is used for which command.

Your DENY_ALWAYS rule is a dangerous one.  It takes precedence over ALL the other commands, and just because you put it at the end of the rules, doesn't mean it gets executed last - it gets evaluated FIRST! Always ... dangerous command.
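Pulling the device-side pieces from the replies above into one IOS configuration, as an added example that is not from any poster in this thread. It assumes the TACACS+ server group is named TACACS (as in the thread), uses the default method list rather than a named one like VTY_Name, and covers privilege levels 0, 1 and 15; the server name, address and key are placeholders.

```cisco
! Added example (not from the thread): send every command, at every
! privilege level, to ISE for command authorization.
! Server group name "TACACS" is taken from the thread.
aaa new-model
!
! Placeholder server definition: substitute your ISE PSN address and key.
tacacs server ISE-PSN-1
 address ipv4 192.0.2.10
 key <shared-secret-placeholder>
aaa group server tacacs+ TACACS
 server name ISE-PSN-1
!
! Login and exec authorization; "local" here is the fallback used only
! when no TACACS+ server answers, so it is listed after the group.
aaa authentication login default group TACACS local
aaa authorization exec default group TACACS if-authenticated
!
! Command authorization is per privilege level. "show users" and
! "show version" are level 1 commands; "show running-config", "reload",
! "debug" and "configure terminal" are level 15. A level without its
! own line is never sent to ISE, so those commands are silently allowed.
! The TACACS+ group must be the first method; putting "local" first
! makes the switch authorize commands itself and never ask ISE.
aaa authorization commands 0 default group TACACS if-authenticated
aaa authorization commands 1 default group TACACS if-authenticated
aaa authorization commands 15 default group TACACS if-authenticated
!
! Without this, commands typed inside configuration mode bypass
! command authorization entirely.
aaa authorization config-commands
!
! The default list already applies to every line; naming it on the
! vty lines makes the intent visible and mirrors the named-list form.
line vty 0 15
 authorization exec default
 authorization commands 0 default
 authorization commands 1 default
 authorization commands 15 default
!
! Verify on the switch with:   show run | include aaa
! Then, in ISE, Operations > TACACS > Live Logs should show one
! command authorization entry for each command typed in the session.
```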