04-22-2024 12:07 AM
Hello,
I have a problem with applying policies from CiscoISE 3.2 on a switch C3750. It simply doesn't stop the unauthenticated users from logging in to the switch, nor does it prevent commands that are forbidden by the created policy.
In Live Logs I can see that CiscoISE recognizes the not-allowed attempt, it gives a red status and describes that authentication (or authorization) failed, but I can still do whatever I want on the switch.
As you can see, it throws "Command failed to match a Permit rule" but the switch executes it anyway. Same with the "INVALID" identity, it fails to authenticate, but the switch lets it log in successfully...
Could you please give me advice on what could be misconfigured when it acts like this.
TIA
04-23-2024 01:45 AM
Thanks for that. The "INVALID" users in the logs can be disclosed by changing "Disclose invalid usernames" under Administration > System > Settings > Security Settings > Disclose invalid usernames to always or for a limited amount of time.
No debugs returned at all? If you are connected to the switch via SSH then please issue the command "terminal monitor" to replicate the output to the screen and share any debug output.
I am kinda running out of ideas here, my gut feeling is that this switch is not performing TACACS operations correctly. Or, as mentioned previously, it could be that the switch for some reason keeps losing the connection with ISE and accordingly falls back to the local database for both authentication and authorization.
One thing you can do to test this would be to remove the "local" keyword for TACACS and see if the behaviour would still be the same. If so, I would say the switch is hitting a software bug; if not, then it would be related to some communication issues with ISE. However, please make sure that you have at least console access and that it is configured with the local database, otherwise you might lock yourself out and have to reload the switch before you get access to it. Alternatively you can schedule a reload before you apply any changes. But let's first try to get to the bottom of this by relying on TACACS debugs and see if we get anything.
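As an added example (not posted by anyone in this thread), this is the kind of IOS AAA configuration the fallback discussion above is about: the vty lines authenticate and authorize commands against ISE with local fallback, while the console stays on the local database so that removing "local" for the test cannot lock you out. The server address, shared secret, list names and local password are placeholders.

```cisco
! Added example, not from this thread. 192.0.2.10 and the secrets are placeholders.
aaa new-model
!
! TACACS+ server (ISE PSN); legacy "tacacs-server host" syntax as found on older C3750 trains
tacacs-server host 192.0.2.10 key REPLACE_WITH_SHARED_SECRET
tacacs-server timeout 5
aaa group server tacacs+ ISE-TACACS
 server 192.0.2.10
!
! Console: local database only, so it survives any TACACS test or misconfiguration
aaa authentication login CONSOLE local
aaa authorization exec CONSOLE local
!
! VTY: ISE first, local only if ISE does not answer at all.
! IOS only moves to the next method on an ERROR (no reply), never on a FAIL (deny),
! so a command ISE denies but the switch still runs means the switch did not
! actually get an answer from ISE (and fell back) or the list is not applied to the line.
aaa authentication login VTY group ISE-TACACS local
aaa authorization exec VTY group ISE-TACACS local
aaa authorization commands 1 VTY group ISE-TACACS local
aaa authorization commands 15 VTY group ISE-TACACS local
aaa authorization config-commands
aaa accounting commands 15 default start-stop group ISE-TACACS
!
! Test step from the thread: drop "local" on the VTY lists only, for example
!   aaa authorization commands 15 VTY group ISE-TACACS
! If denied commands still execute, suspect the switch software; if sessions now
! fail instead, suspect reachability or the shared secret between switch and ISE.
!
username admin privilege 15 secret REPLACE_WITH_LOCAL_PASSWORD
!
line con 0
 login authentication CONSOLE
 authorization exec CONSOLE
line vty 0 15
 login authentication VTY
 authorization exec VTY
 authorization commands 1 VTY
 authorization commands 15 VTY
 transport input ssh
!
! Verification on the switch (run "terminal monitor" first on an SSH session):
!   show tacacs
!   show aaa servers
!   debug tacacs
!   debug aaa authentication
!   debug aaa authorization
```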
04-22-2024 07:30 AM - edited 04-22-2024 07:47 AM
Access the device and then "show privilege", check which privilege level the user is in.
Also, in authentication under the policy set, there is an option; can you mention which selection you use for unknown user? The ISE live logs show that the user is not found in the internal identity DB; can you share the selection and action of default authorization in ISE?
MHM
04-23-2024 12:01 AM
LAB_SW_2.20#sh privilege
Current privilege level is 15
Q: The ISE live logs show that the user is not found in the internal identity DB; can you share the selection and action of default authorization in ISE?
A: I've answered in the previous post just above: there is one user created on the switch that is not added to ISE, so it throws "user is not found in internal identity db".
04-23-2024 03:15 AM
It seems that I've found a problem.
In CiscoISE Administration>Network Devices>selected device> Edit > TACACS Authentication Settings
"Legacy Cisco Device" should be checked. I had the other one configured and it didn't work.
Pictures below:
Now, an unregistered user gets the message:
login as: admin
Keyboard-interactive authentication prompts from server:
| Password:
End of keyboard-interactive prompts from server
Access denied
And unauthorized commands get the note:
LAB_SW_2.20#conf t
Command authorization failed.
All that is followed by the adequate status in CiscoISE Live Logs.
Thank You all for participating in troubleshooting!
04-23-2024 03:43 AM
Thanks a lot for updating us
Have a nice day
MHM