09-03-2021 09:33 AM - edited 09-04-2021 03:37 PM
Hi guys,
I feel like it's a noob question but my understanding always was that there should be a separate TACACS+ authorization request which is not blended into an Authentication packet:
Please can you educate me, and point me to the correct KB?
Thanks,
myky
Solved! Go to Solution.
Accepted Solutions
09-03-2021 10:14 AM
You are right. NAD sends two separate requests for authen and author. ISE
evaluates the authorization profile part of the policy set to put the user in the
right shell (priv). Further command authorization is sent in separate
requests and evaluated against authorization policies if any.
Hope this helps.
***** please remember to rate useful posts
09-03-2021 10:35 AM - edited 09-05-2021 01:55 PM
Hello,
Thanks for your reply, and I think I got it now.
So basically, you will have to have shell access in the first place when authenticated, and for that to be allowed, you will have to have an explicit Authorization policy (which gets evaluated during the auth).
Then command authorization, as you mention (if configured), where another user group and authorization policy lookup happens and is logged by ISE as a separate Authorization lookup log.
Is my understanding correct?
Thanks,
myky
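The two lookups described above (shell authorization at login, then a separate authorization request per command) as an added Python model; this is not code from the thread or from Cisco ISE. It encodes and decodes an unobfuscated TACACS+ authorization REQUEST using the RFC 8907 layout and applies a constructed policy; the user names, the policy, the port/remote address and the session id are assumptions.

```python
import struct

# Header packet types and flags from the TACACS+ spec (RFC 8907)
TAC_PLUS_AUTHEN, TAC_PLUS_AUTHOR, TAC_PLUS_ACCT = 0x01, 0x02, 0x03
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_AUTHOR_STATUS_PASS_ADD, TAC_PLUS_AUTHOR_STATUS_FAIL = 0x01, 0x10

def build_author_request(user, args, priv_lvl=1, port="tty1", rem_addr="10.0.0.5"):
    """Encode an authorization REQUEST (12-byte header + body); body left unobfuscated."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    a = [x.encode() for x in args]
    # authen_method=TACACS+ (0x06), authen_type=ASCII (0x01), authen_service=LOGIN (0x01)
    body = struct.pack("!8B", 0x06, priv_lvl, 0x01, 0x01, len(u), len(p), len(r), len(a))
    body += bytes(len(x) for x in a) + u + p + r + b"".join(a)
    # version 0xC0 (major 12, minor 0), seq_no 1, constructed session id 0x1234
    hdr = struct.pack("!4BII", 0xC0, TAC_PLUS_AUTHOR, 1, TAC_PLUS_UNENCRYPTED_FLAG, 0x1234, len(body))
    return hdr + body

def parse_author_request(pkt):
    """Decode the packet; the header's type byte is what separates AUTHOR from AUTHEN."""
    _ver, ptype, _seq, flags, _sid, length = struct.unpack("!4BII", pkt[:12])
    assert ptype == TAC_PLUS_AUTHOR and flags & TAC_PLUS_UNENCRYPTED_FLAG
    body = pkt[12:12 + length]
    _m, priv_lvl, _t, _s, ul, pl, rl, argc = struct.unpack("!8B", body[:8])
    arg_lens = list(body[8:8 + argc])
    off = 8 + argc
    user = body[off:off + ul].decode()
    off += ul + pl + rl  # skip port and rem_addr
    args = []
    for n in arg_lens:
        args.append(body[off:off + n].decode())
        off += n
    # mandatory '=' separator only; a repeated key such as cmd-arg keeps its last value
    return {"user": user, "priv_lvl": priv_lvl, "args": dict(x.split("=", 1) for x in args)}

# Constructed policy: admins get priv 15 at login, everyone else may only run "show"
ADMIN_USERS = {"alice"}
ALLOWED_CMDS = {"show"}

def evaluate(req):
    """Mirror the two lookups: exec (shell) authorization, then per-command authorization."""
    args = req["args"]
    if args.get("service") != "shell":
        return TAC_PLUS_AUTHOR_STATUS_FAIL, {}
    if args.get("cmd", "") == "":  # exec start: decide the privilege level of the shell
        lvl = 15 if req["user"] in ADMIN_USERS else 1
        return TAC_PLUS_AUTHOR_STATUS_PASS_ADD, {"priv-lvl": str(lvl)}
    if req["user"] in ADMIN_USERS or args["cmd"] in ALLOWED_CMDS:  # command authorization
        return TAC_PLUS_AUTHOR_STATUS_PASS_ADD, {}
    return TAC_PLUS_AUTHOR_STATUS_FAIL, {}
```

Each call to `evaluate` handles one authorization packet, which is why ISE logs the exec decision and every command decision as separate authorization records.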
09-03-2021 11:33 AM
Hi @mykys,
for a better understanding, please take a look at: Cisco ISE Device Administration Prescriptive Deployment Guide.
Hope this helps !!!
09-03-2021 05:27 PM
**** please remember to rate useful posts
