09-26-2019 12:55 PM
I am trying to support device admin access to white-box Linux-based switches, like Cumulus and Edgecore. The switch will send authorization requests first, ISE will fail those and the session then closes. Is there a way to configure ISE to provide an authorization success before an authentication occurs? Currently using tacplus-client on a Debian-based switch.
09-26-2019 10:09 PM
Hi @ssschunk1
I don't believe so. It goes against the logic of TACACS+.
Even if ISE could do that (which I am not sure of), why would anyone even require Authentication as a subsequent step to Authorization?
Side note: You can, however, send Authentication and Authorization events to different PSN nodes and it all works. But ISE ties the events together in the background. However, the NAS has to execute AuthC, then AuthZ - in that order.
09-27-2019 06:55 AM
Thanks for your quick reply. I'm working with the vendor to see what can be done. I tend to agree with you, as all captures I have done from other device vendors are all sending authentication packets as their initial communication. Perhaps this is somewhat unique, as this is the first Linux-based TACACS+ application I have used. Normally, systems have TACACS+ already baked into the platform. This scenario is like pointing a Debian server or Red Hat server to ISE for TACACS+ auth.
09-29-2019 09:35 AM
ISE may accept T+ authorization requests without performing authentications. See this example at Using Two-Factor Authentication Configuration to Combat Cybersecurity Threats -- Guidelines for Deploying Cisco IOS SSH with X.509v3 PIV and CAC Smartcards
11-13-2019 02:28 PM
I thought I would just add a conclusion to this topic.
We are using Cumulus Linux-based switches. This OS sends authorization requests before authentication requests as part of determining if the user should be authenticated. Seems backwards, but I've been told it has to do with the Debian-based tacplus package.
My scenario: we use an RSA/2FA identity source to authenticate a user, then AD to determine authorization access. When ISE 2.4.10 sees an authorization packet before an authentication packet, ISE looks at the authentication policy set to determine what identity source to validate against, and in my case it is RSA. Since no RSA authentication has taken place, there is nothing that ISE can find to validate the user, as RSA is not a searchable DB but purely an authentication process. ISE fails because it cannot validate the user's identity.
My fix/workaround: Essentially, I included AD in the authentication identity source search as a second source. Now when the authorization attempt comes into ISE, it will also search AD and find the user.
I initially thought this might be a bad security risk. When we require 2FA for authentication, I just opened up the possibility to authenticate via AD. The condition for concern is a valid AD user who is also a member of the AD group in the authorization policy. For these Cumulus boxes, that equates to no one. Hope this helps someone else.
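To make the conclusion above concrete, here is an added example (not from the thread, and not tacplus-client's or ISE's own code) that builds and decodes a TACACS+ authorization REQUEST as laid out in RFC 8907, so you can see what the server receives when a switch sends authorization first. The session id, shared key, username, port and arguments are constructed values; the point it shows is that this packet names the user and the requested service but carries no credential, so the server can only look the identity up in a searchable store.

```python
import hashlib
import struct

# RFC 8907 constants used here (taken from the RFC, not from the thread).
TAC_PLUS_AUTHOR = 0x02                  # header type: authorization
TAC_PLUS_MAJOR_VER = 0xC0               # major version 12, minor 0
TAC_PLUS_AUTHEN_METH_TACACSPLUS = 0x06  # how the NAS says the user was authenticated
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01

def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5 keystream from RFC 8907 section 4.5; the body is XORed with it."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def xor(body: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(body, pad))

def build_authz_request(session_id, key, user, port, rem_addr, args, priv_lvl=1):
    """Authorization REQUEST (seq_no 1): identity plus service arguments, no password."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    a = [x.encode() for x in args]
    body = bytes([TAC_PLUS_AUTHEN_METH_TACACSPLUS, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                  TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(a)])
    body += bytes(len(x) for x in a) + u + p + r + b"".join(a)
    # flags = 0 means the body is obfuscated with the shared key
    header = struct.pack("!BBBBII", TAC_PLUS_MAJOR_VER, TAC_PLUS_AUTHOR, 1, 0, session_id, len(body))
    return header + xor(body, pseudo_pad(session_id, key, TAC_PLUS_MAJOR_VER, 1, len(body)))

def parse_authz_request(packet: bytes, key: bytes) -> dict:
    """Decode a captured authorization REQUEST; returns the fields the server sees."""
    version, ptype, seq, flags, sid, length = struct.unpack("!BBBBII", packet[:12])
    if ptype != TAC_PLUS_AUTHOR or seq != 1:
        raise ValueError("not an authorization REQUEST")
    body = xor(packet[12:12 + length], pseudo_pad(sid, key, version, seq, length))
    meth, priv, atype, svc, ul, pl, rl, argc = body[:8]
    arg_lens = list(body[8:8 + argc])
    off = 8 + argc
    fields = {"authen_method": meth, "priv_lvl": priv, "args": []}
    for name, n in (("user", ul), ("port", pl), ("rem_addr", rl)):
        fields[name] = body[off:off + n].decode()
        off += n
    for n in arg_lens:
        fields["args"].append(body[off:off + n].decode())
        off += n
    return fields
```

Decoding a real capture this way needs the NAS shared key; without it the body stays obfuscated.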