12-06-2018 11:02 AM
Hi,
I use the Internal store for TACACS users, and there are also a number of VPN users in it.
In the authentication policy for TACACS, when it is set to use the Internal store, is there any way to separate TACACS users from VPN users?
I know it can be done for authorization using different groups, but there is no option in the authentication section, or am I missing something?
Thanks
VZ
12-06-2018 11:16 AM
12-06-2018 11:19 AM
Hi,
Any plan to implement this in a feature release?
To match internal and/or external groups?
KR
VZ
12-06-2018 11:21 AM - edited 12-06-2018 11:21 AM
This is not quite true; you discriminate by creating unique policy sets. For VPN we usually use RADIUS. You can use the VPN 3000 tunnel group name attribute to know exactly what tunnel group the user is connecting to, i.e. employees vs. vendors as an example. Each policy set has its own authentication section. You should be developing policy sets to match your individual use cases.
12-06-2018 11:29 AM
Hi Paul,
Yes, I know that and I'm using it with no issue.
But look at the picture.
When I have a few users in the Internal store, and a few of them are intended to use VPN, what stops them from using TACACS and performing authentication?
I can't match an exact user group in the TACACS authentication process, and that is a security flaw for me. (I can match only the TACACS protocol, etc.)
12-06-2018 11:36 AM
Ahh, I see what you are saying. Then no, you can't do anything in authentication. As the phase name implies, ISE is doing authentication only. That phase simply validates that the credentials are correct. This is true in any part of ISE. The authorization phase is where you authorize who and what type of access the user can have.
12-06-2018 01:33 PM
Hi,
Is your concern related to using the same ID store for both RADIUS/TACACS?
If the user store has both RADIUS/TACACS+ users, you can use the authorization policy to make sure the user is part of a certain group etc. and allow access. I am hoping that the users have only one set of credentials per user. If users have multiple credentials in the same ID store, then that needs to be looked at as to why you need this. That is outside the scope of this discussion.
When the user authenticates, based on the incoming request, the service uses these stores. The type of protocols for the VPN tunnel you use need to be defined in the VPN device. For regular VPN authentication, RADIUS is used. So the users can be authenticated as long as they are available in the datastore.
Also, just because you authenticate does not mean you get access. You need to allow access based on authorization rules and send the right set of attributes back to the VPN for ACLs. By default it is set to deny access.
For TACACS+ you need to authorize the Shell and command. Only then does the user get access; otherwise access is denied.
So you can control access based on the authorization policies. As mentioned here, authentication verifies credentials, and if your user store has that credential and it is valid, then authentication will succeed.
ISE has a set of stores it uses for both RADIUS and TACACS+. It does not make sense to use different stores for different services since we need to support the stores in general for all services ISE supports.
Please check out the ISE device administration deployment guide for further information on the best practices to configure these.
Hope this clarifies.
Thanks
Krishnan
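The point made by Paul and Krishnan above, as an added example that is not part of the thread or of Cisco ISE itself: a simplified model of ISE's two-phase evaluation with a shared internal store and per-service policy sets. The store contents, group names (NetAdmins, VPNUsers), policy-set names and the tunnel-group attribute key are all constructed assumptions; the model shows that a VPN-only user still passes authentication against the TACACS+ policy set and is stopped only in authorization, which is where a live-log review should look.

```python
# Added example (not from the thread or from Cisco ISE): a simplified model of ISE's
# two-phase evaluation. Authentication only validates credentials against the shared
# store; each policy set's own authorization rules decide access, default deny.
from dataclasses import dataclass, field

# Constructed sample internal identity store: one credential set per user, plus groups.
INTERNAL_STORE = {
    "alice": {"password": "alice-pw", "groups": {"NetAdmins"}},
    "bob":   {"password": "bob-pw",   "groups": {"VPNUsers"}},
}

@dataclass
class Request:
    protocol: str                                # "TACACS+" or "RADIUS"
    username: str
    password: str
    attrs: dict = field(default_factory=dict)    # e.g. tunnel group name (hypothetical key)

# Hypothetical policy sets: a match condition, then ordered (group, profile) authz rules.
POLICY_SETS = [
    {"name": "DeviceAdmin",
     "match": lambda r: r.protocol == "TACACS+",
     "authz": [("NetAdmins", "Shell: priv-lvl 15")]},
    {"name": "RemoteVPN",
     "match": lambda r: r.protocol == "RADIUS" and r.attrs.get("tunnel_group") == "employees",
     "authz": [("VPNUsers", "PermitAccess"), ("NetAdmins", "PermitAccess")]},
]

def authenticate(req):
    """Authentication phase: only checks that the credential exists and is valid."""
    user = INTERNAL_STORE.get(req.username)
    return user is not None and user["password"] == req.password

def evaluate(req):
    """Return (policy_set, auth_result, authz_result), like one live-log row."""
    for ps in POLICY_SETS:
        if ps["match"](req):
            if not authenticate(req):
                return ps["name"], "FAIL", "n/a"
            groups = INTERNAL_STORE[req.username]["groups"]
            for group, profile in ps["authz"]:
                if group in groups:
                    return ps["name"], "PASS", profile
            return ps["name"], "PASS", "DenyAccess"   # authenticated, not authorized
    return None, "n/a", "DenyAccess"                  # no policy set matched

if __name__ == "__main__":
    # bob is VPN-only: his TACACS+ login passes authentication but is denied shell access
    print(evaluate(Request("TACACS+", "bob", "bob-pw")))
    print(evaluate(Request("RADIUS", "bob", "bob-pw", {"tunnel_group": "employees"})))
```

A useful detection query on real ISE logs is the same pattern the model returns for bob: authentication PASS followed by DenyAccess in the device-administration policy set.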