1275 Views · 0 Helpful · 7 Replies

ISE 2.4 TACACS Internal User store - users selection

startx001 (Level 1)

Hi ,

I use the Internal store for TACACS users, and some number of VPN users are there also.

In the Authentication policy for TACACS, when it is selected to use the Internal store, is there any way to divide TACACS users from VPN users?

I know it can be done for authorization using different groups, but there is no option in the authentication section, or am I missing something?

 

Thanks

VZ

2 Accepted Solutions

Surendra (Cisco Employee)
Nope. No other way to discriminate until after the user is authenticated. The same goes with RADIUS as well.


Hi,

 

Is your concern related to using the same ID store for both RADIUS/TACACS?

If the user store has both RADIUS/TACACS+ users, you can use the authorization policy to make sure the user is part of a certain group, etc., and allow access. I am hoping that the users have only one set of credentials per user. If users have multiple credentials in the same ID store, then that needs to be looked at as to why you need this. That is outside the scope of this discussion.

 

When the user authenticates, based on the incoming request, the services use these stores. The type of protocol for the VPN tunnel you use needs to be defined in the VPN device. For regular VPN authentication, RADIUS is used. So the users can be authenticated as long as they are available in the datastore.

 

Also, just because you authenticate does not mean you get access. You need to allow access based on authorization rules and send the right set of attributes back to the VPN for ACLs. By default it is set to deny access.

 

For TACACS+ you need to authorize the shell and commands. Only then does the user get access; otherwise access is denied.

So you can control access based on the authorization policies. As mentioned here, authentication verifies credentials, and if your user store has that credential and it is valid, then authentication will succeed.

 

ISE has a set of stores it uses for both RADIUS and TACACS+. It does not make sense to use different stores for different services, since we need to support the stores in general for all services ISE supports.

 

Please check out the ISE device administration deployment guide for further information on the best practices to configure these.

https://community.cisco.com/t5/security-documents/cisco-ise-device-administration-prescriptive-deployment-guide/ta-p/3738365

 

Hope this clarifies.

 

Thanks

Krishnan

 


7 Replies


Hi,

Any plan to implement it in a future release?

To match internal and/or external groups?

 

KR

VZ

This is not quite true; you discriminate by creating unique policy sets. For VPN we usually use RADIUS. You can use the VPN 3000 tunnel group name attribute to know exactly what tunnel group the user is connecting to, i.e. employees vs. vendors as an example. Each policy set has its own authentication section. You should be developing policy sets to match your individual use cases.

Hi Paul,

Yes, I know that and I'm using it with no issue.

But look at the picture.

When I have a few users in the Internal store, and a few of them are intended to use VPN, what stops them from using TACACS and performing authentication?

I can't match the exact user group in the TACACS authentication process, and it is a security flaw for me. (I can match only the TACACS protocol, etc.)

 

[image: 3.jpg]

Ahh, I see what you are saying. Then no, you can't do anything in authentication. As the phase name implies, ISE is doing authentication only. That phase simply validates that the credentials are correct. This is true in any part of ISE. The authorization phase is where you authorize who and what type of access the user can have.


Surendra (Cisco Employee)

Those attributes will allow you to choose different authentication policies or policy sets, but when the user has to be looked up in the internal store, you cannot stop ISE from looking at all the internal users.
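The following is an added example written for this page, not Cisco code and not a description of ISE internals; it is a small Python model of the flow the thread describes. Request attributes (a constructed `protocol` field and a constructed `tunnel_group` field standing in for the tunnel-group attribute Paul mentions) select a policy set; the authentication phase checks credentials against the whole shared internal store, so a VPN-only user presenting valid credentials over TACACS+ does authenticate; the authorization phase then decides access by group membership and falls to default deny. All users, groups, passwords and rule names are constructed. The `authn_ok_authz_denied` helper picks out exactly the "authenticated but denied" outcomes, which is the pattern a defender would want to watch for in the live logs.

```python
"""Toy model of policy-set selection, authentication and authorization (added example)."""
from dataclasses import dataclass
import hashlib
import hmac
import os


def _derive(password: str, salt: bytes) -> bytes:
    # Constructed credential hashing for the model; ISE's storage format is not modelled.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass(frozen=True)
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    groups: frozenset


class InternalStore:
    """One identity store shared by every policy set, as the thread explains."""

    def __init__(self):
        self._users = {}

    def add_user(self, name, password, groups):
        salt = os.urandom(16)
        self._users[name] = User(name, salt, _derive(password, salt), frozenset(groups))

    def authenticate(self, name, password):
        """Credential check only: no group membership is consulted here."""
        user = self._users.get(name)
        if user is None:
            return None
        return user if hmac.compare_digest(_derive(password, user.salt), user.pw_hash) else None


@dataclass(frozen=True)
class PolicySet:
    name: str
    matches: object      # callable(request) -> bool, selects the policy set
    authz_rules: tuple   # ((rule_name, callable(user, request) -> bool, result), ...)


def build_policy_sets():
    # Constructed policy sets: device admin over TACACS+, employee VPN over RADIUS.
    tacacs = PolicySet(
        "Device Admin (TACACS+)",
        lambda r: r["protocol"] == "TACACS+",
        (("NetAdmins shell", lambda u, r: "NetAdmins" in u.groups,
          {"shell": True, "privilege": 15}),),
    )
    vpn_employees = PolicySet(
        "VPN Employees (RADIUS)",
        lambda r: r["protocol"] == "RADIUS" and r.get("tunnel_group") == "employees",
        (("Employee VPN", lambda u, r: "VPN_Users" in u.groups, {"acl": "employee-acl"}),),
    )
    return (tacacs, vpn_employees)


def evaluate(store, policy_sets, request):
    """Select a policy set, authenticate against the whole store, then authorize by rule."""
    outcome = {"policy_set": None, "authenticated": False, "authorized": False, "result": {}}
    policy = next((p for p in policy_sets if p.matches(request)), None)
    if policy is None:
        return outcome                      # no matching policy set: nothing is granted
    outcome["policy_set"] = policy.name
    user = store.authenticate(request["username"], request["password"])
    if user is None:
        return outcome                      # authentication failed
    outcome["authenticated"] = True         # valid credentials, whatever the user's groups
    for rule_name, condition, result in policy.authz_rules:
        if condition(user, request):
            outcome["authorized"] = True
            outcome["result"] = dict(result, rule=rule_name)
            return outcome
    outcome["result"] = {"rule": "Default", "access": "deny"}   # default deny
    return outcome


def authn_ok_authz_denied(outcomes):
    """Outcomes where credentials were valid but authorization fell to default deny."""
    return [o for o in outcomes if o["authenticated"] and not o["authorized"]]


def demo():
    store = InternalStore()
    store.add_user("alice", "alice-pass", ["VPN_Users"])    # constructed VPN-only user
    store.add_user("bob", "bob-pass", ["NetAdmins"])        # constructed network admin
    sets = build_policy_sets()
    requests = [  # constructed requests
        {"protocol": "TACACS+", "username": "alice", "password": "alice-pass"},
        {"protocol": "TACACS+", "username": "bob", "password": "bob-pass"},
        {"protocol": "RADIUS", "tunnel_group": "employees",
         "username": "alice", "password": "alice-pass"},
        {"protocol": "TACACS+", "username": "alice", "password": "wrong"},
    ]
    return [evaluate(store, sets, r) for r in requests]


if __name__ == "__main__":
    for o in demo():
        print(o)
```

Running `demo()` shows the point of the thread in one pass: alice authenticates over TACACS+ because her credentials are valid in the shared store, but gets the default deny because no authorization rule in that policy set matches her group, while the same credentials on the employee VPN policy set are authorized. The only place the VPN-only user is stopped is the authorization rule, so that rule, and the "authenticated but denied" events it produces, are what to configure and monitor.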