ISE AAA TACACS+ authentication with NX-OS and IOS - My policy set appears to accept one or the other

RAMAN AZIZIAN
Level 1

Hello everyone,

I can't seem to figure out the logic behind the policy set to authenticate and authorize my users based on the privilege and device type. Sorry for the lengthy description.

I have a couple of ISE 3615 appliances, running version 2.6. Only one of the appliances is configured. Planning on configuring the second one later.

In my network I have multiple Catalyst 9300/9500 and Nexus 9300 switches. They are all happy and have L3 reachability, and I am currently using local accounts on each one of them.

My ISE-T1 is configured and joined to my domain successfully. It is running all the personas.

I have two user group OUs that I have pulled down.

Domain User - (The users in this OU will have limited read-only access)

Domain Admin - (The users in this OU will have full R/W access)

I have created the following TACACS command set profiles:

AD-NXOS-Admin

AD-NXOS-Op (Can issue the following commands: show int status, show vpc brief, sho run, etc)

AD-IOS-Admin

AD-IOS-Op (Can issue the following commands: show int status, sho ip int b, sho run, etc)

I have also created the following TACACS Profiles

AD-NXOS-Admin-shell

AD-NXOS-Op-shell

AD-IOS-Admin-shell

AD-IOS-Op-shell

The problem I am running into, and I hope I can explain it clearly, is that the Device Admin policy sets I create appear to only accept the first two rules, and it doesn't matter if I have specific ones for each type of user (NXOS or IOS).

Here's the Policy set: There are two of them:

AD-NXOS-ACCESS : DEVICE:Device Type EQUALS All Device Types#Cisco NX-OS : Default Device Admin >

AD-IOS-ACCESS : DEVICE:Device Type EQUALS All Device Types : Default Device Admin >

Now the configs for authentication and authorization for each one:

This is for the IOS devices

Authentication policy (1) - It points to my my.AD

Authorization policy (3)

AD-IOS-ADMIN - my.AD.ExternalGroups EQUALS my.AD/Users/Domain Admins - AD-IOS-Admin - AD-IOS-Admin-shell

AD-IOS-Operator - my.AD.ExternalGroups EQUALS my.AD/Users/Domain Users - AD-IOS-Op - AD-IOS-Op-Shell

Default - DenyAllCommands

This is for the NX-OS devices

Authentication policy (1) - It points to my my.AD

Authorization policy (3)

AD-NXOS-ADMIN - my.AD.ExternalGroups EQUALS my.AD/Users/Domain Admins - AD-NXOS-Admin - AD-NXOS-Admin-Shell

AD-NXOS-Operator - my.AD.ExternalGroups EQUALS my.AD/Users/Domain Users - AD-NXOS-Op - AD-NXOS-Op-shell

Default - DenyAllCommands

Even though I have two separate policies in the Policy Sets, it seems that I only use the AD-IOS-Admin or AD-IOS-Op and not the Nexus specific.

I am able to successfully login as Operator User to IOS device and issue the limited commands.

I am able to successfully login as Admin to both NXOS and IOS switches and I have full access to everything.

I am able to successfully login as Operator user to NXOS, but I can't issue any show commands as I have listed.

When I looked at the Operations logs under TACACS+, I noticed only the IOS policies were being used even though I was logging into the NX-OS switches.

I guess I am trying to figure out what logic (AND / OR) I need to put in my policy to distinguish and forward to specific rules.

Be glad to provide any other info if needed.

Thank you kindly for reading and providing feedback.

Raman Azizian


2 Accepted Solutions

Mike.Cifelli
VIP Alumni
IMO you have a couple of options to accomplish what you are trying to do. One of those options would be to group devices by device type (This can be found here: Administration->Network Resources->Network Device Groups). Then use DEVICE: Device Type as an additional authz condition. Essentially you would group your IOS NADs in one group and your NX-OS devices in another and rely on that group condition to steer policy that way. HTH!


Adding to the above, on Nexus we prefer to have role-based access instead of command authorization.

Although command authorization via TACACS is allowed on the Nexus, command authorization disables user role-based authorization control (RBAC), including the default role.

Do not use "Default Shell Profile"; instead create a new shell profile to be used for Nexus devices.

New shell profile > Task Attribute View > Go to "Common Task Type" > Nexus. Set attributes as "mandatory": Network Role "Administrator (Read Write)" and VDC Role "Administrator (Read Write)".

Once saved, you will see the profile attributes below under raw view:

shell:roles="network-admin vdc-admin"

shell:roles="network-operator vdc-operator" >>> This will appear if you select the operator read-only role.
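To see why a Nexus that is still sitting in the generic "All Device Types" group lands in the catch-all IOS policy set, and how assigning it to the NX-OS device-type group steers it to the right rules and shell profile, here is an added Python model of the two answers above (it is not part of the thread and not ISE code). The top-down, first-match evaluation and the hierarchical "parent group matches its children" behaviour are assumptions of the model; the NAD names are constructed.

```python
# Added model of ISE Device Admin policy-set and authorization-rule selection.
# Policy, group and profile names are taken from the thread; matching semantics
# (top-down, first match, hierarchical device groups) are a simplifying assumption.

def in_group(device_group, condition_group):
    """Hierarchical match: a condition on a parent group also matches its sub-groups."""
    return device_group == condition_group or device_group.startswith(condition_group + "#")

# Policy sets in the order ISE would evaluate them. The IOS set's condition is the
# root "All Device Types", so it matches every NAD the NX-OS set does not claim.
POLICY_SETS = [
    ("AD-NXOS-ACCESS", "All Device Types#Cisco NX-OS",
     {"Domain Admins": ("AD-NXOS-Admin", "AD-NXOS-Admin-Shell"),
      "Domain Users":  ("AD-NXOS-Op", "AD-NXOS-Op-shell")}),
    ("AD-IOS-ACCESS", "All Device Types",
     {"Domain Admins": ("AD-IOS-Admin", "AD-IOS-Admin-shell"),
      "Domain Users":  ("AD-IOS-Op", "AD-IOS-Op-Shell")}),
]

# Raw shell-profile attributes from the second accepted answer (Nexus RBAC roles).
NEXUS_ROLES = {
    "AD-NXOS-Admin-Shell": 'shell:roles="network-admin vdc-admin"',
    "AD-NXOS-Op-shell": 'shell:roles="network-operator vdc-operator"',
}

def authorize(device_group, ad_group):
    """Return (policy set, command set, shell profile); DenyAllCommands on fall-through."""
    for name, condition, rules in POLICY_SETS:
        if in_group(device_group, condition):
            if ad_group in rules:
                command_set, profile = rules[ad_group]
                return name, command_set, profile
            return name, "DenyAllCommands", None   # the policy set's Default rule
    return None, "DenyAllCommands", None           # no policy set matched at all

if __name__ == "__main__":
    # Constructed NADs: one Nexus left in the root group, one assigned to the NX-OS group.
    nads = [("nexus-unassigned", "All Device Types"),
            ("nexus-assigned", "All Device Types#Cisco NX-OS")]
    for nad, group in nads:
        policy_set, command_set, profile = authorize(group, "Domain Users")
        roles = NEXUS_ROLES.get(profile, "(no NX-OS roles pushed)")
        print(f"{nad:17} -> {policy_set}, {command_set}, {profile}, {roles}")
```

The unassigned Nexus is matched by AD-IOS-ACCESS and receives the IOS operator command set with no NX-OS roles, which is exactly what the TACACS+ live log in the question shows; the assigned one gets the NX-OS operator profile.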


4 Replies


Hello Poongarg,

I took your suggestion and I set Mandatory to both admin RBAC and Operator RBAC.


I also used Mike's suggestion for separation of the devices to further differentiate and steer the connection to the correct policy.

Now it's time to go figure out how HA works and what all I need to do to make that work.

Thank you again to both of you for helping me solve this problem.

Cheers,

Raman


Hello Mike,

Thank you for your suggestion; I'm now able to allow specific access based on the RBAC and user access.

I created two groups

IOS-Devices

NXOS-Device