Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2975
Views
10
Helpful
7
Replies

ISE - AD & Internal User Access for the same device

Go to solution
robad
Level 1
Level 1

‎07-31-2021 11:18 PM

Hi Team,

I'm having some issue that I'm  almost sure that I've succeeded with it in the past.

 

We have a device type "x", and we want the following thing :

 

1. Admins user [an AD group] - will have privilege 15

2. Internal User "user" - will be able to run only specific command [we've created the command set "command"]

 

I can't find/think on a way, that in the same "Device Admin Policy Set"

 

What Am I doing wrong ? and how can I solve it please 

 

Thanks in advance

Labels:
1 Accepted Solution

Accepted Solutions

Go to solution
Amine ZAKARIA
Spotlight
Spotlight

‎08-01-2021 09:18 AM

Hello,

From my understanding you want on the same policy to authenticate and differentiate the authorization between AD Users and ISE Internal Users.(The AD User should not be the same as the ISE internal User).

First you need to create an Identity Source Sequence (Administration Identity -> Identity Management -> Identity Source Sequences)

 

IIS.JPG

 

Under the Authentication Policy choose the Identity sequence you have created :

IIS.JPG

And under Authorization policy should be like this :

IIS.JPG

View solution in original post

0 Helpful
7 Replies 7

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎08-01-2021 03:33 AM

You need to look command set :

 

Work Centers > Device Administration > Policy Results > TACACS Command Sets

 

below document help you : (Let us know if this is not the case or am I miss understood your requirement ?)

 

https://ciscocustomer.lookbookhq.com/iseguidedjourney/ISE-device-admin

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
robad
Level 1
Level 1
In response to balaji.bandi

‎08-01-2021 04:36 AM

Hi, and thanks for your reply.

 

But, It's not what I've asked for.

We already have a command set for the internal user.

 

We need that for the same device, there will be an option the users from External ID Source [AD] and Internal ISE Users will be able to login. 

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to robad

‎08-01-2021 05:25 AM

Personally, I do not believe that Device can do both, there is only Option First one, and if that fails to the second one.

 

Identity Source Sequence that will contain  AD groups and if needed any local accounts on ISE (in the event that AD can’t be  reachable or failed, you have a local ISE account to log into your equipment).

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
Amine ZAKARIA
Spotlight
Spotlight

‎08-01-2021 09:18 AM

Hello,

From my understanding you want on the same policy to authenticate and differentiate the authorization between AD Users and ISE Internal Users.(The AD User should not be the same as the ISE internal User).

First you need to create an Identity Source Sequence (Administration Identity -> Identity Management -> Identity Source Sequences)

 

IIS.JPG

 

Under the Authentication Policy choose the Identity sequence you have created :

IIS.JPG

And under Authorization policy should be like this :

IIS.JPG

0 Helpful

Go to solution
robad
Level 1
Level 1
In response to Amine ZAKARIA

‎08-02-2021 12:03 AM

Hi Amine 

Thanks ! It's getting closer for solution.


Now I'm able to login with both AD user & Internal User

 

But, for some reason, the Command Sets are not taking any effect. i.e, the users can login but they have priv 15, and not only the "clear line" command set...

Do you have any Idea why ?

 

BTW - 

In other Policy Sets it's working. the "users" can login and get only "clear line" command set, and admins getting all command.

The only change is that in the other Policy Sets, the "users" are from the same Identity Source as the admins  [AD].

 

Attached the Policy Set + The TACACS Log

policy set.PNGtacacas log.PNG

Go to solution
robad
Level 1
Level 1
In response to robad

‎08-02-2021 12:37 AM

*********

Update

*********

 

IT IS WORKING !

 

I've noticed that something is wrong only with a specific Terminal Server.

There was one command that was missing :

 

aaa authorization commands 15 default local group tacacs+

 

and that's it now it's working !

thanks 

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to robad

‎08-02-2021 02:43 AM 

aaa authorization commands 15 default local group tacacs+

Sure this make sense - this  will do first Local and TACACS  later.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents