robad
Beginner

ISE - AD & Internal User Access for the same device

Hi Team,

I'm having an issue with something that I'm almost sure I've succeeded with in the past.

 

We have a device type "x", and we want the following thing :

 

1. Admin users [an AD group] will have privilege 15

2. Internal user "user" will be able to run only specific commands [we've created the command set "command"]

 

I can't find/think of a way that, in the same "Device Admin Policy Set",

 

What am I doing wrong, and how can I solve it please?

 

Thanks in advance

balaji.bandi
VIP Master

You need to look at command sets:

 

Work Centers > Device Administration > Policy Results > TACACS Command Sets

 

The document below will help you (let us know if this is not the case, or if I misunderstood your requirement):

 

https://ciscocustomer.lookbookhq.com/iseguidedjourney/ISE-device-admin

 

BB


robad
Beginner

Hi, and thanks for your reply.

 

But it's not what I've asked for.

We already have a command set for the internal user.

 

We need that, for the same device, there will be an option for users from the External ID Source [AD] and Internal ISE Users to be able to log in.

balaji.bandi
VIP Master

Personally, I do not believe that the device can do both; there is only the option of the first one, and if that fails, the second one.

 

An Identity Source Sequence that will contain AD groups and, if needed, any local accounts on ISE (in the event that AD can't be reached or fails, you have a local ISE account to log into your equipment).

BB


Amine ZAKARIA (accepted solution)
Beginner

Hello,

From my understanding, you want, on the same policy, to authenticate and differentiate the authorization between AD users and ISE internal users (the AD user should not be the same as the ISE internal user).

First you need to create an Identity Source Sequence (Administration -> Identity Management -> Identity Source Sequences):

 

[screenshot: IIS.JPG]

 

Under the Authentication Policy, choose the Identity Source Sequence you have created:

[screenshot: IIS.JPG]

And the Authorization Policy should look like this:

[screenshot: IIS.JPG]


robad
Beginner

Hi Amine,

Thanks! It's getting closer to a solution.


Now I'm able to log in with both the AD user and the Internal User.

 

But, for some reason, the Command Sets are not taking effect, i.e. the users can log in but they have priv 15, and not only the "clear line" command set...

Do you have any Idea why ?

 

BTW - 

In other Policy Sets it's working: the "users" can log in and get only the "clear line" command set, and admins get all commands.

The only change is that in the other Policy Sets, the "users" are from the same Identity Source as the admins  [AD].

 

Attached: the Policy Set and the TACACS log.

[screenshots: policy set.PNG, tacacs log.PNG]

*********

Update

*********

 

IT IS WORKING!

 

I've noticed that something is wrong only with a specific Terminal Server.

There was one command that was missing:

 

aaa authorization commands 15 default local group tacacs+

 

and that's it, now it's working!

Thanks

balaji.bandi
VIP Master

aaa authorization commands 15 default local group tacacs+

Sure, this makes sense: this will do local first and TACACS+ later.

BB
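The missing line found in the update above, and the method-order remark that follows it, point at a check worth automating: ISE command sets only take effect when the device actually sends a per-command authorization request, and a device that authenticates fine against ISE will silently hand every user its exec privilege level if that line is absent. The following is an added example, not code from the thread and not Cisco or ISE code: a Python audit of a Cisco IOS running-config for the AAA lines that TACACS+ command authorization depends on. Both config fragments are constructed for the example; the server name ISE-PSN1, the address 192.0.2.10, the shared-secret placeholder and the server group name ISE-TACACS are assumptions, and the group-then-local method order is a choice made here rather than the poster's.

```python
import re

# Constructed sample running-config (added example input, not from the thread).
# Server name, address, secret and group name are placeholders.
BASE_AAA = """\
aaa new-model
tacacs server ISE-PSN1
 address ipv4 192.0.2.10
 key SharedSecretPlaceholder
aaa group server tacacs+ ISE-TACACS
 server name ISE-PSN1
aaa authentication login default group ISE-TACACS local
aaa authorization exec default group ISE-TACACS local
aaa accounting exec default start-stop group ISE-TACACS
line vty 0 4
 transport input ssh
"""

# The state the thread describes: login and exec authorization reach ISE, but
# there is no 'aaa authorization commands' line, so the NAS never asks ISE
# whether a command is permitted and the command set is never enforced.
CONFIG_MISSING_CMD_AUTHZ = BASE_AAA

# Corrected state: per-command authorization for levels 1 and 15, plus command
# accounting so that what an operator ran shows up in the ISE TACACS+ logs.
CONFIG_FIXED = BASE_AAA.replace(
    "aaa accounting exec default start-stop group ISE-TACACS\n",
    "aaa authorization commands 1 default group ISE-TACACS local\n"
    "aaa authorization commands 15 default group ISE-TACACS local\n"
    "aaa accounting exec default start-stop group ISE-TACACS\n"
    "aaa accounting commands 15 default start-stop group ISE-TACACS\n",
)


def tacacs_groups(config):
    """Names a method list can reference to reach TACACS+ servers."""
    names = set(re.findall(r"^aaa group server tacacs\+\s+(\S+)\s*$", config, re.M))
    names.add("tacacs+")  # built-in group of all configured tacacs servers
    return names


def references_tacacs(method_list, groups):
    """True if the method list names any TACACS+ server group."""
    return any(
        re.search(rf"\bgroup\s+{re.escape(g)}(?!\S)", method_list) for g in groups
    )


def audit_aaa(config, levels=(1, 15)):
    """Return findings; an empty list means ISE can enforce command sets."""
    findings = []
    groups = tacacs_groups(config)
    if not re.search(r"^aaa new-model\s*$", config, re.M):
        findings.append("aaa new-model missing: AAA method lists are not in effect")
    exec_line = re.search(r"^aaa authorization exec default (.+)$", config, re.M)
    if not exec_line or not references_tacacs(exec_line.group(1), groups):
        findings.append("exec authorization does not use TACACS+: "
                        "ISE shell profile (privilege level) is not applied")
    for level in levels:
        m = re.search(rf"^aaa authorization commands {level} default (.+)$",
                      config, re.M)
        if not m:
            findings.append(f"no 'aaa authorization commands {level} default': "
                            f"ISE command sets are never consulted at level {level}")
        elif not references_tacacs(m.group(1), groups):
            findings.append(f"'aaa authorization commands {level}' has no TACACS+ "
                            "method: command set cannot be enforced")
    # Config-mode command authorization is on by default once command
    # authorization exists; only the explicit 'no' form switches it off.
    if re.search(r"^no aaa authorization config-commands\s*$", config, re.M):
        findings.append("config-commands authorization disabled: "
                        "configuration-mode commands bypass the command set")
    return findings


if __name__ == "__main__":
    for name, cfg in (("missing", CONFIG_MISSING_CMD_AUTHZ), ("fixed", CONFIG_FIXED)):
        print(f"{name}: {audit_aaa(cfg) or 'OK'}")
```

Run stand-alone, it reports two findings for the first fragment (no `aaa authorization commands` for levels 1 and 15) and nothing for the corrected one. The poster's exact line, `aaa authorization commands 15 default local group tacacs+`, also passes the check, since it still names a TACACS+ group. When reading method lists, keep in mind that IOS moves on to the next method only when the previous one returns an error (for instance, no TACACS+ server responding), not when ISE returns a deny, so as long as ISE is reachable the TACACS+ method's decision on each command is the one that counts.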

