ISE IOS CLI Authentication Quandary

bret
Level 3

I'm trying to push the limits of ISE, since TACACS+ isn't supported yet. The goal is to authenticate switches and routers using RADIUS against ISE. I think I am on the right track, since I can log in against ISE. However, when I log in to enable, the ISE Authorizations log shows RADIUS status fail, with a failed attempt from user $enabl15$.

I have my device added to ISE. An authorization profile has been created for each privilege level; I am using policy sets and have the correct authz and authc policies. Below are examples of my ISE configuration and router configuration. Hopefully it helps fix my problem, or it may help the next troller with success of their own configuration.

Auth Profile: When choosing priv-lvl=15 after hitting save, web auth is automatically selected.

(screenshot: authorization profile)

Policy Set:

Router configuration:

aaa group server radius Rad_AUTH1
 server name Rad_Auth
!
aaa authentication login CONSOLE local
aaa authentication login Rad_Auth group Rad_AUTH1 local none
aaa authentication enable default group Rad_AUTH1 enable none
aaa authorization exec default none 
aaa authorization exec Rad_Auth group Rad_AUTH1 if-authenticated 
aaa accounting exec default start-stop group radius
!

radius server Rad_Auth
 address ipv4 x.x.x.x auth-port 1645 acct-port 1646
 timeout 3
 key 7 052F302B3B7E491B41

line vty 0 4
 session-timeout 30 
 exec-timeout 30 0
 authorization exec Rad_Auth
 login authentication Rad_Auth
 transport input ssh

3 Replies

nspasov
Cisco Employee

Hmm, I don't see anything wrong from the surface... the only thing I have not done in comparison to your config is returning the Advanced RADIUS Attribute of "Service-Type = Login". Can you try removing it and see if it makes a difference?

Also, have you done any debugs? If not perhaps you can debug aaa authorization and debug radius and then post the results here. 


Thank you for rating helpful posts!

Thanks for the reply Neno. I got it worked out and will be submitting a new document for future trollers. There were a couple things I had to change in both ISE and in IOS. 

In IOS
aaa authentication login default group radius local none
aaa authentication login CONSOLE local
aaa authentication enable default group radius enable none
aaa authorization exec default group radius local 

 

In ISE the AuthZ and AuthC policies worked, but didn't give the results I wanted. For example, since RADIUS uses $enabl$ as a username for the privilege level, I had to put a deny at the end of each policy. Without it, enable would go to the next default rule; it also allowed a priv 5 to type in enable and get priv 15 access.
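The fall-through described in the solution above (and the failed $enabl15$ attempt in the original post) comes down to one property of ordered authorization rules: an IOS enable request arrives as a synthetic username that matches no user-specific rule, so whatever the last rule says is what enable gets. The following is an added example, not code from this thread and not ISE code: a first-match model of a priv-5 policy set, evaluated once with a permissive final rule and once with an explicit deny, plus an audit function that reports which enable levels a policy would hand out by fall-through. The rule name `NetOps-Priv5`, the identity group `NetOps`, the NAS name `rtr1`, and the `$enab<level>$` username form (IOS's spelling; the thread writes `$enabl15$`) are assumptions for illustration.

```python
# Added example (not from the thread, not ISE code): a first-match model of
# ordered authorization rules, showing why the last rule decides what an
# IOS 'enable' request gets. Rule, group and NAS names are constructed.
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# IOS authenticates 'enable' over RADIUS with a synthetic User-Name of the
# form $enab<level>$ (the thread spells it $enabl15$). That request does not
# carry the name of the user who typed 'enable', so a policy cannot tell a
# priv-5 operator from a priv-15 admin by username alone.
ENABLE_USER = re.compile(r"^\$enab(\d{1,2})\$$")


@dataclass(frozen=True)
class Request:
    username: str
    groups: frozenset      # identity groups resolved for the user (constructed)
    nas: str               # device the request came from


@dataclass(frozen=True)
class Rule:
    name: str
    condition: Callable[[Request], bool]
    result: str            # e.g. "PermitAccess:priv-lvl=5" or "DenyAccess"


def enable_level(username: str) -> Optional[int]:
    """Privilege level an enable request asks for, or None for a normal login."""
    m = ENABLE_USER.match(username)
    return int(m.group(1)) if m else None


def evaluate(rules: List[Rule], req: Request) -> Tuple[str, str]:
    """First-match evaluation, like an ISE authorization policy: the first
    rule whose condition holds decides, later rules are never consulted."""
    for rule in rules:
        if rule.condition(req):
            return rule.name, rule.result
    raise ValueError("policy has no catch-all rule")


# A policy set for priv-5 operators (constructed). Only members of the
# hypothetical 'NetOps' group are meant to get in, and only at level 5.
OPERATOR_RULE = Rule("NetOps-Priv5",
                     lambda r: "NetOps" in r.groups,
                     "PermitAccess:priv-lvl=5")

# Variant A: final rule left at a permissive default.
POLICY_DEFAULT_PERMIT = [OPERATOR_RULE,
                         Rule("Default", lambda r: True, "PermitAccess")]
# Variant B: what the thread ends with, an explicit deny as the final rule.
POLICY_DEFAULT_DENY = [OPERATOR_RULE,
                       Rule("Default", lambda r: True, "DenyAccess")]


def enable_outcome(rules: List[Rule], level: int = 15,
                   nas: str = "rtr1") -> Tuple[str, str]:
    """Outcome for the request IOS sends when someone types 'enable <level>'.
    The synthetic user belongs to no identity group, so only a catch-all
    rule can match it."""
    return evaluate(rules, Request(f"$enab{level}$", frozenset(), nas))


def enable_levels_permitted(rules: List[Rule]) -> List[int]:
    """Audit check: which enable levels this policy grants to a request that
    matches no explicit rule. A non-empty list means anyone who can log in
    at all can escalate to those levels just by typing 'enable'."""
    return [lvl for lvl in range(1, 16)
            if enable_outcome(rules, lvl)[1].startswith("PermitAccess")]


if __name__ == "__main__":
    alice = Request("alice", frozenset({"NetOps"}), "rtr1")
    print("login :", evaluate(POLICY_DEFAULT_PERMIT, alice))
    print("permit:", enable_outcome(POLICY_DEFAULT_PERMIT))  # falls through, escalates
    print("deny  :", enable_outcome(POLICY_DEFAULT_DENY))    # stopped by the final deny
    print("audit :", enable_levels_permitted(POLICY_DEFAULT_PERMIT),
          enable_levels_permitted(POLICY_DEFAULT_DENY))
```

Running it shows the operator login landing on `NetOps-Priv5` under both variants, while the `$enab15$` request lands on `Default` and is permitted under variant A and denied under variant B; the audit returns all fifteen levels for variant A and none for variant B. The same check applies to every per-privilege-level policy set on the ISE side: each one needs its own terminal deny, because a fall-through in any of them is reachable by any user who passed login on that device.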

nspasov
Cisco Employee

Glad you got your own issue resolved! Also, thank you for taking the time to come back and post the solution here! (+5 from me). 

Since the issue is resolved you should mark the thread as "answered" :)