
ISE TACACS Command Set not applied to SSH session

cpaquet
Level 1

See attached config and log results.

When the admin logs in to the switch with SSH, ISE assigns the proper shell profile but never assigns the Command Set when he types commands.  See figure "TACACS Log Pass authorization but without Command set applied.jpg"

Please advise why ISE wouldn't also assign a command set.

Thanks.

3 Replies

Colby LeMaire
VIP Alumni

Did you test out some commands?  That output you show may be just because that particular request was for exec authorization.  Test some commands on the device and see if you are seeing those command authorization requests in the TACACS Live Logs.  Also, make sure your AAA config on the device is set up for command authorization and command accounting.

Hi Colby,

A. Indeed the aaa authorization commands for TACACS are on the switch.  See at the end of this post the commands applied.

B. As mentioned earlier, the Profile applied properly to the TACACS session. 

C. We tested the following scenarios and ISE never selected a command set:

  1. We tested with different admin accounts, some with profile level 1 or 15.  We had different AuthZ policies for each of the different exec profiles.  In every case, ISE applied the proper profile level.

  2. Then, we created an AuthZ policy that pointed to only a Command Set (no priv level associated with the policy).  Again, ISE didn't apply the command set.

  3. We rebooted ISE to no avail.  


I have since left the site of this customer.  On Monday, they will open a TAC case.  


Different issue, but potentially related: we experienced a similar issue this AM with 1X.  Wired 1X was working perfectly with PEAP and getting the dACL from ISE.  Then, this AM, for the same AuthZ Profile, we added the Airespace ACL, taking care to copy the name of the ACL from the WLC and paste it into the AuthZ profile.  During our testing, we rebooted one of the wired 1X computers which had been successfully authorized prior, to find that it was in the 'unauthorized' state and thus no dACL was pushed to it.  Back in ISE, we removed the Airespace ACL from the Authorization profile, rebooted the machine, and it was then again authorized on the network.  I added "radius-server attribute value 61 extended" to the switch to make sure it was telling ISE it was a wired connection, but it didn't fix the problem.  Once we removed the Airespace ACL from the Corp 1X wired authorization profile, the machine had no problem being authorized on the network.

Switch: 3650 running 16.3(6)


AAA TACACS+ COMMANDS ON SWITCH:

tacacs server ISETAC
 address ipv4 172.18.50.2
 key sharedsecret
!
aaa group server tacacs+ myTplusServers
 server name ISETAC
!
aaa authentication login MyTplus group myTplusServers local
aaa authorization exec MyTplus group myTplusServers local
aaa authentication enable default group myTplusServers enable
aaa authorization commands 1 MyTplus group myTplusServers if-authent
aaa authorization commands 15 MyTplus group myTplusServers if-authent
aaa accounting exec default start-stop group myTplusServers
!
line vty 0 15
 login authentication MyTplus
 authorization exec MyTplus
 authorization commands 1 MyTplus
 authorization commands 15 MyTplus
!


Thanks
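As an added example (not from the thread, and not Cisco or ISE code), the script below runs Colby's two checks mechanically against a switch config: for each privilege level it verifies that an "aaa authorization commands" list exists, that the named list is actually applied under the vty lines, and that "aaa accounting commands" is configured for that level. The embedded config is constructed to mirror the one posted above ("aaa new-model" is assumed, and "if-authent" is written out as "if-authenticated", which is how the running config shows it). Run against that sample it reports only what the posted config lacks: command accounting, plus a note that an "if-authenticated" fallback permits every command when no TACACS+ server answers.

```python
"""Lint a Cisco IOS config for TACACS+ command authorization and accounting.

Added example for the thread above; it is not part of the original post.
Assumption: the config uses IOS 'show running-config' layout, i.e. sub-mode
commands are indented by one space and stanzas are separated by '!'.
"""
import re

# Constructed sample mirroring the posted switch config (indentation restored,
# 'aaa new-model' assumed, 'if-authent' expanded as the running config shows it).
SAMPLE_CONFIG = """\
aaa new-model
tacacs server ISETAC
 address ipv4 172.18.50.2
 key sharedsecret
!
aaa group server tacacs+ myTplusServers
 server name ISETAC
!
aaa authentication login MyTplus group myTplusServers local
aaa authorization exec MyTplus group myTplusServers local
aaa authentication enable default group myTplusServers enable
aaa authorization commands 1 MyTplus group myTplusServers if-authenticated
aaa authorization commands 15 MyTplus group myTplusServers if-authenticated
aaa accounting exec default start-stop group myTplusServers
!
line vty 0 15
 login authentication MyTplus
 authorization exec MyTplus
 authorization commands 1 MyTplus
 authorization commands 15 MyTplus
!
"""

AUTHZ_CMD = re.compile(r"^aaa authorization commands (\d+) (\S+) (.+)$")
ACCT_CMD = re.compile(r"^aaa accounting commands (\d+) (\S+) (.+)$")
LINE_HDR = re.compile(r"^line (\S.*)$")


def parse_config(text):
    """Split a config into top-level commands and 'line ...' stanzas.

    Returns (globals, {line_name: [sub-commands]}); other sub-modes such as
    'tacacs server' are skipped because the lint does not need them.
    """
    top_level, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None            # '!' ends the current stanza
            continue
        if raw[0].isspace():          # indented: sub-command of the open stanza
            if current is not None:
                sections[current].append(raw.strip())
            continue
        m = LINE_HDR.match(raw)
        if m:
            current = m.group(1)      # e.g. 'vty 0 15'
            sections.setdefault(current, [])
        else:
            current = None
            top_level.append(raw.strip())
    return top_level, sections


def lint_aaa(text, levels=(1, 15)):
    """Return a list of findings; an empty list means every check passed."""
    top_level, sections = parse_config(text)
    authz, acct, findings = {}, {}, []
    for entry in top_level:
        if m := AUTHZ_CMD.match(entry):
            authz[int(m.group(1))] = (m.group(2), m.group(3).split())
        elif m := ACCT_CMD.match(entry):
            acct[int(m.group(1))] = m.group(2)
    vty_lines = {k: v for k, v in sections.items() if k.startswith("vty")}
    for lvl in levels:
        if lvl not in authz:
            findings.append(f"level {lvl}: no 'aaa authorization commands {lvl}' "
                            "list, so commands at this level are never sent to TACACS+")
            continue
        name, methods = authz[lvl]
        # A trailing if-authenticated/none method is only tried when the server
        # group errors out, but it then permits every command silently.
        if methods[-1] in ("if-authenticated", "none"):
            findings.append(f"level {lvl}: list '{name}' ends in '{methods[-1]}', "
                            "so commands are permitted when no TACACS+ server answers")
        # A named list does nothing until a line references it; 'default' applies everywhere.
        if name != "default":
            for line_name, subs in vty_lines.items():
                if f"authorization commands {lvl} {name}" not in subs:
                    findings.append(f"level {lvl}: list '{name}' is not applied "
                                    f"under 'line {line_name}'")
        if lvl not in acct:
            findings.append(f"level {lvl}: no 'aaa accounting commands {lvl}', so "
                            "executed commands never reach the TACACS+ accounting log")
    return findings


if __name__ == "__main__":
    for finding in lint_aaa(SAMPLE_CONFIG):
        print("-", finding)
```

The lint only looks at vty lines; a console session ("line con 0") needs the same "authorization commands" and "accounting commands" statements, so extend the filter in lint_aaa if console access is in scope. Note that a missing accounting statement does not by itself stop ISE from showing command authorization requests in the TACACS Live Logs; it only means nothing lands in the accounting report.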

I can't open the images you attached, but the AAA switch configuration looks correct. I've used ISE 2.4 patch 11 with TACACS+ command authorization on a Cat 3650, Cat 9300, and CSRv, so it definitely works. It's probably best for your customer to work with TAC to investigate.


On the issue with the Airespace ACL, the switch doesn't understand the Airespace ACL AV-pair, so it will cause problems with your wired dot1x session. You need to use separate Authorization Profiles for Wired versus Wireless.


Cheers,

Greg