ISE TACACS command set not functioning as expected.

Alex L.
Level 1

Hi Everyone, I'm having an issue with TACACS command sets where all the commands that I am trying to deny after I enter conf t are not being denied; they are still being allowed. I'm attaching a screenshot of the command set. I'm trying to isolate the "username" command but I can't get it to deny any which way I try it. Any help would be greatly appreciated. Screenshots attached. Maybe I'm just doing it completely wrong? Using ISE 2.3.

Capture.PNG

6 Replies

Damien Miller
VIP Alumni
I would start by confirming the basics again. Ensure that your testing is hitting the correct command set, assuming yes, then confirm the configuration on the device. Ensure that you are not missing the aaa authorization commands.

Lastly, I think that the command should just be username, then in the argument you would have *. I'm not certain it would work as it is currently and I don't have my lab available to test right now.

I'm also facing the same issue. I want to deny some commands but it's not working. Can you please suggest something on this? Is this the right way to deny some commands on network devices?

Capture.PNG

Not quite. The "command" portion works according to the wildcard paradigm (?,*) and the arguments are according to the regex paradigm (.*,.+ etc.). So if you wanted to block anything beginning with hostname you'd use "hostname" for command and ".*" for argument.

Nadav
Level 7

Adding to what's been said:

The AAA CLI configuration on the NAD has to be correct. Under "aaa authentication login" you should make sure that the authentication list used for the VTY shell is configured.

Other than that, you can see in the TACACS livelogs exactly which authz profile is being enforced on the connection.

rajitha.ssr
Level 1

Even I am seeing this issue with command sets.

The commands, if given with complete arguments, are allowed. However, when I give * in the arguments, it is not working for the user. E.g., for NetScaler config command sets, if I give the complete command stat ha node, access is working, and if I give stat ha *, it fails for the user.

ISE version is 2.4

Use this as a reference:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ISE_admin_guide_24/m_ise_tacacs_device_admin.html

If you feel that the wildcards aren't being honored by your TACACS+ session, then it's not a network device issue but rather an ISE issue. Make sure you understand how to implement the command sets according to the reference. From my experience these wildcards work fine.

The "command" portion works according to the wildcard paradigm (?,*) and the arguments are according to the regex paradigm (.*,.+ etc.).

It's also worth noting whether the failed command is part of a whitelist or blacklist set (blacklist permits commands not in the command set). You can debug the questionable command set via Operations > Reports > Reports > Device Administration > TACACS Authorization. If a command fails, you'll see why it failed via the details of that report.
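As an added example (not the thread's or ISE's own code), here is a small Python model of the matching rules described above: the command field is compared as a shell-style wildcard, the argument field as a regular expression, and a validation pass catches the bare "*" argument from earlier in the thread, which is not a valid regex. The top-down first-match order and the fallback for unlisted commands are assumptions made by this model; the rules and CLI lines are constructed from the thread.

```python
import fnmatch
import re

# Constructed rules modelled on the thread; not ISE's own code or data.
# Each rule is (grant, command_pattern, argument_regex):
#   command_pattern uses shell wildcards (? and *), as the thread describes;
#   argument_regex is a regular expression matched against the whole argument string.
RULES = [
    ("DENY", "username", ".*"),    # deny any line that starts with "username"
    ("DENY", "hostname", ".*"),    # deny any line that starts with "hostname"
    ("PERMIT", "stat", "ha .*"),   # permit "stat ha <anything>"
]
PERMIT_UNLISTED = True  # the "Permit any command that is not listed" checkbox


def validate_rules(rules):
    """Return [(rule, error)] for rules whose argument field is not a valid regex.

    A bare "*" in the argument field is a wildcard, not a regex, and fails here;
    the regex form is ".*"."""
    problems = []
    for rule in rules:
        try:
            re.compile(rule[2])
        except re.error as exc:
            problems.append((rule, str(exc)))
    return problems


def authorize(line, rules=RULES, permit_unlisted=PERMIT_UNLISTED):
    """Model the evaluation of one CLI line against a command set.

    TACACS+ carries the first word as cmd and the remaining words as cmd-arg,
    so only the first word is compared with the command pattern; everything
    after it is compared with the argument regex (so "stat ha *" typed into
    the command field never matches "stat ha node").
    Assumptions: rules are evaluated top-down and the first match wins; a line
    matching no rule falls back to the permit_unlisted checkbox."""
    parts = line.split()
    if not parts:
        return "DENY"
    cmd, args = parts[0], " ".join(parts[1:])
    for grant, cmd_pattern, arg_regex in rules:
        if fnmatch.fnmatchcase(cmd, cmd_pattern) and re.fullmatch(arg_regex, args):
            return grant
    return "PERMIT" if permit_unlisted else "DENY"


if __name__ == "__main__":
    for cli in ("username bob privilege 15", "stat ha node", "show running-config"):
        print(f"{cli!r:32} -> {authorize(cli)}")
    print(validate_rules([("DENY", "username", "*")]))
```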