
Nexus Authenticating domain users even if user is not authorized

Angus Bishop
Level 1

Hi Experts,

I am configuring Nexus version 7.0(3) with ISE 2.1 for AAA authentication (TACACS).

During the configuration I am facing a problem: when I try to log in to the Nexus, all the domain users get authenticated (the identity store is AD in ISE) and reach the # prompt on the Nexus. (ISE auth configuration attached.)

Once the login has succeeded, only the authorized users configured under the authorization rule have permission to run the commands.

Has anyone come across a similar issue on the Nexus, where authentication happens first and only then does it check for authorization?

I am facing the issue only on Nexus; other devices are working fine.

AAA configuration:

aaa authentication login default group TACACS
aaa authentication login console local
aaa authorization config-commands default group TACACS
aaa authorization commands default group TACACS
aaa accounting default group TACACS
tacacs-server directed-request

Thanks

Angus

1 Reply

Rahul Govindan
VIP Alumni

Unfortunately, this is a known problem with the Nexus and ISE TACACS implementation. This is because ISE decouples authentication and authorization with TACACS. The following post has a workaround to get this to work:

https://communities.cisco.com/thread/70638?start=0&tstart=0