adamgibs7
Frequent Contributor

Privilege commands sh running-config

Dears,

 

I am following the below link:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200208-Configure-ISE-2-0-IOS-TACACS-Authentic.html#anc12

I have 2 small problems but I'm not able to figure them out because I'm new to ISE 2.1.

I have a privilege level of 2 with a command set of all show commands, in which the user is not able to execute the show running-configuration command; it gets an authorization failed error on the terminal, but nothing comes in the TACACS logs of ISE.

Users which are assigned a privilege level (15, 2, etc.) are, after login, directly dropped into privileged mode (#) without using the enable secret configured on the device. I want each user to be forced to use the enable secret password. On which page of ISE can I find the enable secret used by ISE instead of the local device enable secret? ISE is integrated with AD, and network operator users (who will issue only show commands) will be authenticated on AD. I have some local users configured on the ISE server; in their settings I can see the enable secret option, but for those who are authenticated on AD, how can we force them to use the enable secret after their password?

Is it possible, or is it the default behavior that the enable secret will be bypassed when the user is authenticated on AD?

I tried some command sets with shell privilege level 7 but it doesn't work; it works only with shell privilege level 15. Is this the correct behavior of ISE 2.1?

 

aaa authentication login default group xyz local
aaa authentication login no-auth local
aaa authentication enable default enable
aaa authorization config-commands
aaa authorization exec default group xyz local
aaa authorization commands 2 default group xyz local
aaa authorization commands 15 default group xyz local
aaa authorization network default group xyz local
aaa accounting exec default start-stop group xyz
aaa accounting commands 2 default start-stop group xyz
aaa accounting commands 15 default start-stop group xyz

Francesco Molino
VIP Mentor

Hi 

 

Ok let's take all your questions.

 

First of all, you can push privileges for a user, but these privileges and the commands attached to them have to be defined in each switch. If privileges aren't defined then it takes the previous level, and it does that until it finds a valid privilege.

For example, you didn't configure any privilege command in your switch and you're pushing out privilege 7. Then the user will get the default configured privilege defined with a lower value than 7; it will be privilege 1.

In privilege 1, you can't run show running-config. To be as precise as possible, the show run command will show the part of the config that the user has rights on.

Here is an explanation:

https://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-control-system-tacacs-/23383-showrun.html

This means you can assign privilege 15 for simplicity and filter commands based on a command set.

If you push privilege 15, in combination with the aaa authorization exec command, the user will be pushed into privileged mode directly.

To avoid that, you can push default privilege x and maximum privilege 15 from ISE. This will force the user to arrive in user mode and issue the enable command to get into privileged mode.

Your default authentication is based on TACACS, and this means that your enable password will be authenticated through TACACS. Take a look here:

https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/fsecur_r/srfathen.html#wp1055538

The last question was why commands are running with privilege 15 and not with privilege 7. This is the same explanation as before. If privilege 7 isn't defined, or isn't defined with the right commands, then it's not going to work. You need to define privilege 7 locally on the switch. This isn't an ISE issue; this is a switch misconfiguration.

Here is documentation on how to configure privilege levels:

https://learningnetwork.cisco.com/docs/DOC-15878

https://learningnetwork.cisco.com/blogs/community_cafe/2015/10/23/cisco-ios-privilege-levels

 

Hope I've answered all your questions 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Dear Francesco,

 

Thanks for the reply. You're a VIP (green); I don't have much deeper knowledge of ISE, but I have noticed the below.

First of all, you can push privileges for a user, but these privileges and the commands attached to them have to be defined in each switch. If privileges aren't defined then it takes the previous level, and it does that until it finds a valid privilege.

For example, you didn't configure any privilege command in your switch and you're pushing out privilege 7. Then the user will get the default configured privilege defined with a lower value than 7; it will be privilege 1.

In privilege 1, you can't run show running-config. To be as precise as possible, the show run command will show the part of the config that the user has rights on.

Please find the attached screenshot. I have specified the privilege 7 commands in the switch and in ISE; still it is not working. The command set works only with shell priv 15, and though the command set is restricted to interface level, it is showing me the full running-configuration of the switch, not the relevant configuration for the commands.

If I have to specify the privilege commands in each switch, then what is the use of a centralized system like ISE? So does this mean ISE will only work with shell profile 15 with command sets? Please confirm.

 

SW(config)#do sh run | in privilege
privilege interface level 7 shutdown
privilege interface level 7 no shutdown
privilege interface level 7 no
privilege configure level 7 interface
privilege exec level 7 ping
privilege exec level 7 configure terminal
privilege exec level 7 reload

 

If you push privilege 15, in combination with the aaa authorization exec command, the user will be pushed into privileged mode directly.

To avoid that, you can push default privilege x and maximum privilege 15 from ISE. This will force the user to arrive in user mode and issue the enable command to get into privileged mode.

Please find the attached screenshot: it doesn't accept it without a value, I have to specify some value. So I have specified default privilege 1 and max privilege 15, and it prompts me for the enable password. That is fine, but it is using the locally configured enable secret for level 15 because of this command (aaa authentication enable default enable). If I change it to (aaa authentication enable default group xyz enable) then it will check on ISE first and in case of ISE failure it checks locally, but I don't see any option to specify the enable secret in ISE?

 

 

Regards

Adam

Yes, privilege has to be defined locally and not from ISE. Usually, what we see the most today is giving privilege 15 with a command set filtering commands. There's no way to push privilege from ISE that I'm aware of.

When you log in with privilege 7, are you already in enable mode or user mode?
If user mode, you need to go to enable mode using enable 7.
If you are pushed into privileged mode after ISE authentication, you have access to the commands you configured; you can also verify it by doing show privilege to see which privilege level you are in.

For enable, I gave you a link in my previous answer: you have a user like $enab15$ (on the user creation) on ISE with the password you want.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thanks for clarifying, but only the below is not clarified:

By using this command (aaa authentication enable default enable) it will use the locally configured enable secret. If I change it to (aaa authentication enable default group xyz enable) then it will check on ISE for the enable secret and in case of ISE failure it will check locally, but on which page can I configure the enable secret in ISE? I don't have any user locally on ISE to use their enable secret. Please find the attached screenshot.

The link provided below mentions using the enable password of the device and not from ISE.

https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/fsecur_r/srfathen.html#wp1055538

 

OK, then if you don't have any local user, your enable password would be your user password. Have you tried it?

Can you share your ISE TACACS live log?

You should get something like this, to see that your enable password has been entered and accepted:

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Dear Francesco,

The image in your last post didn't show properly.

There is some confusion in my writing, I think. Let's keep the local user privileges aside and speak only of the enable secret password for user level 15.

My user is in AD and not in ISE.

aaa authentication enable default enable  -----what does this mean? If I'm not wrong: use the local enable secret.

aaa authentication enable default xyz enable---what does this mean? If I'm not wrong: use the ISE enable secret, and if ISE is not accessible then use the locally configured enable secret.

 

Thanks 

Yes, you're correct.

The first one is the local enable password, and the second line is the enable password through ISE and, if not available, then fallback locally.

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

That's great.

If the user is created in ISE you can specify the enable password for that user; no issues with this solution.

If the user is not in ISE but instead in AD, then from where will he use the enable password?

The fallback, as you mentioned, will be used only when the ISE host itself is down? Please correct me.

 

thanks

 

When using AD, the enable password would be the same as the user password.

 

Yes, the fallback would be used when ISE isn't reachable from the device: it could be that ISE is down or an ACL is blocking access to ISE, for example.

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
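The two IOS behaviours Francesco describes above (a command is usable only if the switch assigns it to a level at or below the user's, and a later AAA method is tried only when the earlier one errors, i.e. ISE is unreachable, never when ISE rejects the credential) modelled in a small simulator. This is an added example, not code from the thread or from Cisco; the DEFAULT_LEVEL table is a constructed subset and the sample config reuses three of the poster's own privilege lines.

```python
import re

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

def run_method_list(methods, server_reply, local_ok):
    """Walk an IOS AAA method list such as ["group xyz", "enable"].
    server_reply simulates every 'group' (TACACS+) method: PASS/FAIL are
    answers from ISE, ERROR means ISE was unreachable; local_ok simulates
    the local enable-secret check. IOS moves to the next method only on
    ERROR, so a password rejected by ISE never falls back to the switch."""
    for method in methods:
        if method.startswith("group "):
            if server_reply != ERROR:
                return server_reply, method
        elif method in ("local", "enable"):
            return (PASS if local_ok else FAIL), method
    return FAIL, None  # every method errored out: access denied

# Constructed default levels (an assumption, not the full IOS table) for
# commands the switch does not relabel with 'privilege ... level N ...'.
DEFAULT_LEVEL = {("exec", "show"): 1, ("exec", "show running-config"): 15,
                 ("exec", "configure terminal"): 15, ("exec", "reload"): 15,
                 ("configure", "interface"): 15, ("interface", "shutdown"): 15}
PRIV_RE = re.compile(r"^privilege (\S+) level (\d+) (.+)$")

def parse_privilege_lines(config):
    """Return {(mode, command): level} from 'privilege <mode> level N <cmd>'."""
    levels = dict(DEFAULT_LEVEL)
    for line in config.splitlines():
        m = PRIV_RE.match(line.strip())
        if m:
            levels[(m.group(1), m.group(3).strip())] = int(m.group(2))
    return levels

def can_run(levels, user_level, mode, command):
    """A command is usable when its assigned level <= the user's level.
    Longest matching prefix wins, so 'show running-config' (15) is not
    unlocked by 'show' (1): the failure the thread opens with."""
    best = max((c for (md, c) in levels if md == mode and command.startswith(c)),
               key=len, default=None)
    return best is not None and levels[(mode, best)] <= user_level

# Three of the poster's own 'privilege' lines, reused as sample input.
SAMPLE_CONFIG = """privilege interface level 7 shutdown
privilege configure level 7 interface
privilege exec level 7 configure terminal"""
```

With the sample config, a level-7 user can enter configuration mode and shut an interface but still cannot run show running-config, and an enable password that ISE rejects is denied outright rather than retried against the local enable secret.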

Thanks Francesco,

 

I got an authorization command failure message when switching to config mode on the ASA; now I'm stuck and cannot exit except with a hard reload, and I was using the same ISE settings which I was using for the switches, priv 1 and max 15.

Why did it happen?

 

aaa authentication ssh console TACACS+ LOCAL
aaa authentication http console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL
aaa authorization exec authentication-server

TACACS works a bit differently on ASA.

Take a look at this documentation guide:

https://communities.cisco.com/servlet/JiveServlet/previewBody/68193-102-2-125120/How-To_TACACS_for_ASA.pdf

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Dear Francesco,

 

Can you highlight what is different? Maybe my eyes are not able to figure it out.

As it seems to me, it is the same as for switches. I have kept shell profile 1 and maximum 15 so that the user can use the enable password; in this case the user will use his own login password as the enable password.

Difference in working is for asdm only.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question