tacacs+ authorization

adamgibs7
Level 6

Dears,

Whenever the ISE server fails, I am able to log in to the switches and firewall, but I am not able to change any configuration because it tells me that authorization failed.

So do I have to configure the privilege-level commands on the switch and firewall as well for successful authorization? If so, then what is the use of ISE working as the central place for authentication and authorization?

 

Thanks

19 Replies

The config looks OK, but we need to troubleshoot when you have the issue.
Let me know when we can troubleshoot your issue in a PM. We can do a WebEx.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Dear Francesco

 

I'm in a country with time zone GMT+4. I can arrange according to your time zone; can I know your time zone, and are you working for Cisco TAC? I have a case open for the EAP chaining, and TAC has not been able to solve it in the month that has passed. If you are in Cisco TAC I can provide you the case number.

 

thanks

I'm not working for Cisco TAC.
I'm also within the same time zone (EST). If you're available this weekend, send me a PM and we will do a WebEx.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Dears

WebEx will not be possible in EST time since I don't have full access to the devices, but instead you can instruct me on the actions that I can carry out myself.

 

So you are confirming that with the ASA I should not fall into the case where, when ISE is not reachable and I am trying to make any changes on the ASA, it prompts me with an authorization failed error.

 

thanks

Here is the config I would do for the ASA:

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (INSIDE) host 1.1.1.
!
aaa authentication ssh console TACACS+ LOCAL
aaa authentication http console TACACS+ LOCAL
aaa authentication serial console TACACS+ LOCAL --> Do you want serial connections to be allowed through TACACS+?
aaa authentication secure-http-client
aaa authentication enable console TACACS+ LOCAL
!
aaa authorization exec authentication-server auto-enable --> ASA 9.2(1) and above
aaa authorization http console TACACS+ --> If ASA 9.4 and above, because since then exec is separated for ASDM from other types of connections.
aaa authorization command TACACS+ LOCAL
aaa accounting ssh console TACACS+
aaa accounting command privilege 15 TACACS+
aaa local authentication attempts max-fail 5
aaa authentication login-history

This config should work and not give you any authorization failure when ISE is down/not reachable.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
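As an added illustration (not part of the thread, and not Cisco's or ISE's tooling), the check below scans IOS and ASA AAA lines for authorization method lists that name only a server group, which is the condition that produces the "authorization failed" symptom above once ISE is unreachable. The sample configs are constructed for the example.

```python
# Constructed sample configs (not from the thread). Each holds one command-
# authorization line that reaches a TACACS+ server with no local fallback.
IOS_CONFIG = """\
aaa new-model
aaa authentication login default group ISE local
aaa authorization exec default group ISE local
aaa authorization commands 15 default group ISE
aaa authorization config-commands
"""
ASA_CONFIG = """\
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+
aaa authorization exec authentication-server auto-enable
"""
# IOS method keywords that still succeed when every AAA server is unreachable.
IOS_FALLBACKS = {"local", "if-authenticated", "none"}


def _ios_methods(tokens):
    """Method list of an IOS 'aaa authorization' line ([] if the line has none)."""
    kind = tokens[2]
    if kind == "commands":          # aaa authorization commands <level> <list> <methods...>
        return tokens[5:]
    if kind in ("exec", "network", "reverse-access", "configuration"):
        return tokens[4:]           # aaa authorization <kind> <list> <methods...>
    return []                       # config-commands, console, ...: no method list


def missing_fallback(config, platform):
    """Return 'aaa authorization' lines relying only on a server group (platform: 'ios' or 'asa')."""
    findings = []
    for raw in config.splitlines():
        tokens = raw.split()
        if tokens[:2] != ["aaa", "authorization"] or len(tokens) < 4:
            continue
        if platform == "ios":
            methods = _ios_methods(tokens)
            uses_server = "group" in methods
            has_fallback = bool(IOS_FALLBACKS & set(methods))
        else:  # asa: only 'aaa authorization command <server-tag> [LOCAL]' has a fallback form
            if tokens[2] != "command":
                continue
            uses_server = tokens[3].upper() != "LOCAL"
            has_fallback = "LOCAL" in [t.upper() for t in tokens[4:]]
        if uses_server and not has_fallback:
            findings.append(raw.strip())
    return findings
```

Run it over the running-config of each device that falls back to local authentication; every line it reports will reject configuration changes once the TACACS+ server is down.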