tacacs+ authorization

adamgibs7
Level 6

Dears,

Whenever the ISE server fails, I am able to log in to the switches and firewall, but I am not able to change any configuration because it tells me that authorization failed.

So do I have to configure the privilege level commands in the switch and firewall as well for successful authorization? If so, then what is the use of ISE working as a central place of authentication & authorization?

Thanks

19 Replies

Francesco Molino
VIP Alumni
Hi

What do you mean by you had to configure privilege command on the switch?
Which privilege are you using?
Can you please share your aaa config of the switch for example?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Dear Francesco

I have not configured any privileges on the switch or firewall, but I want to know whether I have to configure them in the situations below:

when ISE loses its reachability to the AD

OR

WHEN the ISE itself is off the network (crashed).

Thanks

Ok got it. Can you please share your switch config?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Dear

Please find the below config

Below is the config for the ASA:

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (INSIDE) host 1.1.1.
aaa-server RADIUS protocol radius
aaa-server RADIUS (INSIDE) host 1.1.1.1
aaa authentication ssh console TACACS+ LOCAL
aaa authentication http console TACACS+ LOCAL
aaa authentication serial console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL
aaa accounting ssh console TACACS+
aaa accounting command privilege 15 TACACS+
aaa local authentication attempts max-fail 5
aaa authorization exec authentication-server
aaa authentication login-history

Below is the config for the switch:

sh run | in aaa
aaa new-model
aaa group server tacacs+ xyz
aaa group server radius xyz-ISE
aaa authentication login default group xyz local
aaa authentication login no-auth local
aaa authentication enable default enable
aaa authentication dot1x default group xyz-ISE local
aaa authorization config-commands
aaa authorization exec default group xyz local
aaa authorization commands 1 default group xyz local
aaa authorization commands 15 default group xyz local
aaa authorization network default group xyz-ISE local
aaa accounting dot1x default start-stop group xyz-ISE
aaa accounting exec default start-stop group xyz
aaa accounting commands 1 default start-stop group xyz
aaa accounting commands 15 default start-stop group xyz
aaa server radius dynamic-author

Can you change your config to the following lines and test again, please:

aaa authorization exec default group xyz local if-authenticated
aaa authorization commands 1 default group xyz local if-authenticated
aaa authorization commands 15 default group xyz local if-authenticated

Can you share your local user config, please?

Try using the following before testing again:

username test privilege 15 secret 0 test

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Dear Francesco

Thanks for the reply

Before applying it I read the text below. Also, what is the replacement for this command on the ASA FW?

if-authenticated: Allows the user to access the requested function if the user is authenticated. The if-authenticated method is a terminating method. Therefore, if it is listed as a method, any methods listed after it will never be evaluated. Using if-authenticated as the first method is equivalent to not having an authorization if authentication has succeeded.

Yes, that's why it is at the end of each authorization command. Can you share your local user config?

Also, when trying while TACACS is down, can you run a debug aaa to see what happens?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
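The two points raised so far (a method list needs a method that can succeed with ISE unreachable, and if-authenticated is terminating so anything placed after it is never evaluated) can be checked mechanically before a maintenance window. The following audit script is an added example written for this thread, not code from the thread or from Cisco. It parses IOS `aaa authorization exec|commands N|network` lines and the ASA `aaa authorization command <tag> [LOCAL]` line from the posted configs, walks each method list in order, and reports lists with no offline-capable method, methods hidden behind a terminating one, and a `local` command-authorization fallback that has no local user at the required privilege level (the situation Francesco's `username ... privilege 15` suggestion addresses). The ASA LOCAL fallback is checked against privilege 15 on the assumption that configuration changes need that level; the sample config is a constructed copy of the switch lines in the thread plus one deliberately mis-ordered list.

```python
"""Audit Cisco IOS / ASA 'aaa authorization' lines for behaviour when the TACACS+
server is unreachable: is there a method that can still succeed, is a terminating
method (if-authenticated / none) hiding methods after it, and does a 'local'
fallback have a local user with enough privilege to actually pass?"""
import re
from dataclasses import dataclass, field

OFFLINE_METHODS = {"local", "if-authenticated", "none"}   # need no AAA server
TERMINATING = {"if-authenticated", "none"}                 # methods after these never run

IOS_AUTHZ = re.compile(r"^aaa authorization (exec|commands \d+|network) (\S+) (.+)$")
ASA_CMD_AUTHZ = re.compile(r"^aaa authorization command (\S+)( LOCAL)?$")
USERNAME = re.compile(r"^username (\S+)(.*)$")


@dataclass
class Finding:
    line: str
    methods: list
    offline_fallback: bool                            # an evaluated method needs no server
    unreachable: list = field(default_factory=list)   # methods after a terminating one
    notes: list = field(default_factory=list)         # empty list means nothing to fix


def _split_methods(tokens):
    """'group xyz local if-authenticated' -> ['group xyz', 'local', 'if-authenticated']."""
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append(f"group {tokens[i + 1]}")
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def local_privilege_levels(config):
    """Map local usernames to privilege level (IOS puts 'privilege N' after the name,
    ASA puts it at the end; both default to 1 when absent)."""
    levels = {}
    for line in config.splitlines():
        m = USERNAME.match(line.strip())
        if m:
            p = re.search(r"\bprivilege (\d+)", m.group(2))
            levels[m.group(1)] = int(p.group(1)) if p else 1
    return levels


def audit_line(line, priv_levels):
    line = line.strip()
    m = IOS_AUTHZ.match(line)
    if m:
        kind, methods = m.group(1), _split_methods(m.group(3).split())
    else:
        m = ASA_CMD_AUTHZ.match(line)
        if not m:
            return None
        # ASA: '<server-tag> [LOCAL]'. Assumption for this audit: the LOCAL fallback
        # is checked against privilege 15, the level configuration changes need.
        kind = "commands 15"
        methods = [f"server-tag {m.group(1)}"] + (["local"] if m.group(2) else [])

    # Walk the list in order; a terminating method ends evaluation right there.
    cut = len(methods)
    for i, meth in enumerate(methods):
        if meth in TERMINATING:
            cut = i + 1
            break
    evaluated, unreachable = methods[:cut], methods[cut:]
    f = Finding(line, methods, any(x in OFFLINE_METHODS for x in evaluated), unreachable)
    if unreachable:
        f.notes.append(f"{evaluated[-1]} terminates the list; {unreachable} never evaluated")
    if not f.offline_fallback:
        f.notes.append("no method can succeed while the AAA server is unreachable")
    lvl = re.match(r"commands (\d+)", kind)
    if lvl and "local" in evaluated and "if-authenticated" not in evaluated:
        need = int(lvl.group(1))
        if not any(p >= need for p in priv_levels.values()):
            f.notes.append(f"'local' fallback needs a local user with privilege {need}; none configured")
    return f


def audit_config(config):
    levels = local_privilege_levels(config)
    return [f for f in (audit_line(l, levels) for l in config.splitlines()) if f]


# Constructed sample: the switch lines from the thread, the user's local account, plus
# one deliberately mis-ordered list to show the terminating-method caveat.
SAMPLE_SWITCH = """\
aaa authorization exec default group xyz local
aaa authorization commands 1 default group xyz local
aaa authorization commands 15 default group xyz local
aaa authorization commands 15 default if-authenticated group xyz local
aaa authorization network default group xyz-ISE local
username xyz secret password cisco
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_SWITCH):
        print(f.line, "->", f.methods, "OK" if not f.notes else f.notes)
```

Run against the posted switch config, the `commands 15` list is flagged because the only local user has privilege 1, which matches the symptom in the thread (login works, command authorization fails once ISE is gone); the suggested `group xyz local if-authenticated` ordering passes, while putting `if-authenticated` first is reported as hiding the server and local methods behind it.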

username xyz secret password cisco

I can't provide debugs as I couldn't schedule a downtime.

Ok. How are you testing the TACACS failover to local, then? When do you have a maintenance window to test it?
Your secret looks weird.
Normally you would use the following command to configure your user:
username xxxx privilege 15 secret xxxxx

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Dear Francesco

username xxxx privilege 15 secret xxxxx

This command will directly land the user in privilege 15.

thanks

Yes, this is what you want when your TACACS fails?
Otherwise, put it in any other privilege and you'll need to type enable to move to privilege 15.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Dear Francesco

The authentication will drop me into privileged mode, but when I execute a command it will prompt "authorization failed". Hence the if-authenticated command will work for switches, but what about the ASA firewalls?

thanks

Normally it should work. Your ISE was down and not reachable when you tested, right?

Attach your ASA and switch config files as text and I'll reproduce your infrastructure in the lab to see what's going on.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Dear Francesco

I have already shared the configs in the post above.

Thanks