05-11-2018 03:02 PM - edited 02-21-2020 10:55 AM
Dears,
Whenever an ISE server fails, I am able to log in to the switches and firewall, but I am not able to change any configuration because it tells me that authorization failed.
So do I have to configure the privilege-level commands on the switch and firewall as well for successful authorization? If so, then what is the use of ISE working as a central place for authentication and authorization?
Thanks
05-11-2018 08:44 PM
05-11-2018 09:38 PM
Dear Francesco
I had not configured any privileges on the switch or firewall, but I want to know whether I have to configure them in the situations below:
when ISE loses its reachability to the AD
OR
when ISE itself is out of the network (crashed).
Thanks
05-12-2018 07:28 PM
05-13-2018 09:09 AM
Dear
Please find the config below.
Config for the ASA:
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (INSIDE) host 1.1.1.
aaa-server RADIUS protocol radius
aaa-server RADIUS (INSIDE) host 1.1.1.1
aaa authentication ssh console TACACS+ LOCAL
aaa authentication http console TACACS+ LOCAL
aaa authentication serial console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL
aaa accounting ssh console TACACS+
aaa accounting command privilege 15 TACACS+
aaa local authentication attempts max-fail 5
aaa authorization exec authentication-server
aaa authentication login-history
Config for the switch:
sh run | in aaa
aaa new-model
aaa group server tacacs+ xyz
aaa group server radius xyz-ISE
aaa authentication login default group xyz local
aaa authentication login no-auth local
aaa authentication enable default enable
aaa authentication dot1x default group xyz-ISE local
aaa authorization config-commands
aaa authorization exec default group xyz local
aaa authorization commands 1 default group xyz local
aaa authorization commands 15 default group xyz local
aaa authorization network default group xyz-ISE local
aaa accounting dot1x default start-stop group xyz-ISE
aaa accounting exec default start-stop group xyz
aaa accounting commands 1 default start-stop group xyz
aaa accounting commands 15 default start-stop group xyz
aaa server radius dynamic-author
05-13-2018 07:36 PM
Can you change your config to the following lines and test again, please:
aaa authorization exec default group xyz local if-authenticated
aaa authorization commands 1 default group xyz local if-authenticated
aaa authorization commands 15 default group xyz local if-authenticated
Can you share your local user config please?
Try using the following before testing again:
username test privilege 15 secret 0 test
05-14-2018 01:20 PM
Dear Francesco
Thanks for the reply
Before applying it, I read the following; also, what is the replacement for this command on the ASA firewall?
if-authenticated: Allows the user to access the requested function if the user is authenticated. The if-authenticated method is a terminating method. Therefore, if it is listed as a method, any methods listed after it will never be evaluated. Using if-authenticated as the first method is equivalent to not having an authorization if authentication has succeeded.
05-14-2018 09:26 PM
05-15-2018 12:02 PM
username xyz secret password cisco
I can't provide debugs, as I couldn't schedule a downtime.
05-15-2018 06:29 PM
05-15-2018 09:18 PM
Dear Francesco
username xxxx privilege 15 secret xxxxx
This command will directly land the user in privilege 15.
thanks
05-16-2018 05:00 AM
05-16-2018 12:46 PM
Dear Francesco
The authentication will drop me into privileged mode, but when I execute a command it will prompt "authorization failed". Hence the if-authenticated command will work for the switches, but what about the ASA firewalls?
thanks
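For reference, the following is an added worked configuration (editor's example, not the poster's config or an official Cisco answer from this thread) covering both sides of the question: the IOS switch fallback with if-authenticated suggested earlier, and the ASA equivalent, which has no if-authenticated method and instead relies on the LOCAL keyword plus the local user's privilege level. The server group name xyz is reused from the poster's config; the TACACS+ server name, the 192.0.2.10 address, the interface name INSIDE, the username fallback-admin and the angle-bracketed secrets are placeholders.

```cisco
! ===== IOS / IOS-XE switch (added example) =====
aaa new-model
!
! Local fallback account, used only while every server in group xyz is unreachable.
! "privilege 15" matters: under the "local" authorization method a command is
! authorized only if the local user's level is at least the command's level.
username fallback-admin privilege 15 secret <strong-secret>
!
! Assumed TACACS+ server definition; a short timeout limits how long a login
! session hangs on a dead ISE node before the next method is tried.
tacacs server ISE-PSN-1
 address ipv4 192.0.2.10
 key <shared-secret>
 timeout 3
!
aaa group server tacacs+ xyz
 server name ISE-PSN-1
!
! Authentication: TACACS+ first, local only if the group gives no answer.
aaa authentication login default group xyz local
!
! Exec and command authorization in the same order. "if-authenticated" is a
! terminating method that passes any already-authenticated user, so it must
! stay LAST; placed first it would disable authorization entirely.
aaa authorization exec default group xyz local if-authenticated
aaa authorization commands 1 default group xyz local if-authenticated
aaa authorization commands 15 default group xyz local if-authenticated
aaa authorization config-commands
!
! ===== ASA (added example) =====
! The ASA has no if-authenticated method. The LOCAL keyword after the server
! group is the fallback, and the local user's privilege level decides which
! commands are authorized once the session has fallen back.
username fallback-admin password <strong-secret> privilege 15
!
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (INSIDE) host 192.0.2.10
 key <shared-secret>
 timeout 3
!
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL
! Privilege level comes from whichever source authenticated the session; when
! that source was LOCAL, it is the local username's level (15 here).
aaa authorization exec authentication-server
```

Two caveats worth checking before relying on this. First, on both platforms the next method is tried only when the server group returns no answer (all servers unreachable or timed out), not when a server answers with a reject; a reject is a final failure and no local fallback occurs. That is why the two situations asked about earlier differ: an ISE node that is down or off the network produces timeouts and the device falls back to local, whereas an ISE node that is up but cannot reach AD answers according to the identity-source "If process failed" setting in the ISE authentication policy, and only a Drop (no reply) leads to a fallback, while a Reject does not. Second, the local fallback account should be a dedicated break-glass account with a strong secret, since it bypasses the central policy whenever ISE is unreachable.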
05-16-2018 03:42 PM
05-19-2018 07:02 AM - edited 05-19-2018 07:04 AM
Dear Francesco
I have already shared the configs in the post above.
Thanks