Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5322
Views
2
Helpful
4
Replies

TACACS + ISE 2.0 Deny Access

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎03-15-2016 03:46 PM

I'm looking for the "Deny Access" shell profile that we had with ACS on an ISE 2.0 deployment with Device Admin license active.

The use case is to authenticate the users with a device admin policy but not allow them to get even privilege level 0 access to the device command prompt. In ACS 5.x we use the "Deny access" shell profile as the default Authorization. I don't see an equivalent profile (or how to make one) in ISE. The "Create New Shell Profile" section doesn't provide a place to choose "Deny Access".

This guide: Configure ISE 2.0: IOS TACACS+ Authentication and Command Authorization based on AD group membership - Cisco seems to recommend using "DenyAllCommands". However that still allows the use to login and get a command prompt on the devices.

1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to hslai

‎03-25-2016 08:13 AM

Yes - thanks for the follow up. My customer had tried and confirmed the work around you suggested still presents an unauthorized user with a command prompt on the NAD, albeit with no ability to execute any command.

It was not a show stopper though - I am recommending they wait until ISE 2.1 for the proper fix vs. jiggering the external authentication (currently a simple AD join) to use a specific LDAP OU. That opens up other complexities such as needing to configure LDAPS to do it securely, getting proper certificates on the DC for that, etc.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
hslai
Cisco Employee
Cisco Employee

‎03-15-2016 04:11 PM

Yep, this is a known issue -- CSCuy46322 DefaultDeny access present in ACS is missing in ISE's T+

It will be addressed in the up-coming ISE release. For now, you should be able to create your own T+ shell profile with no attribute. Since it's your own, it's best to give it a name other than "Deny All Shell Profile", in order to avoid name collision later in the upgrade.

Screen Shot 2016-03-15 at 4.07.05 PM.png

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to hslai

‎03-15-2016 04:53 PM

Thanks for the quick and thorough reply!

That's an embarrassing one to have to explain to the customer. Still - having a work around is better than not having one.

Cheers.

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to Marvin Rhoads

‎03-25-2016 07:58 AM

It turns out my workaround is not effective as the deny-all shell profile needs to send deny access to NADs. Please use the workaround suggested included in the bug instead.

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to hslai

‎03-25-2016 08:13 AM

Yes - thanks for the follow up. My customer had tried and confirmed the work around you suggested still presents an unauthorized user with a command prompt on the NAD, albeit with no ability to execute any command.

It was not a show stopper though - I am recommending they wait until ISE 2.1 for the proper fix vs. jiggering the external authentication (currently a simple AD join) to use a specific LDAP OU. That opens up other complexities such as needing to configure LDAPS to do it securely, getting proper certificates on the DC for that, etc.

0 Helpful
Customers Also Viewed These Support Documents