08-08-2023 09:25 PM
I am doing an evaluation of the Cisco ISE device admin demo license. Users are able to authenticate properly and hit the proper authorization policy, but I can't enforce restrictions using command sets in the authorization policy.
My switch config:
aaa new-model
aaa group server tacacs+ eh_group
 server name EH
 ip tacacs source-interface Vlan1
aaa authentication login ehgroup group eh_group local
aaa authentication enable default group eh_group enable
aaa authorization config-commands
aaa authorization exec ehgroup group eh_group local if-authenticated
aaa authorization commands 0 ehgroup group eh_group local if-authenticated
aaa authorization commands 1 ehgroup group eh_group local if-authenticated
aaa authorization commands 7 ehgroup group eh_group local if-authenticated
aaa authorization commands 15 ehgroup group eh_group local if-authenticated
aaa accounting exec ehgroup start-stop group tacacs+ group eh_group
aaa accounting commands 0 ehgroup start-stop group eh_group
aaa accounting commands 1 ehgroup start-stop group eh_group
aaa accounting commands 15 ehgroup start-stop group eh_group
line vty 0 4
 exec-timeout 300 0
 authorization commands 0 ehgroup
 authorization commands 1 ehgroup
 authorization commands 15 ehgroup
 authorization exec ehgroup
 accounting commands 0 ehgroup
 accounting commands 15 ehgroup
 login authentication ehgroup
08-09-2023 04:36 AM
Your configuration looks fine to me. However, the report you are checking is about authentication. Please check the TACACS Authorization report, where you would see which shell profile and command set were assigned to a specific session. Based on that, it should be clear to you what is going on.
Kind regards,
Milos
08-09-2023 12:02 PM
Thank you for your response. I am unable to locate any authorization logs in the Cisco ISE portal, which is unusual. I don't understand why I can't see authorization logs even though I've verified that all the configurations are correct.
Could it be because I am using the Cisco ISE device admin demo license?
08-09-2023 12:48 PM
Hi @jovinco25,
No, I don't think it has anything to do with demo mode, as it is intended to provide every functionality, for a limited number of users and time.
Are you sure you are logging in under lines 0-4? Could it be that all of those are taken, and you are testing under 5-15?
Kind regards,
Milos
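The two checks this thread boils down to (does every `authorization commands` applied to a vty line reference a method list that is defined globally, and are there vty lines, such as 5-15, that the posted `line vty 0 4` block never covers) can be scripted against a running-config. The following is an added example, not code from the thread or from Cisco: a small Python parser for the AAA/vty portion of an IOS config plus a checker that reports gaps where a session would land on a line with no command authorization. The first sample is the config posted above; the second sample, the `line vty 5 15` block, and the assumption of 16 vtys (0-15, the usual IOS default) are constructed for illustration.

```python
"""Sanity-check IOS TACACS+ command-authorization coverage on vty lines.

Added example (not from the thread or Cisco). Parses the AAA method
lists and 'line vty' blocks of a running-config, then reports:
  - vty blocks that apply a method list which is not defined globally
  - vty blocks with no 'authorization commands' at all
  - vty numbers no 'line vty' block covers and that would fall back to
    the 'default' lists (a session landing there gets no command set)
"""
import re

DEFAULT_VTY_COUNT = 16  # assumption: vty 0-15 exist by default on IOS

# Line-mode commands that may follow 'line vty' without indentation
# (forum pastes often lose the leading space).
LINE_MODE_PREFIXES = ("authorization ", "accounting ", "login ",
                      "exec-timeout", "transport ", "privilege ")

# Constructed sample 1: the switch config posted in the thread.
THREAD_CONFIG = """\
aaa new-model
aaa group server tacacs+ eh_group
 server name EH
 ip tacacs source-interface Vlan1
aaa authentication login ehgroup group eh_group local
aaa authentication enable default group eh_group enable
aaa authorization config-commands
aaa authorization exec ehgroup group eh_group local if-authenticated
aaa authorization commands 0 ehgroup group eh_group local if-authenticated
aaa authorization commands 1 ehgroup group eh_group local if-authenticated
aaa authorization commands 7 ehgroup group eh_group local if-authenticated
aaa authorization commands 15 ehgroup group eh_group local if-authenticated
aaa accounting exec ehgroup start-stop group tacacs+ group eh_group
line vty 0 4
 exec-timeout 300 0
 authorization commands 0 ehgroup
 authorization commands 1 ehgroup
 authorization commands 15 ehgroup
 authorization exec ehgroup
 accounting commands 15 ehgroup
 login authentication ehgroup
"""

# Constructed sample 2: vty 5-15 configured for login only (no command authz).
VARIANT_CONFIG = THREAD_CONFIG + "line vty 5 15\n login authentication ehgroup\n"


def parse_ios_aaa(text):
    """Return {'lists': {(kind, level, name)}, 'config_commands': bool,
    'vty': {(lo, hi): {'commands': {level: list}, 'exec': list}}}."""
    cfg = {"lists": set(), "config_commands": False, "vty": {}}
    current = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("!"):
            continue
        in_block = current is not None and (
            raw[0].isspace() or stripped.startswith(LINE_MODE_PREFIXES))
        if in_block:
            m = re.match(r"authorization commands (\d+) (\S+)", stripped)
            if m:
                current["commands"][int(m.group(1))] = m.group(2)
            m = re.match(r"authorization exec (\S+)", stripped)
            if m:
                current["exec"] = m.group(1)
            continue  # other line-mode commands (accounting, timeouts) are ignored
        current = None  # any global command ends the previous line block
        m = re.match(r"line vty (\d+)(?:\s+(\d+))?$", stripped)
        if m:
            lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
            current = {"commands": {}, "exec": None}
            cfg["vty"][(lo, hi)] = current
        elif stripped == "aaa authorization config-commands":
            cfg["config_commands"] = True
        elif (m := re.match(r"aaa authorization commands (\d+) (\S+)\s", stripped)):
            cfg["lists"].add(("commands", int(m.group(1)), m.group(2)))
        elif (m := re.match(r"aaa authorization exec (\S+)\s", stripped)):
            cfg["lists"].add(("exec", 0, m.group(1)))
    return cfg


def _ranges(nums):
    """Render [5,6,7,9] as '5-7, 9'."""
    out, start, prev = [], nums[0], nums[0]
    for n in nums[1:]:
        if n != prev + 1:
            out.append((start, prev))
            start = n
        prev = n
    out.append((start, prev))
    return ", ".join(f"{a}-{b}" if a != b else str(a) for a, b in out)


def check_command_authz(cfg, vty_count=DEFAULT_VTY_COUNT):
    """Return a list of human-readable findings (empty means no gaps found)."""
    findings = []
    if not cfg["config_commands"]:
        findings.append("global: 'aaa authorization config-commands' missing; "
                        "configuration-mode commands are not authorized")
    covered = set()
    for (lo, hi), blk in sorted(cfg["vty"].items()):
        covered.update(range(lo, hi + 1))
        label = f"line vty {lo} {hi}"
        if not blk["commands"]:
            findings.append(f"{label}: no 'authorization commands' applied; "
                            "ISE command sets cannot be enforced here")
        for level, name in blk["commands"].items():
            if ("commands", level, name) not in cfg["lists"]:
                findings.append(f"{label}: method list '{name}' for commands "
                                f"{level} is not defined globally")
        if blk["exec"] and ("exec", 0, blk["exec"]) not in cfg["lists"]:
            findings.append(f"{label}: exec method list '{blk['exec']}' "
                            "is not defined globally")
    missing = [n for n in range(vty_count) if n not in covered]
    has_default = any(k == "commands" and name == "default"
                      for k, _, name in cfg["lists"])
    if missing and not has_default:
        findings.append(f"vty {_ranges(missing)}: no 'line vty' block and no "
                        "'aaa authorization commands <level> default' list; "
                        "sessions landing here get no command authorization")
    return findings


if __name__ == "__main__":
    for name, text in (("thread", THREAD_CONFIG), ("variant", VARIANT_CONFIG)):
        print(f"== {name} ==")
        for f in check_command_authz(parse_ios_aaa(text)) or ["no findings"]:
            print(" -", f)
```

Run it and the thread's own config produces exactly one finding: vty 5-15 are not covered by any `line vty` block, which is the scenario Milos raises. The variant, where vty 5-15 get a login method but no `authorization commands`, instead flags that block as unenforced; either way, a session on those lines would show up in the ISE authentication report but never trigger a TACACS authorization request.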