Unable to enforce command sets using Cisco ISE device admin demo

I am doing an evaluation of the Cisco ISE device admin demo license. Users are able to authenticate properly and hit the proper authorization policy, but I can't enforce restrictions using command sets in the authorization policy.

My switch config:

! TACACS+ server group used by all method lists below
aaa new-model
aaa group server tacacs+ eh_group
server name EH
ip tacacs source-interface Vlan1
! Named method lists: login, enable, exec and per-privilege-level command authorization
aaa authentication login ehgroup group eh_group local
aaa authentication enable default group eh_group enable
aaa authorization config-commands
aaa authorization exec ehgroup group eh_group local if-authenticated
aaa authorization commands 0 ehgroup group eh_group local if-authenticated
aaa authorization commands 1 ehgroup group eh_group local if-authenticated
aaa authorization commands 7 ehgroup group eh_group local if-authenticated
aaa authorization commands 15 ehgroup group eh_group local if-authenticated
! Accounting method lists
aaa accounting exec ehgroup start-stop group tacacs+ group eh_group
aaa accounting commands 0 ehgroup start-stop group eh_group
aaa accounting commands 1 ehgroup start-stop group eh_group
aaa accounting commands 15 ehgroup start-stop group eh_group

! Named method lists only take effect on the lines they are applied to
line vty 0 4
exec-timeout 300 0
authorization commands 0 ehgroup
authorization commands 1 ehgroup
authorization commands 15 ehgroup
authorization exec ehgroup
accounting commands 0 ehgroup
accounting commands 15 ehgroup
login authentication ehgroup

3 Replies

Milos_Jovanovic
VIP Alumni

Hi @henry chrizostom,

Your configuration looks fine to me. However, the report you are checking is about authentication. Please check the TACACS Authorization report instead, where you will see which shell profile and command set were assigned to a specific session. Based on that, it should be clear to you what is going on.

Kind regards,

Milos

jovinco25
Level 1

Thank you for your response. I am unable to locate any authorization logs in the Cisco ISE portal, which is unusual. I don't understand why I can't see authorization logs even though I've verified that all the configurations are correct.

Could the reason be that I am using the Cisco ISE device admin demo license?

Hi @jovinco25,

No, I don't think it has anything to do with demo mode, as it is intended to provide every functionality, for a limited number of users and time.

Are you sure you are logging in under lines 0-4? Could it be that all of those are taken, and you are testing under 5-15?

Kind regards,

Milos
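Milos's suspicion about which vty line the session lands on can be checked from the config alone. In the posted config the named method lists are applied only under `line vty 0 4`; a session that lands on vty 5-15 has no named list and, since no `default` command-authorization list is defined globally, IOS performs no command authorization there at all. The script below is an added example (mine, not from the thread or from Cisco) that parses an IOS running config and reports, per vty line, where command authorization is not enforced. It assumes vty 0-15 exist on the platform (verify with `show line`) and that subcommands under `line vty` are indented by one space as in real `show running-config` output; the embedded config is the poster's, trimmed.

```python
import re

# Constructed sample: the poster's switch config, trimmed to the AAA and
# vty lines that matter for command authorization.
SAMPLE_CONFIG = """\
aaa new-model
aaa authorization config-commands
aaa authorization exec ehgroup group eh_group local if-authenticated
aaa authorization commands 0 ehgroup group eh_group local if-authenticated
aaa authorization commands 1 ehgroup group eh_group local if-authenticated
aaa authorization commands 7 ehgroup group eh_group local if-authenticated
aaa authorization commands 15 ehgroup group eh_group local if-authenticated
line vty 0 4
 exec-timeout 300 0
 authorization commands 0 ehgroup
 authorization commands 1 ehgroup
 authorization commands 15 ehgroup
 authorization exec ehgroup
 login authentication ehgroup
"""

# Assumption: vty 0-15 exist on the platform. Confirm with "show line".
VTY_RANGE = range(0, 16)


def parse_global_command_lists(config):
    """Map privilege level -> names of 'aaa authorization commands' lists."""
    lists = {}
    for m in re.finditer(r"^aaa authorization commands (\d+) (\S+)", config, re.M):
        lists.setdefault(int(m.group(1)), []).append(m.group(2))
    return lists


def parse_vty_blocks(config):
    """Return [(first, last, [subcommands])] for every 'line vty A B' stanza."""
    blocks, current = [], None
    for raw in config.splitlines():
        m = re.match(r"^line vty (\d+) (\d+)\s*$", raw)
        if m:
            current = (int(m.group(1)), int(m.group(2)), [])
            blocks.append(current)
        elif current is not None and raw.startswith(" "):
            current[2].append(raw.strip())
        else:
            current = None  # any other top-level command ends the stanza
    return blocks


def audit_vty_command_authz(config, vty_range=VTY_RANGE):
    """Return [(vty, finding)] for every vty where command authz is incomplete."""
    global_lists = parse_global_command_lists(config)
    # Levels that have a 'default' list: IOS uses it on lines with no named list.
    default_levels = {lvl for lvl, names in global_lists.items() if "default" in names}
    blocks = parse_vty_blocks(config)
    findings = []
    for vty in vty_range:
        block = next((b for b in blocks if b[0] <= vty <= b[1]), None)
        if block is None:
            if default_levels:
                findings.append((vty, "no 'line vty' stanza; only the default lists for levels %s apply"
                                 % sorted(default_levels)))
            else:
                findings.append((vty, "no 'line vty' stanza and no default list: "
                                      "command authorization is not enforced"))
            continue
        applied = {}
        for sub in block[2]:
            m = re.match(r"^authorization commands (\d+) (\S+)$", sub)
            if m:
                applied[int(m.group(1))] = m.group(2)
        for lvl, name in applied.items():
            if name not in global_lists.get(lvl, []):
                findings.append((vty, f"level {lvl} references undefined list '{name}'"))
        for lvl in global_lists:
            if lvl not in applied and lvl not in default_levels:
                findings.append((vty, f"level {lvl} has a global list but none applied on this line"))
    return findings


if __name__ == "__main__":
    for vty, finding in audit_vty_command_authz(SAMPLE_CONFIG):
        print(f"vty {vty}: {finding}")
```

For the posted config this reports vty 5 through 15 as having no command authorization at all, and vty 0-4 as having a level 7 list defined globally but never applied on the line. On the switch itself, `show users` shows which vty the test session is on, and `debug aaa authorization` together with `debug tacacs` show whether a command authorization request is sent to ISE at all; if no request leaves the switch, ISE has nothing to log in its TACACS Authorization report.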