User Active in AD group

lanagna
Level 1

Hi Team, I need clarity on the scenarios below.

Common input: User abcd got added to AD groups and has both Read-only and Write permission.

Scenario1: User abcd logged in to the switch and the session was established. While the user READ a file and performed some activity, the user was removed from the Read-only group; since the session is still active, the user is still able to perform Read access inside the active session.

Scenario2: User abcd logged in to the switch and the session was established. While the user READ a file and performed some activity, the user was removed from the Read-only group; since the session is still active, the user is still able to perform Read access inside the active session.

Understanding: Since the session is active in both scenarios, it is expected that the user can still Read; but the other thought is that when the user is removed from the AD groups, the session should auto-exit.

Please confirm the same. Thanks!


6 Replies

balaji.bandi
Hall of Fame

Good question - I have never come across this situation, to be honest - the user fired within 1 min of time. (That is a different use case.)

It depends on how you configured ISE - if you have Authorization cache timeout 0, then each authorization needs to validate against the ID source (as per my understanding).

In that case a user which is not valid gets an authorization error. (This is my understanding.)

Since ISE does not hold any cache of user information as of version 3.0. (3.2 or 3.3 may be different - but not that I am aware of.)

BB


Thanks for the input and views.

thomas
Cisco Employee

As @balaji.bandi said, authentication is separate from authorization. There is no protocol or update mechanism for AD to callback to ISE or the switch (which AD knows nothing about) to say "the user permissions have changed, please invalidate your cache".

lanagna
Level 1

Thanks @thomas for briefing the query with additional inputs. I had a typo in scenario2, which should actually be Read-write [changed below and marked with an additional query]. So is the above input applicable for Read-Write also, or will it differ when the user establishes the session and writes some config?

Scenario2: User abcd logged in to the switch and the session was established. While the user READ a file and performed some activity, the user was removed from the Read-Write group. Note: Once Read-write permission was removed for the active user, it is reflected immediately in the active session, i.e. if I'm the user I am not able to perform any write actions.

Scenario1: User abcd logged in to the switch and the session was established. While the user READ a file and performed some activity, the user was removed from the Read-only group; since the session is still active, the user is still able to perform Read access inside the active session.

See the Cisco ISE Device Administration Prescriptive Deployment Guide > Figure 7 TACACS Flow with AAA

Notice how a single authentication occurs followed by multiple authorizations. This is because ISE has already authenticated the user against the identity store for their group membership and privilege level so when additional command authorization requests come in there is no authentication - only authorization - against the TACACS+ Command Sets. ISE will not re-authenticate the user against the identity store for the remainder of that session on that network device.
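The following is an added model of the flow just described; it is not Cisco or ISE code and not part of the thread. It simulates one authentication that snapshots the user's group membership into the session, followed by per-command authorizations that consult only that snapshot, so a group removal in AD mid-session is not seen until the next login. A `revalidate` flag models the "Authorization cache timeout 0" behaviour balaji.bandi mentions, where each authorization re-queries the identity store. The identity store, group names, and command sets are constructed for illustration.

```python
"""
Simulation of TACACS+ device administration against an ISE-like AAA
server: one authentication, many command authorizations.
Hypothetical model for illustration only; not ISE's actual logic.
"""
from dataclasses import dataclass, field

# Constructed mapping of AD group -> TACACS+ command set
# (allowed command verbs). Group and command names are assumptions.
COMMAND_SETS = {
    "NetOps-ReadOnly": {"show"},
    "NetOps-ReadWrite": {"show", "configure", "interface", "ip"},
}


@dataclass
class Session:
    """A device-admin session. 'groups' is the membership snapshot
    taken at authentication time and never refreshed by the server."""
    user: str
    groups: frozenset
    authorizations: list = field(default_factory=list)


def authenticate(user, store):
    """Single authentication step: consult the identity store once and
    freeze the user's current group membership into the session.
    Credential verification is out of scope for this model."""
    if user not in store:
        return None
    return Session(user=user, groups=frozenset(store[user]))


def allowed_commands(groups):
    """Union of the command sets granted by the given groups."""
    allowed = set()
    for group in groups:
        allowed |= COMMAND_SETS.get(group, set())
    return allowed


def authorize_command(session, command, store, revalidate=False):
    """Per-command authorization. By default only the session snapshot
    is consulted (the Figure 7 flow). With revalidate=True the identity
    store is queried again, modelling an authorization cache timeout of 0."""
    if revalidate:
        groups = frozenset(store.get(session.user, set()))
    else:
        groups = session.groups
    verb = command.split()[0]
    ok = verb in allowed_commands(groups)
    session.authorizations.append((command, ok))
    return ok


def demo():
    """Walk through the thread's scenario: user removed from the
    Read-Write group while a session is active."""
    # Constructed identity store: user -> current AD groups
    store = {"abcd": {"NetOps-ReadOnly", "NetOps-ReadWrite"}}

    session = authenticate("abcd", store)
    r1 = authorize_command(session, "show running-config", store)

    # An administrator removes the user from the Read-Write group mid-session.
    store["abcd"].discard("NetOps-ReadWrite")

    # Snapshot-based authorization still allows config commands.
    r2 = authorize_command(session, "configure terminal", store)
    # Re-validating against the identity store denies them.
    r3 = authorize_command(session, "configure terminal", store, revalidate=True)

    # A fresh login (new authentication) picks up the change.
    session2 = authenticate("abcd", store)
    r4 = authorize_command(session2, "configure terminal", store)

    return r1, r2, r3, r4


if __name__ == "__main__":
    print(demo())  # (True, True, False, False)
```

The design point is that revocation in the identity store only takes effect at the next authentication unless the AAA server re-validates on every authorization; an operator who needs faster revocation has to rely on that re-validation setting or on short session lifetimes rather than on AD pushing anything to ISE or the switch.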

lanagna
Level 1

Thanks @thomas for the additional input.