cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
163
Views
0
Helpful
2
Replies
Highlighted
Beginner

Best "Authorization" config if TACACS server is unreachable

Hi All,

 

I'm implementing Cisco ISE for Tacacs and I'm having some trouble with authorization config for vty and console lines. Below are the 2 options I've done and I need some advise.

 

OPTION1 - Goes straight into privileged mode. The downside is that a user with restricted privilege (<15) will have full level 15 permissions if tacacs becomes unreachable, because he is already in privileged mode.


SW-LAB#sh run | s aaa
aaa new-model
aaa group server tacacs+ ISE-SRV
server-private 10.X.X.X key 7 ***********
server-private 10.X.X.X key 7 ***********
ip tacacs source-interface Vlan10
aaa authentication login default group ISE-SRV local
aaa authorization console
aaa authorization commands 0 AUTHORIZE group ISE-SRV if-authenticated
aaa authorization commands 1 AUTHORIZE group ISE-SRV if-authenticated
aaa authorization commands 15 AUTHORIZE group ISE-SRV if-authenticated
aaa accounting commands 0 ACCOUNTING start-stop group ISE-SRV
aaa accounting commands 1 ACCOUNTING start-stop group ISE-SRV
aaa accounting commands 15 ACCOUNTING start-stop group ISE-SRV
aaa session-id common
SW-LAB#
SW-LAB#
SW-LAB#sh run | s line
line con 0
exec-timeout 5 0
privilege level 15
authorization commands 1 AUTHORIZE
authorization commands 15 AUTHORIZE
accounting commands 1 ACCOUNTING
accounting commands 15 ACCOUNTING
logging synchronous
line vty 0 4
privilege level 15
exec-timeout 5 0
authorization commands 1 AUTHORIZE
authorization commands 15 AUTHORIZE
accounting commands 1 ACCOUNTING
accounting commands 15 ACCOUNTING
SW-LAB#


OPTION2 - This solves the issue above because the users don't go straight into privileged mode and if tacacs becomes unreachable it will request a local enable password. Also It will not affect users with higher privileges as they were already in privileged mode.

 

SW-LAB#sh run | s aaa
aaa new-model
aaa group server tacacs+ ISE-SRV
server-private 10.X.X.X key 7 ***********
server-private 10.X.X.X key 7 ***********
ip tacacs source-interface Vlan10
aaa authentication login default group ISE-SRV local
aaa authentication enable default group ISE-SRV enable
aaa authorization console
aaa authorization commands 0 AUTHORIZE group ISE-SRV if-authenticated
aaa authorization commands 1 AUTHORIZE group ISE-SRV if-authenticated
aaa authorization commands 15 AUTHORIZE group ISE-SRV if-authenticated
aaa accounting commands 0 ACCOUNTING start-stop group ISE-SRV
aaa accounting commands 1 ACCOUNTING start-stop group ISE-SRV
aaa accounting commands 15 ACCOUNTING start-stop group ISE-SRV
aaa session-id common
SW-LAB#
SW-LAB#
SW-LAB#sh run | s line
line con 0
exec-timeout 5 0
authorization commands 1 AUTHORIZE
authorization commands 15 AUTHORIZE
accounting commands 1 ACCOUNTING
accounting commands 15 ACCOUNTING
logging synchronous
line vty 0 4
exec-timeout 5 0
authorization commands 1 AUTHORIZE
authorization commands 15 AUTHORIZE
accounting commands 1 ACCOUNTING
accounting commands 15 ACCOUNTING
SW-LAB#

 

Is there a better way ? Option 2 is a better solution, however, I'd like to know the best practice on how to restrict privileged mode access to restricted users group. I'm using Cisco ISE 2.1 and users are not local but from AD.

 

AFAIK there is no way to keep users restrictions if tacacs goes down during the session and once they are in privileged mode they will have full control of the device. This is what I'm trying to achieve.

 

Cheers.

Everyone's tags (2)
1 ACCEPTED SOLUTION

Accepted Solutions
Beginner

Re: Best "Authorization" config if TACACS server is unreachable

 

Adding: "aaa authorization exec default group ISE-SRV local"

and create different tacacs (shell) profiles in ISE might be the answer. Will test it as soon as possible.

 

Cheers

2 REPLIES 2
Beginner

Re: Best "Authorization" config if TACACS server is unreachable

 

Adding: "aaa authorization exec default group ISE-SRV local"

and create different tacacs (shell) profiles in ISE might be the answer. Will test it as soon as possible.

 

Cheers

Beginner

Re: Best "Authorization" config if TACACS server is unreachable

This solved my initial question.
CreatePlease to create content
Content for Community-Ad