Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1718
Views
0
Helpful
2
Replies

Best "Authorization" config if TACACS server is unreachable

Go to solution
nrlourenco
Level 1
Level 1

‎04-09-2019 11:13 PM - edited ‎04-09-2019 11:21 PM

Hi All,

 

I'm implementing Cisco ISE for Tacacs and I'm having some trouble with authorization config for vty and console lines. Below are the 2 options I've done and I need some advise.

 

OPTION1 - Goes straight into privileged mode. The downside is that a user with restricted privilege (<15) will have full level 15 permissions if tacacs becomes unreachable, because he is already in privileged mode.


SW-LAB#sh run | s aaa
aaa new-model
aaa group server tacacs+ ISE-SRV
server-private 10.X.X.X key 7 ***********
server-private 10.X.X.X key 7 ***********
ip tacacs source-interface Vlan10
aaa authentication login default group ISE-SRV local
aaa authorization console
aaa authorization commands 0 AUTHORIZE group ISE-SRV if-authenticated
aaa authorization commands 1 AUTHORIZE group ISE-SRV if-authenticated
aaa authorization commands 15 AUTHORIZE group ISE-SRV if-authenticated
aaa accounting commands 0 ACCOUNTING start-stop group ISE-SRV
aaa accounting commands 1 ACCOUNTING start-stop group ISE-SRV
aaa accounting commands 15 ACCOUNTING start-stop group ISE-SRV
aaa session-id common
SW-LAB#
SW-LAB#
SW-LAB#sh run | s line
line con 0
exec-timeout 5 0
privilege level 15
authorization commands 1 AUTHORIZE
authorization commands 15 AUTHORIZE
accounting commands 1 ACCOUNTING
accounting commands 15 ACCOUNTING
logging synchronous
line vty 0 4
privilege level 15
exec-timeout 5 0
authorization commands 1 AUTHORIZE
authorization commands 15 AUTHORIZE
accounting commands 1 ACCOUNTING
accounting commands 15 ACCOUNTING
SW-LAB#


OPTION2 - This solves the issue above because the users don't go straight into privileged mode and if tacacs becomes unreachable it will request a local enable password. Also It will not affect users with higher privileges as they were already in privileged mode.

 

SW-LAB#sh run | s aaa
aaa new-model
aaa group server tacacs+ ISE-SRV
server-private 10.X.X.X key 7 ***********
server-private 10.X.X.X key 7 ***********
ip tacacs source-interface Vlan10
aaa authentication login default group ISE-SRV local
aaa authentication enable default group ISE-SRV enable
aaa authorization console
aaa authorization commands 0 AUTHORIZE group ISE-SRV if-authenticated
aaa authorization commands 1 AUTHORIZE group ISE-SRV if-authenticated
aaa authorization commands 15 AUTHORIZE group ISE-SRV if-authenticated
aaa accounting commands 0 ACCOUNTING start-stop group ISE-SRV
aaa accounting commands 1 ACCOUNTING start-stop group ISE-SRV
aaa accounting commands 15 ACCOUNTING start-stop group ISE-SRV
aaa session-id common
SW-LAB#
SW-LAB#
SW-LAB#sh run | s line
line con 0
exec-timeout 5 0
authorization commands 1 AUTHORIZE
authorization commands 15 AUTHORIZE
accounting commands 1 ACCOUNTING
accounting commands 15 ACCOUNTING
logging synchronous
line vty 0 4
exec-timeout 5 0
authorization commands 1 AUTHORIZE
authorization commands 15 AUTHORIZE
accounting commands 1 ACCOUNTING
accounting commands 15 ACCOUNTING
SW-LAB#

 

Is there a better way ? Option 2 is a better solution, however, I'd like to know the best practice on how to restrict privileged mode access to restricted users group. I'm using Cisco ISE 2.1 and users are not local but from AD.

 

AFAIK there is no way to keep users restrictions if tacacs goes down during the session and once they are in privileged mode they will have full control of the device. This is what I'm trying to achieve.

 

Cheers.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
nrlourenco
Level 1
Level 1

‎04-10-2019 03:04 AM - edited ‎04-10-2019 03:05 AM

 

Adding: "aaa authorization exec default group ISE-SRV local"

and create different tacacs (shell) profiles in ISE might be the answer. Will test it as soon as possible.

 

Cheers

View solution in original post

0 Helpful
2 Replies 2

Go to solution
nrlourenco
Level 1
Level 1

‎04-10-2019 03:04 AM - edited ‎04-10-2019 03:05 AM

 

Adding: "aaa authorization exec default group ISE-SRV local"

and create different tacacs (shell) profiles in ISE might be the answer. Will test it as soon as possible.

 

Cheers

0 Helpful

Go to solution
nrlourenco
Level 1
Level 1
In response to nrlourenco

‎04-15-2019 12:15 AM

This solved my initial question.
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents