Cisco ISE - command authorization issue

lnw-team
Level 1

Hello,

I've recently encountered an issue with command authorization on Cisco ISE.

We've got twenty Cisco access switches in our remote branch. There's a group of local admins who should be able to log on to the devices and execute a limited set of commands (all commands that start with "show" and some configuration commands). In order to meet that requirement, a rule has been created in the Authorization Policy under "Device Admin Policy Sets" on Cisco ISE. All users in the AD group should be able to log on to the devices and execute the commands specified in the command sets. It works fine for all devices with the exception of one. The AAA/TACACS configuration is the same on all devices. All devices are added to Cisco ISE. The issue is on a WS-C2960X-48LPS-L, SW version 15.2(3)E2. All local admins are able to execute EVERY command. Furthermore, I do not see the executed commands in the TACACS authorization logs (the Command Argument field is empty). The problem exists only on one device. Any ideas?

2 Replies

balaji.bandi
Hall of Fame

Maybe, if you get a chance, upgrade to a newer IOS version and test it.

Can you show us the config on the 2960 and what logs you see on ISE, so we can understand the issue?

I do see some comments as below (not sure if this affects you?):

TACACS Server legacy command: Do not use the legacy tacacs-server command; this command is deprecated. If the software running on your device is Cisco IOS Release 15.2(7)E3 or later, using the legacy command can cause authentication failures. Use the tacacs server command.

BB


Hello,

I am also considering a software upgrade.

Below you can see the TACACS configuration:

aaa new-model
aaa group server tacacs+ xxx
aaa authentication login default local group xxx
aaa authentication enable default enable
aaa authorization config-commands
aaa authorization exec default local group xxx
aaa authorization commands 15 default local group xxx if-authenticated
aaa accounting update periodic 5
aaa accounting exec default start-stop group xxx
aaa accounting commands 0 default start-stop group xxx
aaa accounting commands 1 default start-stop group xxx
aaa accounting commands 15 default start-stop group xxx
aaa session-id common

I've only changed the group name.

The same configuration is on the other devices.

I do not see anything in the TACACS authentication logs.
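An added check, not part of the thread or of any Cisco tool, that parses the aaa stanza posted above and flags command/exec authorization method lists in which a method ahead of the TACACS+ server group can answer the request on its own (standard IOS AAA semantics: methods are tried in order, and only an error, not a permit or deny, moves on to the next method), as well as an if-authenticated fallback that permits when the server is unreachable. The server-group name xxx is the one posted; the sample config is constructed from the thread.

```python
"""Audit IOS 'aaa authorization' method lists for orderings that let a
device-local method decide before the TACACS+ server is consulted."""
import re

# Constructed sample: the relevant lines from the stanza posted in the thread.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server tacacs+ xxx
aaa authentication login default local group xxx
aaa authorization config-commands
aaa authorization exec default local group xxx
aaa authorization commands 15 default local group xxx if-authenticated
"""

# Matches 'aaa authorization exec <list> <methods>' and
# 'aaa authorization commands <level> <list> <methods>'.
AUTHZ_RE = re.compile(r"^aaa authorization (exec|commands \d+) (\S+) (.+)$")


def parse_methods(tokens):
    """'local group xxx if-authenticated' -> ['local', 'group:xxx', 'if-authenticated']."""
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group:" + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def audit(config):
    """Return a list of (authorization kind, list name, finding) tuples."""
    findings = []
    for line in config.splitlines():
        m = AUTHZ_RE.match(line.strip())
        if not m:
            continue
        kind, list_name = m.group(1), m.group(2)
        methods = parse_methods(m.group(3).split())
        server_idx = [i for i, x in enumerate(methods) if x.startswith("group:")]
        if not server_idx:
            findings.append((kind, list_name, "no TACACS+/RADIUS group: server never consulted"))
            continue
        # Any method listed before the server group that returns a decision
        # ends the list, so the server never sees that request.
        for earlier in methods[:server_idx[0]]:
            findings.append((kind, list_name, f"'{earlier}' precedes server group and can decide alone"))
        if "if-authenticated" in methods:
            findings.append((kind, list_name, "'if-authenticated' permits when server is unreachable"))
    return findings
```

Run it against each device's running-config; on a fleet where the stanza is identical, the check is most useful for confirming that the server group is actually first in line, since a device-local difference (such as a local account) can only change the outcome when a local method is allowed to answer before the server.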
