10-28-2021 04:59 AM
Hello,
I've recently encountered an issue with command authorization on Cisco ISE.
We've got twenty Cisco access switches in our remote branch. There's a group of local admins who should be able to log on to the devices and execute a limited set of commands (all commands that start with "show" and some configuration commands). In order to meet that requirement, a rule has been created in the Authorization Policy under "Device Admin Policy Sets" on Cisco ISE. All users in the AD group should be able to log on to the devices and execute the commands specified in the command sets. It works fine for all devices with the exception of one. The AAA/TACACS configuration is the same on all devices. All devices are added to Cisco ISE. There's an issue on a WS-C2960X-48LPS-L, SW version: 15.2(3)E2. All local admins are able to execute EVERY command. Furthermore, I do not see the executed commands in the TACACS authorization logs (the Command Argument field is empty). The problem exists only on one device. Any ideas?
10-28-2021 05:04 AM
Maybe, if you get the chance, upgrade to a newer IOS version and test it.
Can you show us the config on the 2960 and the logs you see on ISE, so we can understand the issue?
I do see some comments as below (not sure if this affects you):
TACACS Server legacy command: Do not use the legacy tacacs-server command; this command is deprecated. If the software running on your device is Cisco IOS Release 15.2(7)E3 or later, using the legacy command can cause authentication failures. Use the tacacs server command.
10-29-2021 04:35 AM - edited 11-02-2021 03:56 AM
Hello,
I am also considering software upgrade.
Below you can see TACACS configuration:
aaa new-model
aaa group server tacacs+ xxx
aaa authentication login default local group xxx
aaa authentication enable default enable
aaa authorization config-commands
aaa authorization exec default local group xxx
aaa authorization commands 15 default local group xxx if-authenticated
aaa accounting update periodic 5
aaa accounting exec default start-stop group xxx
aaa accounting commands 0 default start-stop group xxx
aaa accounting commands 1 default start-stop group xxx
aaa accounting commands 15 default start-stop group xxx
aaa session-id common
I've only changed the group name.
The same configuration is on other devices.
I do not see anything in TACACS authentication logs.
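Since the thread turns on "the same configuration is on other devices" and on the deprecated `tacacs-server` form quoted above, the following is an added example (not code from the thread or from Cisco) of a small checker that normalizes the AAA/TACACS+ section of an IOS running-config, compares it against a known-good baseline, and flags the points a reviewer would look at: lines that differ from the baseline, the legacy `tacacs-server` command, and `aaa authorization commands` method lists where the TACACS+ server group is not the first method or that end in `if-authenticated`. The group names (`xxx`, `BRANCH-TAC`) and the server address are placeholders constructed for the sample; the sample configs are the thread's config with one line removed and one legacy line added.

```python
"""Compare the AAA / TACACS+ section of an IOS config against a baseline and
flag command-authorization settings worth a second look.

Added example, not from the thread.  Assumes IOS 15.x AAA syntax; group names
and addresses below are constructed placeholders.
"""
import re
from typing import List, Sequence

# Config line prefixes that make up the AAA / TACACS+ section (assumption).
AAA_PREFIXES = ("aaa ", "tacacs server ", "tacacs-server ", "ip tacacs ")


def aaa_section(config: str) -> List[str]:
    """Return the AAA / TACACS+ lines of a running-config, whitespace-collapsed."""
    out = []
    for raw in config.splitlines():
        line = " ".join(raw.split())
        if line.startswith(AAA_PREFIXES):
            out.append(line)
    return out


def normalize(line: str, group_names: Sequence[str]) -> str:
    """Replace site-specific server-group names with a token so that two
    devices that differ only in the group name compare as equal."""
    for name in group_names:
        line = re.sub(rf"\b{re.escape(name)}\b", "<GROUP>", line)
    return line


def parse_methods(method_str: str) -> List[str]:
    """Turn 'local group xxx if-authenticated' into
    ['local', 'group xxx', 'if-authenticated']: 'group <name>' is one method."""
    tokens = method_str.split()
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append(f"group {tokens[i + 1]}")
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def check_device(config: str, baseline: str, group_names: Sequence[str]) -> List[str]:
    """Return a list of human-readable findings for one device config."""
    findings = []
    device = {normalize(l, group_names) for l in aaa_section(config)}
    base = {normalize(l, group_names) for l in aaa_section(baseline)}
    for l in sorted(base - device):
        findings.append(f"missing vs baseline: {l}")
    for l in sorted(device - base):
        findings.append(f"extra vs baseline: {l}")
    for line in aaa_section(config):
        if line.startswith("tacacs-server "):
            findings.append(f"deprecated legacy form, use 'tacacs server': {line}")
        m = re.match(r"aaa authorization commands (\d+) (\S+) (.+)", line)
        if not m:
            continue
        level, methods = m.group(1), parse_methods(m.group(3))
        # IOS walks the method list in order and only falls through to the next
        # method when the previous one returns an error (not a deny), so the
        # TACACS+ group only decides every command when it is listed first.
        if not methods[0].startswith("group "):
            findings.append(
                f"level {level}: TACACS+ group is not the first method ({', '.join(methods)})")
        if methods[-1] == "if-authenticated":
            findings.append(
                f"level {level}: if-authenticated fallback permits commands when earlier methods error")
    return findings


# Constructed sample: the thread's config as the baseline, and a branch switch
# whose config uses a different group name, lacks config-command authorization,
# and still carries a legacy tacacs-server line (192.0.2.10 is a documentation address).
BASELINE = """\
aaa new-model
aaa group server tacacs+ xxx
aaa authentication login default local group xxx
aaa authentication enable default enable
aaa authorization config-commands
aaa authorization exec default local group xxx
aaa authorization commands 15 default local group xxx if-authenticated
aaa accounting update periodic 5
aaa accounting exec default start-stop group xxx
aaa accounting commands 0 default start-stop group xxx
aaa accounting commands 1 default start-stop group xxx
aaa accounting commands 15 default start-stop group xxx
aaa session-id common
"""
DEVICE = (BASELINE.replace("xxx", "BRANCH-TAC")
          .replace("aaa authorization config-commands\n", "")
          + "tacacs-server host 192.0.2.10 key 7 <redacted>\n")

if __name__ == "__main__":
    for finding in check_device(DEVICE, BASELINE, ["xxx", "BRANCH-TAC"]):
        print(finding)
```

Running it against the twenty branch switches (one `show running-config | section aaa|tacacs` per device as the `config` string) gives a per-device diff against the agreed baseline, which is the quickest way to confirm or rule out the "configuration is the same on every switch" assumption before moving on to a software upgrade.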