2988 Views · 0 Helpful · 10 Replies

ISE Device Administration (ACS) enable passwords integrated with Active Directory

I'm working on an ISE standalone implementation and running into an issue where the enable password for a device isn't pulling properly. I have initial login tied back to AD and I have policy conditions/results/sets all working as they need to be. My test switch is a 2960S. I tried configuring "aaa authentication enable default group <ISE group> enable", but the only way I could do an enable login with that was if the user was locally configured in ISE Identity Management > Identities > Users. Is there something I have missed that will tie enable passwords to an Active Directory group like I have working for initial login?

Accepted Solution

I see just one error, in your aaa authentication enable default enable. You should specify the TACACS group.

I don't have access right now to my lab with ISE.

Here is my config for switches used with ACS.

aaa authentication login TACACS-SRV group tacacs+ local
aaa authentication login Console local
aaa authentication dot1x default group radius
aaa authorization exec TACACS-SRV group tacacs+ local
aaa authorization commands 15 TACACS-SRV group tacacs+ local
aaa authorization network default group radius
aaa accounting exec TACACS-SRV start-stop group tacacs+
aaa accounting commands 15 TACACS-SRV start-stop group tacacs+

If you give me all the outputs, maybe we can figure out why your ISE TACACS is not working with AD. I don't see any reason except a misconfiguration or another issue.

Just to get into enable mode, you no longer need the command aaa authentication enable default enable. Enable mode is pushed to the user if he gets privilege 15. Your issue should be in the profile or policy. With the authorization log, we can see whether ISE is pushing the policy or not, and why.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
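As an added example (not configuration from the thread, from the original poster or from Francesco), here is the poster's set of method lists with the fix from the accepted answer applied: the enable list names the TACACS+ group first and keeps the local enable secret only as a fallback. Server names, addresses, the shared key, the source interface and the local fallback credentials are placeholders, not values from the thread, and the switch image is assumed to support the "tacacs server" stanza (older images use "tacacs-server host <ip> key <key>" instead).

```cisco
! Added example, not from the thread: the poster's AAA method lists with the
! enable fix applied. Addresses, key, source interface and local credentials
! are placeholders (assumed).
aaa new-model
!
! The ISE policy service nodes as TACACS+ servers, in the group the method
! lists reference. The key must match the one set for this network device
! in ISE (Administration > Network Resources > Network Devices).
tacacs server ISE-PSN-1
 address ipv4 192.0.2.10
 key <shared-secret-from-ISE>
tacacs server ISE-PSN-2
 address ipv4 192.0.2.11
 key <shared-secret-from-ISE>
aaa group server tacacs+ ISE_ACS
 server name ISE-PSN-1
 server name ISE-PSN-2
ip tacacs source-interface Vlan10
!
! Login: ask ISE first. "local" is only consulted when every server in the
! group is unreachable; a rejection from ISE is final and does not fall through.
aaa authentication login ACS_Secure group ISE_ACS local
aaa authentication login default local
!
! Enable: the line the thread turned on. "aaa authentication enable default
! enable" never contacts ISE and only checks the local enable secret. Naming
! the group first sends a TACACS+ enable request for the logged-in username
! (requested privilege 15) to ISE; "enable" remains the dead-server fallback.
aaa authentication enable default group ISE_ACS enable
!
! Exec and command authorization. "if-authenticated" lets an already
! authenticated session through only if ISE cannot be reached.
aaa authorization config-commands
aaa authorization exec ACS_Secure group ISE_ACS local if-authenticated
aaa authorization commands 15 ACS_Secure group ISE_ACS local if-authenticated
!
! Session and privilege-15 command accounting to ISE over TACACS+.
aaa accounting exec default start-stop group ISE_ACS
aaa accounting commands 15 default start-stop group ISE_ACS
!
! Named lists do nothing until bound to the lines. The console keeps the
! local default list so an unreachable ISE cannot lock you out.
line vty 0 15
 login authentication ACS_Secure
 authorization exec ACS_Secure
 authorization commands 15 ACS_Secure
 transport input ssh
line con 0
 login authentication default
!
! Local fallback credentials for the day ISE is unreachable.
username admin privilege 15 secret <strong-local-password>
enable secret <strong-enable-secret>
```

The thread's "aaa accounting network default start-stop group ISE_ACS" line is left out here: network accounting covers PPP and 802.1X sessions and is normally sent to a RADIUS group, not a TACACS+ one. To verify from the switch, "test aaa group ISE_ACS <ad-user> <password> new-code" confirms the group is reachable and the AD credentials are accepted; then run "debug aaa authentication" and "debug tacacs" while typing "enable" in a vty session to watch the enable request leave the switch, and look for the same attempt in the ISE TACACS live log. On the ISE side the enable request is just another TACACS+ authentication, so the policy set's authentication rule has to send it to the AD identity source as well; for AD users the enable password is their AD password (ISE's separate enable-password field applies only to internal users), which is consistent with the poster's symptom that only an internal ISE user could get through.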

10 Replies

Francesco Molino (VIP Alumni)

Hi

Are you provisioning a privilege level in your authorization policy? Could you give an output, please?


Thanks
Francesco

Yes. I was following one of the example documents and giving default and max privilege levels. Let me know exactly what output you would like and I'll grab it for you.

The rules for device authentication, the authorization policy and the logs from ISE.

Eventually, the IOS config for AAA.


Thanks
Francesco

  • authentication policy
    • Default Rule only
  • authorization policy
    • Full Network Access
      • If AD group = Super Admin Group
        • then permit all commands and shell profile
    • Read-Only Access
      • If AD group = Read Only Group
        • then permit show commands and shell profile
    • Default
      • Deny all

For the commands and profile:

  • permit all commands
    • allows all CLI commands
  • permit show commands
    • allows only "show" CLI commands
  • shell profile
    • default priv = 15
    • max priv = 15

Current working aaa configs:

aaa new-model
aaa group server tacacs+ ISE_ACS
aaa authentication login default local
aaa authentication login ACS_Secure group ISE_ACS local
aaa authentication enable default enable
aaa authorization config-commands
aaa authorization exec ACS_Secure group ISE_ACS local if-authenticated
aaa authorization commands 15 ACS_Secure group ISE_ACS local if-authenticated
aaa accounting exec default start-stop group ISE_ACS
aaa accounting network default start-stop group ISE_ACS
aaa session-id common

The aaa authentication enable configuration is what I have been playing around with. When I set that to get the enable login from ISE, that is when it looks for a local user account within the ISE system.

Could you add logs from authenticated users?


Thanks
Francesco

Attached is a successful user authentication log.  Please let me know if this is not what you were looking for.

I don't see the authorization profile that ISE is pushing in your Word document.

Could you make another screenshot of logging please?

I'm not able to access my lab. As soon as I'm getting access, I will try to send out some screenshots of configuration. 


Thanks
Francesco


So I've been trying to recreate the issue I had initially, but when I went back and added in "aaa authentication enable default group <ACS_Group> enable" it is working now.  I haven't been able to determine what was done differently between this attempt and my previous that was unsuccessful, but I do appreciate all the help!

Cool. I'm happy that we solved your issue.

Have a good day


Thanks
Francesco