07-17-2019 02:12 AM
Hello,
I have created a command profile to limit my helpdesk users, but it didn't work:
I want to give him access to manipulate all interfaces of my Cisco switch and deny him access to the interface g1/2.
Here is the command I entered in the ISE TACACS Command Sets:
DENY_ALWAYS interface Gi1/2
Is that possible?
Thanks
07-17-2019 08:46 AM
I tried recreating your problem and encountered the same error.
I created a limited access user and confirmed they get assigned that authorization result. My command set says to deny all where command is interface and parameter is GigabitEthernet 0/2. I tried several variations of the parameter but they all continue to mistakenly allow the command.
I looked at this example for reference:
...using the bits in the table under "iosSecCmds Command set".
07-18-2019 01:57 AM
Hi Marvin,
Thank you for your reply.
On the switch I activated the debug of AAA authentication and authorization to see what happens, and I get this when I type, for example, shutdown and no shutdown:
6d23h: AAA/AUTHOR/TAC+: (1016080000): send AV service=shell
6d23h: AAA/AUTHOR/TAC+: (1016080000): send AV cmd=no
6d23h: AAA/AUTHOR/TAC+: (1016080000): send AV cmd-arg=shutdown
6d23h: AAA/AUTHOR/TAC+: (1016080000): send AV cmd-arg=<cr>
6d23h: TAC+: (1016080000): received author response status = PASS_ADD
But when I type the command interface GigabitEthernet 1/2, there is no authentication or authorization debug line.
Is that ordinary behavior or not?
Thanks.
07-18-2019 05:49 AM
I saw similar results but I don't fully understand why.
Then I found a tip in a very old thread. https://ieoc.com/discussion/4666/aaa-authorization-commands
It tells us we need to add the line "aaa authorization config-commands". I did that and voila!
ccielab-3560cx(config)#aaa authorization config-commands
ccielab-3560cx(config)#end
ccielab-3560cx#wr mem
Building configuration...
[OK]
ccielab-3560cx#exit
Connection closing...Socket close.
Connection closed by foreign host.
Disconnected from remote host(172.31.1.4:22) at 20:42:57.
Type `help' to learn how to use Xshell prompt.
[C:\~]$ ssh marvin-ltd@172.31.1.4
Connecting to 172.31.1.4:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
ccielab-3560cx#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
ccielab-3560cx(config)#int gi0/2
Command authorization failed.
ccielab-3560cx(config)#int gi0/3
ccielab-3560cx(config-if)#
My command set that is allowed in the Authorization rule looks like this:
Here is my Authorization policy:
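For reference, here is an added example of the IOS AAA lines that belong together with the fix above. It is not Marvin's or the original poster's configuration; the TACACS+ server name, address, shared key and server-group name are placeholders chosen here, and the ISE command set itself is configured on the ISE side, not on the switch.

```cisco
! Added example, not configuration from the thread. Server name, address,
! key and group name are placeholders.
aaa new-model
!
tacacs server ISE-TACACS-PLACEHOLDER
 address ipv4 192.0.2.10
 key 0 PLACEHOLDER-SHARED-SECRET
!
aaa group server tacacs+ ISE-GROUP
 server name ISE-TACACS-PLACEHOLDER
!
aaa authentication login default group ISE-GROUP local
aaa authorization exec default group ISE-GROUP local
! Ask the TACACS+ server about every command entered at privilege 1 and 15 ...
aaa authorization commands 1 default group ISE-GROUP local
aaa authorization commands 15 default group ISE-GROUP local
! ... and also about configuration-mode commands. This is the line the thread
! found missing: without it, "interface Gi1/2" produced no authorization
! request at all, so the ISE command set was never consulted for it.
aaa authorization config-commands
! Command accounting gives you a server-side record of what each helpdesk
! user actually typed, which is the log to review when a deny does not fire.
aaa accounting commands 15 default start-stop group ISE-GROUP
```

The quick check is the one the poster used: with `debug aaa authorization` on, a configuration-mode command that produces no `send AV cmd=...` lines is not being authorized by the server at all, whatever the command set says.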
07-21-2019 06:58 AM
Hi Marvin,
I thank you very much, that was very helpful; it was that command that was missing from my configuration, and now it works fine.
Just for the rule on ISE: for me I did Deny Always interface Gigabitethernet 1/2, not Gigabitethernet 1 2 like you did?!
Thank you again.
07-21-2019 07:14 AM
OK - you're welcome. It was a fun one to troubleshoot.
I used the "0 2" syntax in my case since when I was troubleshooting using packet capture I saw the authorization request come through following that convention. I think perhaps the system parses out the "/" character so you can enter it with or without that and get the same result.
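To make the diagnostic in this thread concrete, here is an added Python example (not code from the thread, from Cisco or from ISE). It parses `debug aaa authorization` lines of the shape quoted earlier, lists the typed commands that never produced a TACACS+ request (the symptom before `aaa authorization config-commands` was added), and evaluates a command against a small ISE-style command set. The debug samples are constructed from the thread's lines with made-up session ids; the normalisation that makes "GigabitEthernet1/2" and "GigabitEthernet 1 2" compare equal is this example's own assumption modelled on Marvin's guess about the "/" character, not a documented ISE rule, and the Deny Always / first-match logic is a simplified model of how ISE command sets are evaluated.

```python
"""Added example (not from the thread, Cisco or ISE): parse IOS TACACS+
authorization debug lines, find commands the switch never asked about, and
evaluate a command against a simplified ISE-style command set."""
import re

# Constructed debug output modelled on the lines quoted in the thread.
# Session ids and uptime prefixes are made up. BEFORE the fix only
# 'no shutdown' produced a request, as the original poster described.
DEBUG_BEFORE = """\
6d23h: AAA/AUTHOR/TAC+: (1016080000): send AV service=shell
6d23h: AAA/AUTHOR/TAC+: (1016080000): send AV cmd=no
6d23h: AAA/AUTHOR/TAC+: (1016080000): send AV cmd-arg=shutdown
6d23h: AAA/AUTHOR/TAC+: (1016080000): send AV cmd-arg=<cr>
6d23h: TAC+: (1016080000): received author response status = PASS_ADD
"""

# AFTER 'aaa authorization config-commands' is enabled the switch also asks
# about 'interface ...' and the server answers FAIL for the denied port.
DEBUG_AFTER = DEBUG_BEFORE + """\
6d23h: AAA/AUTHOR/TAC+: (1016080001): send AV service=shell
6d23h: AAA/AUTHOR/TAC+: (1016080001): send AV cmd=interface
6d23h: AAA/AUTHOR/TAC+: (1016080001): send AV cmd-arg=GigabitEthernet1/2
6d23h: AAA/AUTHOR/TAC+: (1016080001): send AV cmd-arg=<cr>
6d23h: TAC+: (1016080001): received author response status = FAIL
"""

AV_RE = re.compile(r"\((\d+)\): send AV ([^=]+)=(.*)$")
STATUS_RE = re.compile(r"\((\d+)\): received author response status = (\S+)")


def parse_debug(text):
    """Group the AV pairs and the server's answer of each session by its id."""
    sessions = {}
    for line in text.splitlines():
        m = AV_RE.search(line)
        if m:
            sid, attr, value = m.groups()
            s = sessions.setdefault(sid, {"cmd": None, "args": [], "status": None})
            if attr == "cmd":
                s["cmd"] = value
            elif attr == "cmd-arg" and value != "<cr>":
                s["args"].append(value)
            continue
        m = STATUS_RE.search(line)
        if m:
            sid, status = m.groups()
            s = sessions.setdefault(sid, {"cmd": None, "args": [], "status": None})
            s["status"] = status
    return sessions


def normalize(text):
    """Canonical form for comparing command text: lower-case, '/' treated as a
    separator, a space forced between a name and its number. This is the
    example's own assumption (modelled on Marvin's observation that the
    request arrived as 'GigabitEthernet 0 2'), not a documented ISE rule."""
    text = text.lower().replace("/", " ")
    text = re.sub(r"(?<=[a-z])(?=\d)", " ", text)
    return " ".join(text.split())


def unrequested(debug_text, typed_commands):
    """Typed commands for which the switch never sent an authorization request.
    Configuration commands showing up here is the symptom of
    'aaa authorization config-commands' being absent."""
    seen = {normalize(" ".join([s["cmd"], *s["args"]]))
            for s in parse_debug(debug_text).values() if s["cmd"]}
    return [c for c in typed_commands if normalize(c) not in seen]


# Simplified ISE-style command set: (grant, command, argument regex written
# against the normalized form). An empty pattern matches any arguments.
COMMAND_SET = [
    ("DENY_ALWAYS", "interface", r"gigabitethernet 1 2"),
    ("PERMIT", "interface", ""),
]


def evaluate(command_set, cmd, args, permit_unlisted=True):
    """DENY_ALWAYS wins over every other match; otherwise the first matching
    rule in order decides; an unmatched command falls back to permit_unlisted."""
    arg_text = normalize(" ".join(args))
    matches = [grant for grant, command, pattern in command_set
               if command.lower() == cmd.lower()
               and (not pattern or re.fullmatch(pattern, arg_text))]
    if "DENY_ALWAYS" in matches:
        return "DENY"
    if matches:
        return "PERMIT" if matches[0] == "PERMIT" else "DENY"
    return "PERMIT" if permit_unlisted else "DENY"


if __name__ == "__main__":
    typed = ["no shutdown", "interface GigabitEthernet1/2"]
    print("never sent before fix:", unrequested(DEBUG_BEFORE, typed))
    print("never sent after fix: ", unrequested(DEBUG_AFTER, typed))
    for cmd, args in [("interface", ["GigabitEthernet1/2"]),
                      ("interface", ["GigabitEthernet", "1", "2"]),
                      ("interface", ["GigabitEthernet1/3"])]:
        print(cmd, " ".join(args), "->", evaluate(COMMAND_SET, cmd, args))
```

The point the two functions make together is the one this thread turned on: a deny rule on the server can only fire for commands the switch actually sends, so the first thing to check is whether a request is generated at all, and only then whether the argument text the switch sends matches the form the rule was written in.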