Solved: ISE Tacacs integration to AD, working for some users

Kasper Elsborg · ‎07-31-2022

Hi Community.

I have recent installed an ISE 3.1 in my lab. integrated Tacacs with my switches. I've got everything working with 3 users. Two admins "kasper" and "kasperadmin" and one "demouser". they are located in my AD

Configured lvl 15 and lvl 1 authorization for the admins and demouser.

So playing around with ISE, I've enabled

ISE gui- ad authentication, and it working for both admins.
Run the wizard for "Visability setup"

now only one admin is working. the two others get authenticated, but fails to authorize when loggin on the switches.

someone have an idea where to look?

Br. Kasper

Kasper Elsborg · ‎07-31-2022

seems like the problem was solved by removing this line

aaa authorization exec default local

rest of the aaa config looks like this

CoreSw#sh run | s aaa|line|tacacs
aaa new-model
aaa group server tacacs+ ISE
 server name ISE31
 server name ISE27
aaa authentication login default local
aaa authentication login ISE-T group ISE local
aaa authentication login console local
aaa authentication enable default group ISE enable
aaa authorization console
aaa authorization network default local
aaa authorization config-commands
aaa authorization exec ISE-T group ISE local if-authenticated 
aaa authorization commands 1 ISE-T group ISE local if-authenticated 
aaa authorization commands 15 ISE-T group ISE local if-authenticated 
aaa accounting exec default start-stop group ISE
aaa accounting commands 1 default start-stop group ISE
aaa accounting commands 15 default start-stop group ISE
aaa session-id common
 power inline never
tacacs server ISE27
 address ipv4 192.168.3.126
 key cisco123
tacacs server ISE31
 address ipv4 192.168.3.120
 key cisco123
line con 0
 login authentication console
line vty 0 4
authorization exec ISE-T
authorization commands 1 ISE-T 
authorization commands 15 ISE-T
 access-class 101 in
 login authentication ISE-T
 transport input ssh
line vty 5 15
authorization commands 1 ISE-T 
authorization commands 15 ISE-T
authorization exec ISE-T
 access-class 101 in
 login authentication ISE-T
 transport input ssh
CoreSw#

Br. Kasper

View solution in original post

Kasper Elsborg · ‎07-31-2022

I did some more investigation. I have two ISE's both standalone, so i change the sw config to point to the other ISE, and same problem.

There must be some config, that the wizard for "Visability setup" did on the switches, so I deleted all aaa configs, and started over again. I can now logon this sw with all 3 accounts from AD.

I haven't found out excatly which command was the problem.

Br. Kasper

Kasper Elsborg · ‎07-31-2022

seems like the problem was solved by removing this line

aaa authorization exec default local

rest of the aaa config looks like this

CoreSw#sh run | s aaa|line|tacacs
aaa new-model
aaa group server tacacs+ ISE
 server name ISE31
 server name ISE27
aaa authentication login default local
aaa authentication login ISE-T group ISE local
aaa authentication login console local
aaa authentication enable default group ISE enable
aaa authorization console
aaa authorization network default local
aaa authorization config-commands
aaa authorization exec ISE-T group ISE local if-authenticated 
aaa authorization commands 1 ISE-T group ISE local if-authenticated 
aaa authorization commands 15 ISE-T group ISE local if-authenticated 
aaa accounting exec default start-stop group ISE
aaa accounting commands 1 default start-stop group ISE
aaa accounting commands 15 default start-stop group ISE
aaa session-id common
 power inline never
tacacs server ISE27
 address ipv4 192.168.3.126
 key cisco123
tacacs server ISE31
 address ipv4 192.168.3.120
 key cisco123
line con 0
 login authentication console
line vty 0 4
authorization exec ISE-T
authorization commands 1 ISE-T 
authorization commands 15 ISE-T
 access-class 101 in
 login authentication ISE-T
 transport input ssh
line vty 5 15
authorization commands 1 ISE-T 
authorization commands 15 ISE-T
authorization exec ISE-T
 access-class 101 in
 login authentication ISE-T
 transport input ssh
CoreSw#

Br. Kasper

Kasper Elsborg · ‎07-31-2022

A side note, in case you were interested.

the account "Kasper" was also locally configured with lvl 15. that's why this user was able to authorize with the "aaa authorization exec default local" config, and not the others.