AD Groups in ISE 2.1.0.474 PL1 TACACS+ Policy Sets?

Toivo Voll
Level 1

We're trying to use AD group membership as part of authentication rules for the TACACS+ policy sets. However, while we can write such a rule (<our AD>:ExternalGroups EQUALS <AD group>), it immediately replaces the AD group name with the SID, and the rule just doesn't work.

We can cue off username, device type, location etc. but not the AD group membership. This works fine in the authorization section of the same policy set.

Interestingly, we also don't seem to be able to refer to internal account identity group memberships in the authentication rules for TACACS+.

Is this supposed to work and I'm just missing something obvious? Are there any documented limitations that I missed?

8 Replies

Gagandeep Singh
Cisco Employee

The authentication rule doesn't have an AD group option to use. However, you can use the identity store for internal or AD.

It works like this only. Still, if you have any concerns, please let me know.

Regards

Gagan

PS: rate if it helps!!!

That's not entirely how our install behaves. When you build an authentication rule, and you just browse the available options, AD isn't there. But if instead you type in "External" in the search box, the options appear and are selectable and even correctly offer the values in the rule creation -- but the rule won't work right.


And as mentioned, internal group memberships don't appear work either. I'm failing to understand how you can write a real policy without some kind of group membership option.

Aundre Dudley
Level 1

Can you post a screen shot of your Authentication and Authorization rules?

Here's a pared down example of an auth rule that doesn't work.

The authorization rule is actually a compound condition that basically has the same rule as the authentication policy. I can go and write it out.

It doesn't matter whether you put the rule in a compound condition and use that for authentication or authorization, or write the rule in the policy set. Auth never works, authz always works.

(Initially we wrote the rules as compound conditions to make it cleaner.)

Toivo Voll
Level 1

Update from our related TAC case: ISE cannot use any parameters such as group memberships, internal or external, during the authentication phase. You can only use group memberships during authorization.

This is of course really bad, since it means we can't prevent a valid AD or internal credential needed for RADIUS from also logging into a switch based on group membership, so we'll be pursuing an enhancement request with our account team. We don't want to have to list individual IDs to control access in authentication policy.

Hey Toivo,

You actually only want to specify AD groups in your authorization policy and not your authentication policy. The authentication policy is really only used to specify the authentication protocols you want to allow and the user database you want to use. For device admin, these settings are not as important as it would be in a NAC deployment and I typically only use the default rule. I would delete the AD Group authentication rule that you created and use the default rule. Of course, change the user database from denyaccess to the identity sequence that you configured. From there, make sure that you have both your AD and internal user database selected in your TACACS+ identity sequence and your configuration should work.

Yes you are correct in this. You can restrict them from doing anything after they login, but they will be able to initially login with their credentials.

I appreciate the reply.

Yeah, and that's not really OK with either me or our InfoSec group. The only workaround I've found is to craft an auth rule that individually lists allowed usernames, but that's neither scalable, nor sufficiently automatic for things like personnel changes (hires, fires) in AD. I thought I was missing something obvious, but apparently ISE just doesn't have the capability currently.
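The two-phase behaviour described in this thread (authentication only picks protocols and an identity store, authorization is where group conditions live, and a username list is the only authentication-time workaround) can be modelled in a few lines. The following is an added illustration, not ISE code and not from anyone in this thread: the identity stores, user names, passwords, group names, shell profile names and the `AUTHN_ATTRS` set are all constructed for the example, and the model simply mirrors what the posts above report rather than ISE's real evaluation engine.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed identity stores (not real directory data): username -> (password, groups)
AD_STORE: Dict[str, Tuple[str, Set[str]]] = {
    "alice": ("alice-pw", {"NetAdmins"}),
    "bob": ("bob-pw", {"Helpdesk"}),
}
INTERNAL_STORE: Dict[str, Tuple[str, Set[str]]] = {
    "svc-backup": ("backup-pw", {"BackupOperators"}),
}
# Identity sequence: stores are tried in this order during authentication.
IDENTITY_SEQUENCE = [AD_STORE, INTERNAL_STORE]

# Attributes the thread reports as usable in TACACS+ authentication rules
# (username, device type, location); group membership is deliberately absent.
AUTHN_ATTRS = {"username", "device_type", "location"}

# Authorization rules: (group that must match, shell profile); first match wins.
# No rule for Helpdesk or BackupOperators, so those fall through to DenyAccess.
AUTHZ_RULES: List[Tuple[str, str]] = [
    ("NetAdmins", "Shell-Priv15"),
]


@dataclass
class Decision:
    authenticated: bool = False
    shell_profile: Optional[str] = None  # None means authorization denied
    trace: List[str] = field(default_factory=list)


def is_valid_authn_condition(conditions: Dict[str, object]) -> bool:
    """True only if every attribute in the condition is one the
    authentication phase can evaluate (the thread's ExternalGroups
    condition would be rejected here)."""
    return set(conditions) <= AUTHN_ATTRS


def authenticate(username: str, password: str, trace: List[str]):
    """Authentication phase: walk the identity sequence and validate the
    credential. Returns the store that accepted the user, or None."""
    for store in IDENTITY_SEQUENCE:
        if username in store and store[username][0] == password:
            trace.append(f"authn: {username} passed")
            return store
    trace.append(f"authn: {username} failed")
    return None


def authorize(username: str, store, trace: List[str]) -> Optional[str]:
    """Authorization phase: match the user's groups against the rules."""
    groups = store[username][1]
    for group, profile in AUTHZ_RULES:
        if group in groups:
            trace.append(f"authz: {username} matched {group} -> {profile}")
            return profile
    trace.append(f"authz: {username} no match -> DenyAccess")
    return None


def evaluate(username: str, password: str) -> Decision:
    """Run both phases for one login attempt and return the outcome."""
    decision = Decision()
    store = authenticate(username, password, decision.trace)
    if store is None:
        return decision
    decision.authenticated = True
    decision.shell_profile = authorize(username, store, decision.trace)
    return decision


if __name__ == "__main__":
    for user, pw in [("alice", "alice-pw"), ("bob", "bob-pw"), ("bob", "wrong")]:
        print(user, evaluate(user, pw))
```

Running it shows the point the thread makes: bob's valid credential passes authentication and is only stopped at authorization, whereas a bad password never reaches authorization. The username-list workaround corresponds to `is_valid_authn_condition({"username": [...]})`, which passes, while `{"ExternalGroups": ...}` does not.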
