03-05-2019 11:15 AM
I am running ISE 2.3 as a tacacs+ server. I have it working well with my Cisco devices. It is integrated with AD as an external identity source. I am using a default authentication policy that checks against AD. I also have a couple different authorization policies: one that grants shell access with full access, and one that grants shell access with only access to "show" commands. Those work great on all my Cisco devices.
My problem is that I have a bunch of Juniper firewalls. They are configured so that user "remote" has operator-level privilege, and the user "remote-su" has super-user privilege. When any user authenticates with ISE, they are brought in as "remote" and are only given "operator" privilege. I am looking for a way to come back to the Juniper with the user name "remote" or "remote-su". Something like this:
Case 1:
User jsmith logs in
hits ISE > he is a network admin
return "remote-su" username to Juniper
he is given super-user privilege
Case 2:
User ajones logs in
hits ISE > he is a helpdesk tech
return "remote" username to Juniper
he is given operator privilege
I've been doing lots of reading, and haven't come up with a way to accomplish this specific task. Does anyone know of a way to do this? If there is a better way to do it that doesn't involve passing the usernames remote/remote-su back to the Juniper, I'm all ears as well. It just seemed like one possible solution. I know I can go into each Juniper and specify permissions for jsmith and ajones, but that defeats the purpose of using ISE. I want everything to be configured in AD and ISE, as far as user accounts and permissions go.
Thanks in advance.
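For reference, here is an added example (not from this thread) of the Junos side of the setup the question describes: the two local template users, with a comment on what ISE has to send back for each case; the TACACS+ server address and shared secret are placeholders. It assumes the ISE shell profile for network admins carries the custom attribute local-user-name=remote-su, while the helpdesk profile returns either local-user-name=remote or nothing at all, in which case Junos falls back to the template user named "remote", which is exactly the behaviour observed in the question.

```junos
/* Added example, not the poster's configuration. Server IP and secret are placeholders. */
system {
    /* Try TACACS+ (ISE) first, fall back to local passwords only if ISE is unreachable. */
    authentication-order [ tacplus password ];
    tacplus-server {
        192.0.2.10 {
            secret "<shared-secret>";   /* placeholder, must match the ISE network device entry */
            timeout 5;
        }
    }
    login {
        /* Default template: Junos selects this user when the TACACS+ authorization
           reply carries no local-user-name attribute. Case 2 (ajones, helpdesk) lands here,
           and so does everyone today, which is why all users currently get "operator". */
        user remote {
            uid 2001;
            class operator;
        }
        /* Template selected when the ISE shell profile returns the custom attribute
           local-user-name=remote-su. Case 1 (jsmith, network admin) should land here. */
        user remote-su {
            uid 2002;
            class super-user;
        }
    }
}
```

After a login, "show system users" on the firewall shows the AD username while the effective class comes from whichever template ISE selected, so that is the quickest check that the attribute is being honoured.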
03-09-2019 04:56 AM
03-11-2019 07:10 AM
Thank you for your reply Damien! What you're describing is exactly what I'm trying to do. However, I'm not sure exactly how to pass the "local-user-name" back to Juniper. Any help on how to do that?