ISE 2.1 Device Admin Authentication Policy (Tacacs)

Martin Jelinek
Level 1

Hi all,

I'm working on a migration from ACS (TACACS) to ISE 2.1 (latest release with available patches). I'm taking the opportunity to do a lot of cleanup, so the ACS Migration utility is not an option I'm using. Configuration is being done from scratch.

What I struggle with is restricting access to network devices (switches, routers, firewalls, wireless bridges, access points, ...) to only certain users based on AD group membership.

I have no trouble with Authorization policies; everything works as expected there.

What I do struggle with is the fact that the AUTHENTICATION policy is really useless and not granular.

- With the current setup it looks (confirmed) like all users from all groups we have discovered from Active Directory can actually log in to network devices successfully, because the authentication policy cannot be restricted to a specific AD group. Of course, once such a user wants to do something, Authorization is in place and basically he cannot do anything.

How can I restrict authentication to prevent ALL users from authenticating successfully (Device Admin == TACACS part)??

Is this even possible?

I tried to configure an Authentication Compound Condition listing ALL AD groups with an "OR" statement to make sure only valid AD groups for TACACS can log in; however, testing shows that this is NOT being accepted and only the Default option is applied by the policy for a user. I used this compound condition in the Authentication policy.

Is it a bug/feature of ISE 2.1 that Authentication cannot be used in this way?

Or how are you guys using the authentication policy under the Device Admin (TACACS) part? Maybe there is a different way I have not considered; maybe I just need a kick to change my mind and do it differently.

So far it looks stupid that basically anyone can authenticate, because ISE is also used as a RADIUS server to authenticate users for wireless connections, and therefore the AD group with all users is discovered in ISE, so all of them can authenticate successfully. :-/

Am I missing anything?

Thanks for any hints!!!