Adding: "aaa authorization exec default group ISE-SRV local" and create different tacacs (shell) profiles in ISE might be the answer. Will test it as soon as possible. Cheers
... View more
Hi All, I'm implementing Cisco ISE for Tacacs and I'm having some trouble with authorization config for vty and console lines. Below are the 2 options I've done and I need some advise. OPTION1 - Goes straight into privileged mode. The downside is that a user with restricted privilege (<15) will have full level 15 permissions if tacacs becomes unreachable, because he is already in privileged mode. SW-LAB#sh run | s aaa aaa new-model aaa group server tacacs+ ISE-SRV server-private 10.X.X.X key 7 *********** server-private 10.X.X.X key 7 *********** ip tacacs source-interface Vlan10 aaa authentication login default group ISE-SRV local aaa authorization console aaa authorization commands 0 AUTHORIZE group ISE-SRV if-authenticated aaa authorization commands 1 AUTHORIZE group ISE-SRV if-authenticated aaa authorization commands 15 AUTHORIZE group ISE-SRV if-authenticated aaa accounting commands 0 ACCOUNTING start-stop group ISE-SRV aaa accounting commands 1 ACCOUNTING start-stop group ISE-SRV aaa accounting commands 15 ACCOUNTING start-stop group ISE-SRV aaa session-id common SW-LAB# SW-LAB# SW-LAB#sh run | s line line con 0 exec-timeout 5 0 privilege level 15 authorization commands 1 AUTHORIZE authorization commands 15 AUTHORIZE accounting commands 1 ACCOUNTING accounting commands 15 ACCOUNTING logging synchronous line vty 0 4 privilege level 15 exec-timeout 5 0 authorization commands 1 AUTHORIZE authorization commands 15 AUTHORIZE accounting commands 1 ACCOUNTING accounting commands 15 ACCOUNTING SW-LAB# OPTION2 - This solves the issue above because the users don't go straight into privileged mode and if tacacs becomes unreachable it will request a local enable password. Also It will not affect users with higher privileges as they were already in privileged mode. SW-LAB#sh run | s aaa aaa new-model aaa group server tacacs+ ISE-SRV server-private 10.X.X.X key 7 *********** server-private 10.X.X.X key 7 *********** ip tacacs source-interface Vlan10 aaa authentication login default group ISE-SRV local aaa authentication enable default group ISE-SRV enable aaa authorization console aaa authorization commands 0 AUTHORIZE group ISE-SRV if-authenticated aaa authorization commands 1 AUTHORIZE group ISE-SRV if-authenticated aaa authorization commands 15 AUTHORIZE group ISE-SRV if-authenticated aaa accounting commands 0 ACCOUNTING start-stop group ISE-SRV aaa accounting commands 1 ACCOUNTING start-stop group ISE-SRV aaa accounting commands 15 ACCOUNTING start-stop group ISE-SRV aaa session-id common SW-LAB# SW-LAB# SW-LAB#sh run | s line line con 0 exec-timeout 5 0 authorization commands 1 AUTHORIZE authorization commands 15 AUTHORIZE accounting commands 1 ACCOUNTING accounting commands 15 ACCOUNTING logging synchronous line vty 0 4 exec-timeout 5 0 authorization commands 1 AUTHORIZE authorization commands 15 AUTHORIZE accounting commands 1 ACCOUNTING accounting commands 15 ACCOUNTING SW-LAB# Is there a better way ? Option 2 is a better solution, however, I'd like to know the best practice on how to restrict privileged mode access to restricted users group. I'm using Cisco ISE 2.1 and users are not local but from AD. AFAIK there is no way to keep users restrictions if tacacs goes down during the session and once they are in privileged mode they will have full control of the device. This is what I'm trying to achieve. Cheers.
... View more
.jpg "Hall of Fame Cisco Employee"){kind=icon}
