AAA issues for ISE tacacs server

xili5
Cisco Employee

Hi experts,

I worked on an ISE 2.2 TACACS+ configuration for a customer and have the two issues below.

1. I assign the "network-operator" role to users in a specific AD group via TACACS+ profiles. The user is assigned the "network-operator" role successfully when logging in to the Nexus device, but can still execute all commands. When I disconnected the TACACS+ server, the user was authenticated and authorized locally, and the network-operator user had read-only permission correctly. Below is the configuration.

aaa authentication login default group ise
aaa authentication login console group ise none
aaa authorization config-commands default group ise local
aaa authorization commands default group ise local
aaa accounting default group ise

2. "aaa authorization exec authentication-server auto-enable" is used in the ASA AAA configuration. A user connecting through an SSH session enters exec mode (#) directly when privilege 15 is assigned to that user, but the same user through a console session only enters user mode (>). Below is the configuration.

aaa authentication ssh console ise LOCAL
aaa authentication serial console ise LOCAL
aaa authentication enable console ise LOCAL
aaa authorization command ise LOCAL
aaa accounting command ise
aaa authorization exec authentication-server auto-enable


I am not sure if I missed something for those two issues.


br,

Martin


Accepted Solution

hslai
Cisco Employee

T+ command authorization is optional for both types of devices.

For NX-OS, if you want to use the user roles only, then remove the two lines "aaa authorization config-commands ..." and "aaa authorization commands ...". If you want ISE to perform T+ command authorization, then create the command sets and add them to the T+ authorization policy rules.

The same applies to the ASA CLI. If you want "local", then use "aaa authorization command LOCAL" (with ise in it).

As to your point #2, the "EXEC Authorization" (aka the auto-enable option) in ASA is for SSH/Telnet (TTY/VTY) access only. That is why console login does not go directly to EXEC.
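To make the two points in this answer checkable against a device's running config, here is a small audit script. It is an added example written for this thread, not code from Cisco, ISE or the original posters; the three sample configs are the AAA lines quoted in the question, re-typed as constructed strings, and the finding texts, function names and the `nxos`/`asa` platform labels are my own choices. It flags NX-OS command-authorization lines that hand the decision to a TACACS+ server group (where device user roles alone will not restrict commands unless ISE command sets exist), flags ASA command authorization that is not LOCAL-only, and reminds that `auto-enable` covers SSH/Telnet sessions only.

```python
"""Audit NX-OS / ASA AAA authorization lines for the two behaviours discussed
in this thread.  Constructed example: sample configs are the ones quoted in
the question, finding wording is the example author's, not Cisco's."""
import re

# Constructed sample: the NX-OS AAA lines from the original question.
NXOS_AAA = """\
aaa authentication login default group ise
aaa authentication login console group ise none
aaa authorization config-commands default group ise local
aaa authorization commands default group ise local
aaa accounting default group ise
"""

# Constructed sample: the same config with the two command-authorization
# lines removed, i.e. the "user roles only" option from the accepted answer.
NXOS_AAA_ROLES_ONLY = """\
aaa authentication login default group ise
aaa authentication login console group ise none
aaa accounting default group ise
"""

# Constructed sample: the ASA AAA lines from the original question.
ASA_AAA = """\
aaa authentication ssh console ise LOCAL
aaa authentication serial console ise LOCAL
aaa authentication enable console ise LOCAL
aaa authorization command ise LOCAL
aaa accounting command ise
aaa authorization exec authentication-server auto-enable
"""

# NX-OS: "aaa authorization {config-commands|commands} default group <grp> [local|none]"
NXOS_CMD_AUTHZ = re.compile(
    r"^aaa authorization (config-commands|commands) default group (\S+)(?: (local|none))?$")
# ASA: "aaa authorization command <server-tag|LOCAL> [LOCAL]"
ASA_CMD_AUTHZ = re.compile(r"^aaa authorization command (\S+)(?: LOCAL)?$")
ASA_AUTO_ENABLE = "aaa authorization exec authentication-server auto-enable"


def parse_lines(config_text):
    """Return the non-empty, whitespace-stripped config lines."""
    return [ln.strip() for ln in config_text.splitlines() if ln.strip()]


def audit_nxos(config_text):
    """One finding per NX-OS line that delegates command authorization to a
    TACACS+ server group: while the server answers, its command sets (not
    the device user role) decide which commands are permitted."""
    findings = []
    for line in parse_lines(config_text):
        m = NXOS_CMD_AUTHZ.match(line)
        if m:
            kind, group = m.group(1), m.group(2)
            findings.append(
                f"{kind}: command authorization delegated to TACACS+ group "
                f"'{group}'; device user-role restrictions are not enforced "
                "while the server answers, so either define command sets on "
                "ISE or remove this line to rely on user roles only")
    return findings


def audit_asa(config_text):
    """Findings for ASA: non-LOCAL command authorization, and the scope of
    the auto-enable option (SSH/Telnet only, never the serial console)."""
    lines = parse_lines(config_text)
    findings = []
    for line in lines:
        m = ASA_CMD_AUTHZ.match(line)
        if m and m.group(1).upper() != "LOCAL":
            findings.append(
                f"command authorization delegated to server group "
                f"'{m.group(1)}'; use 'aaa authorization command LOCAL' "
                "if local-only authorization is intended")
    if ASA_AUTO_ENABLE in lines:
        findings.append(
            "auto-enable applies to SSH/Telnet (TTY/VTY) sessions only; "
            "serial console logins still land in user mode (>) and need 'enable'")
    return findings


def audit(config_text, platform):
    """Dispatch on a platform label ('nxos' or 'asa'); labels are this example's own."""
    if platform == "nxos":
        return audit_nxos(config_text)
    if platform == "asa":
        return audit_asa(config_text)
    raise ValueError(f"unknown platform {platform!r}")


if __name__ == "__main__":
    for name, cfg, plat in (("NX-OS as posted", NXOS_AAA, "nxos"),
                            ("NX-OS roles only", NXOS_AAA_ROLES_ONLY, "nxos"),
                            ("ASA as posted", ASA_AAA, "asa")):
        print(f"== {name} ==")
        for finding in audit(cfg, plat) or ["no findings"]:
            print(" -", finding)
```

Run it as-is to see the findings for the three samples; to audit a real device, paste the output of `show running-config aaa` into one of the strings. The regexes deliberately match only the exact line shapes used in the thread, so an unrecognised AAA line produces no finding rather than a guess.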


4 Replies

Nidhi
Cisco Employee

You might want to follow this link - How To: ISE TACACS+ Configuration for ASA Network Devices.

Let me know if this helps.

Thanks,

Nidhi

xili5
Cisco Employee

Hi Nidhi,

Thank you for the document, but it does not resolve my two issues. Yesterday I tried again on a Nexus 3K and 1000v for my first issue, and on an ASA5585 and ASAv for my second issue; the result is the same.


xili5
Cisco Employee

Hi Lai,

Thank you for the clarification.
