tacacs policy enforcement failing with ise 2.3

Lawrence Magama
Level 1

Failing to implement proper privileges for ISE TACACS policy sets for network device logins. Usernames log in successfully but with no administered privileges.


I used the links below as a configuration guide:

https://communities.cisco.com/servlet/JiveServlet/previewBody/68194-102-1-125121/How-To_TACACS_for_IOS.pdf

How To: ISE TACACS+ Configuration for IOS Network Devices

https://supportforums.cisco.com/t5/aaa-identity-and-nac/ise-2-3-ad-groups-not-shown-in-policy-sets/td-p/3220468


The error received when logging in with a user from AD: %Authorization failed.

And these are the TACACS configs on the router:

aaa new-model
!
!
aaa group server tacacs+ test
 server 10.170.8.61
!
aaa authentication login default group tacacs+ local none
aaa authentication login TELNET_ACCESS local
aaa authentication login CON none
aaa authentication login vty group test local
aaa authentication enable default group FBCBKDCISE01 enable none
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization exec CON none
aaa authorization exec VTY group test local if-authenticated
aaa authorization exec ISE group FBCBKDCISE01 local none
aaa authorization commands 0 default group tacacs+ local none
aaa authorization commands 1 default group tacacs+ local none
aaa authorization commands 1 VTY group test local if-authenticated
aaa authorization commands 7 default group tacacs+ local none
aaa authorization commands 15 default group tacacs+ local none
aaa authorization commands 15 VTY group test local if-authenticated
aaa authorization network default group tacacs+ if-authenticated
aaa accounting exec default
 action-type start-stop
 group tacacs+
!
aaa accounting commands 0 default
 action-type start-stop
 group tacacs+
!
aaa accounting commands 1 default
 action-type start-stop
 group tacacs+
!
aaa accounting commands 7 default
 action-type start-stop
 group tacacs+
!
aaa accounting commands 15 default
 action-type start-stop
 group tacacs+
!
aaa accounting network default
 action-type start-stop
 group tacacs+
!
line vty 0 4
 exec-timeout 5 0
 privilege level 15
 password 7 0227005602085E731F
 authorization commands 1 VTY
 authorization commands 15 VTY
 authorization exec ISE
 logging synchronous
 transport preferred ssh
 transport input telnet ssh
line vty 5 15
 password 7 0227005602085E731F
 authorization commands 1 VTY
 authorization commands 15 VTY
 authorization exec ISE
 logging synchronous
 transport preferred ssh
 transport input telnet ssh
!


Accepted Solution

Lawrence Magama
Level 1

[Attachment: Capture-snip.PNG]

Thank you all for your responses, I managed to get it working. My configuration was missing two important parts.

1. On the ISE side, I was failing to associate the group from my AD with a particular rule set. The fix was: when you create conditions, use the Attribute drop-down and choose the required attribute, which is the AD group.

2. On the device side, there was a missing TACACS+ key.

These fixed my problem; the GUI interface of 2.3 has changed drastically, hence the slight confusion.

Thank you


7 Replies

ognyan.totev
Level 5

Give us some screenshots from the ISE side of what policy sets you configured, and profiles too.

Below is a screenshot of the two policy sets I created. They are attributed to an external AD.

[Attachment: Capture.PNG-snip1.PNG]

And the screenshot of the single profile I created, with default privilege 15.

[Attachment: Capture.PNG-snip2.PNG]

ognyan.totev
Level 5

What is the authentication rule for these profiles? If they don't hit the authentication rule they won't go to authorization. I will show you mine.

Every time mine is hit. There could be many options (only switches, only routers, etc.), but in my case I am the network admin and I want to hit protocol TACACS no matter what the device is.

Thank you for getting back to me so quickly.

My earlier screenshot was not complete; here is a more detailed one:

[Attachment: Capture.PNG-snip3.PNG]

My users from my AD are able to log in to the router but cannot execute any command, even though there is a command set that should allow them to.

Yes, that's why I showed you how to create one to match protocol like TACACS+, and as I saw there is not even one hit in your device admin policy sets.

hslai
Cisco Employee

Please take a look at the T+ live logs in your ISE deployment and check which authorization policy rules are matched.

aaa authentication login vty group test local

If the above is exactly what's on your router, I would suggest changing "vty" to "VTY".

aaa authentication enable default group FBCBKDCISE01 enable none

...

aaa authorization exec ISE group FBCBKDCISE01 local none

It looks odd that enable authentication and exec authorization are using a different group from "test".
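The accepted solution found that the device had no TACACS+ key, and hslai's reply points at two more things visible in the posted config: the login list is defined as "vty" while the line references lists named "VTY", and the enable and exec lists reference a group "FBCBKDCISE01" that is not defined in the posted snippet. A further detail worth noting from the post: neither "line vty" block carries a "login authentication" statement, so the lowercase "vty" login list was never applied and the "default" login list, which ends in "none", was in effect. The block below is an added example of what the device side could look like with those points addressed; it is not configuration from the original post or from Cisco. The server address 10.170.8.61 and the group name "test" come from the post; the server name ISE-PSN01, the key placeholder, the Loopback0 source interface and the username used in the test command are assumptions. The "none" fallback is dropped from the lists used on the VTY lines: with "none" at the end, an unreachable ISE plus a missing local account still yields a shell, which is the opposite of what a device-admin policy is meant to enforce.

```ios
! Added example, not from the post. Assumed: server name ISE-PSN01, the key,
! Loopback0 as the source interface, and the test username.
aaa new-model
!
! Define the ISE PSN once, with its shared secret. The posted config had no key,
! which is the device-side omission the accepted solution identified.
tacacs server ISE-PSN01
 address ipv4 10.170.8.61
 key <SHARED-SECRET>
 timeout 5
!
! Source all TACACS+ traffic from one address; the network device entry on ISE
! must list this address, or the request is dropped before any policy set is hit.
ip tacacs source-interface Loopback0
!
! One server group, referenced by every method list below (no second,
! undefined group such as FBCBKDCISE01).
aaa group server tacacs+ test
 server name ISE-PSN01
!
! Method lists: same case everywhere ("VTY"), no "none" fallback on lines
! reachable over the network. "local" remains as a break-glass path that needs a
! real local account.
aaa authentication login VTY group test local
aaa authentication enable default group test enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec VTY group test local if-authenticated
aaa authorization commands 1 VTY group test local if-authenticated
aaa authorization commands 15 VTY group test local if-authenticated
aaa accounting exec default start-stop group test
aaa accounting commands 1 default start-stop group test
aaa accounting commands 15 default start-stop group test
!
! The line must reference the lists by name; without "login authentication VTY"
! the "default" login list is used instead, whatever the VTY list says.
line vty 0 15
 exec-timeout 5 0
 login authentication VTY
 authorization exec VTY
 authorization commands 1 VTY
 authorization commands 15 VTY
 logging synchronous
 transport input ssh
!
! Verification from privileged exec (not configuration):
!   test aaa group test netadmin <password> new-code
!     -> exercises the key and reachability against group "test" without
!        touching a real session; a wrong key fails here before any policy
!        set on ISE is consulted.
!   show tacacs
!     -> per-server request/response counters; responses stuck at zero while
!        requests climb points at the key, the source address or the ISE
!        network-device entry rather than at the policy set.
!   debug aaa authorization
!   debug tacacs
!     -> show the exec and command authorization requests and the
!        priv-lvl / command-set result returned by ISE.
```

Once the device side is consistent, the remaining question (which authorization rule, if any, is matched) is answered on the ISE side in the Device Administration live logs, as hslai suggests: a session that authenticates but returns no shell profile and no command set is the signature of an authorization rule whose condition never matches, which is what the accepted solution's AD-group attribute fix addressed.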

