06-02-2018 06:53 AM
Hi
I am using ISE version 2.3.0.298. I have two policies: the first one is ASDM-Policy, so when we use port 443 we want that policy, and the second policy is ASA-Policy, which is for SSH and will use port 22.
The ASDM-Policy worked except for the authentication policy: it uses some random ports (an example is 59502592), and second, for authorization it uses port 0. Has anyone had similar issues? Thanks
06-02-2018 09:51 AM
In the how-to guide, I am using two policy sets:
It's this way because only the ASDM authorization needs special treatment, or at least in my logic. The authentications for both SSH and ASDM and the authorization for SSH may share the same policy set.
If you need to make other exceptions by creating another policy set, then it has to be above the Catch-All one. Please use the T+ live logs and authentication details report to troubleshoot.
06-02-2018 08:06 AM
Yes, I've seen the same. That is one reason why the ASDM policy set is for T+ Authorization only in How To: ISE TACACS+ Configuration for ASA Network Devices. If you need it to differ from SSH, you might consider a catch-all policy set.
06-02-2018 08:46 AM
I would like to use different command sets and different shell profiles for ASDM and SSH. I am using internal and AD for authentication. I have tried different policy combinations so that the ASDM policy will use these command sets and profile if using port 443, and if using port 22, use different command sets and shell profile.
06-02-2018 09:01 AM
Granting command sets and shell profiles is part of T+ authorization, so you should be all set.
06-02-2018 09:22 AM
I followed those steps. When the ASDM policy was caught, it applied authorization for the ASDM command sets. When that takes place, the authorization for SSH does not get applied.
06-02-2018 07:06 PM
I got it all figured out. The default policy does share the ASDM policy for authentication. It is sourcing from random ports; when it does, it uses the default policy for authentication, then it sources from 443, and that uses the authorization for ASDM.