Device Policy Sets - tacacs ports 443 and 22

creserva1
Level 1

Hi

The version of ISE that I am using is 2.3.0.298. I have two policies: the first one is ASDM-Policy, so when we use port 443 we want that policy, and the second policy is ASA-Policy; this is for SSH, which will use port 22.

The ASDM-Policy worked, except that for the authentication policy it uses some random ports (an example is 59502592), and second, for authorization it uses port 0. Has anyone had similar issues? Thanks

1 Accepted Solution

In the how-to guide, I am using two policy sets:

  1. ASDM Authz
    • Conditions (AND together):
      • DEVICE:Device Type EQUALS Device#All Device Types#ASA
      • TACACS:Type EQUALS Authorization
      • TACACS:Port EQUALS 443
  2. ASA Regular (Catch All)
    • Condition:
      • DEVICE:Device Type EQUALS Device#All Device Types#ASA

It's this way because only the ASDM authorization needs special treatment, or at least in my logic. The authentications for both SSH and ASDM and the authorization for SSH may share the same policy set.

If you need to make other exceptions by creating another policy set, then it has to be above the Catch-All one. Please use the T+ live logs and authentication details report to troubleshoot.

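To make the ordering argument above concrete, here is a small first-match evaluator that models the two policy sets as hslai lays them out and runs the kinds of requests the thread describes through them. This is an added illustration, not code from the thread or from Cisco ISE: the attribute names are the ones quoted in the post, but the request samples are constructed, and ISE's real evaluation engine is not modelled.

```python
"""Added example (not from the thread or from Cisco ISE): a toy first-match
evaluator for the two TACACS+ policy sets described above. Attribute keys follow
the post; the sample requests are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class PolicySet:
    name: str
    # All conditions are ANDed together, as in the post; the catch-all set only
    # checks the device type.
    conditions: dict = field(default_factory=dict)

    def matches(self, request: dict) -> bool:
        return all(request.get(key) == value for key, value in self.conditions.items())


# Ordered as hslai describes: the specific ASDM set first, the catch-all last.
POLICY_SETS = [
    PolicySet("ASDM Authz", {
        "DEVICE:Device Type": "Device#All Device Types#ASA",
        "TACACS:Type": "Authorization",
        "TACACS:Port": 443,
    }),
    PolicySet("ASA Regular (Catch All)", {
        "DEVICE:Device Type": "Device#All Device Types#ASA",
    }),
]


def select_policy_set(request: dict, policy_sets=POLICY_SETS):
    """Top-down first match, mirroring how policy-set ordering behaves.

    Returns the name of the first matching set, or None if nothing matches."""
    for policy_set in policy_sets:
        if policy_set.matches(request):
            return policy_set.name
    return None


ASA = "Device#All Device Types#ASA"

# Constructed requests mirroring the thread: ASDM authentication arrives from a
# random port (the OP's example value), ASDM authorization carries 443, SSH
# authorization carries 22, and the OP also saw port 0 on some authorizations.
SAMPLE_REQUESTS = {
    "asdm-authn-random-port": {"DEVICE:Device Type": ASA, "TACACS:Type": "Authentication", "TACACS:Port": 59502592},
    "asdm-authz-443": {"DEVICE:Device Type": ASA, "TACACS:Type": "Authorization", "TACACS:Port": 443},
    "ssh-authz-22": {"DEVICE:Device Type": ASA, "TACACS:Type": "Authorization", "TACACS:Port": 22},
    "authz-port-0": {"DEVICE:Device Type": ASA, "TACACS:Type": "Authorization", "TACACS:Port": 0},
    "non-asa-device": {"DEVICE:Device Type": "Device#All Device Types#Switch", "TACACS:Type": "Authorization", "TACACS:Port": 443},
}


def classify_all(requests=SAMPLE_REQUESTS, policy_sets=POLICY_SETS) -> dict:
    """Map each sample request name to the policy set it lands in."""
    return {name: select_policy_set(req, policy_sets) for name, req in requests.items()}


def misordered_policy_sets():
    """The mistake the post warns about: catch-all placed above the specific set,
    so the ASDM authorization set is shadowed and never reached."""
    return list(reversed(POLICY_SETS))


if __name__ == "__main__":
    for name, chosen in classify_all().items():
        print(f"{name:24s} -> {chosen}")
    print("with catch-all on top:", classify_all(policy_sets=misordered_policy_sets()))
```

Only the ASDM authorization request with port 443 reaches the specific set; the random-port authentication, the port-0 authorization and the SSH authorization all fall through to the catch-all, which is exactly why the two policy sets can share the authentication handling. Reversing the order shadows the ASDM set completely, so any exception set has to sit above the catch-all.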

6 Replies

hslai
Cisco Employee

Yes, I've seen the same. That is one reason why the ASDM policy set is for T+ Authorization only in How To: ISE TACACS+ Configuration for ASA Network Devices. If you need it to differ from SSH, you might consider a catch-all policy set.

I would like to use different command sets and a different shell profile for ASDM and SSH. I am using internal and AD for authentication. I have tried different policy combinations so that the ASDM policy will use these command sets and profile if using port 443, and if using port 22 use different command sets and shell profile.

Granting command sets and shell profiles is part of T+ authorization, so you should be all set.

I followed those steps. When the ASDM policy is matched, it applies authorization for the ASDM command sets. When that takes place, the authorization for SSH does not get applied.


I got it all figured out. The default policy does share the ASDM policy for authentication. It is sourcing from random ports; when it does, it uses the default policy for authentication, then it sources from 443, and that uses the authorization for ASDM.
