CiscoISE policy applying on switch problem

mitros
Level 1

Hello,

I have a problem with applying policies from CiscoISE 3.2 on a C3750 switch. It simply doesn't stop the unauthenticated users from logging in to the switch, nor does it prevent commands that are forbidden by the created policy.

In Live Logs I can see that CiscoISE recognizes the not-allowed attempt, gives it a red status and describes that authentication (or authorization) failed, but I can still do whatever I want on the switch.

 

(Screenshot 2024-04-22, Identity Services Engine live logs)

As you can see, it throws "Command failed to match a Permit rule" but the switch executes it anyway. Same with the "INVALID" identity: it fails to authenticate, but the switch lets it log in successfully...

 

Could you please give me advice on what could be misconfigured when it acts like this.

TIA

19 Replies

Thanks for that. The "INVALID" users in the logs can be disclosed by changing "Disclose invalid usernames" under Administration > System > Settings > Security Settings > Disclose invalid usernames to always or for a limited amount of time.

No debugs returned at all? If you are connected to the switch via SSH then please issue the command "terminal monitor" to replicate the output to the screen and share any debug output.

I am kinda running out of ideas here; my gut feeling is that this switch is not performing TACACS operations correctly. Or, as mentioned previously, it could be that the switch for some reason keeps losing the connection with ISE and accordingly falls back to the local database for both authentication and authorization.

One thing you can do to test this would be to remove the "local" keyword for TACACS and see if the behaviour would still be the same. If so, I would say the switch is hitting a software bug; if not, then it would be related to some communication issues with ISE. However, please make sure that you have at least console access and that it is configured with the local database, otherwise you might lock yourself out and have to reload the switch before you get access to it. Alternatively you can schedule a reload before you apply any changes. But let's first try to get to the bottom of this by relying on TACACS debugs and see if we get anything.
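For reference, this is the kind of switch-side AAA setup the reply above is talking about: TACACS+ to ISE with "local" as the fallback, the console kept on the local database, and the test and debug commands to run from a second session. It is an added example written for this thread, not the poster's configuration; IOS 15.x syntax, the ISE address, the server-group name and the shared secret are assumptions/placeholders.

```cisco
! Constructed example, not the poster's config: TACACS+ to ISE with local fallback.
aaa new-model
!
! ISE as TACACS+ server (placeholder address and key; must match the
! shared secret entered for this device under ISE Network Devices).
tacacs server ISE
 address ipv4 192.0.2.10
 key 0 PLACEHOLDER_SHARED_SECRET
!
aaa group server tacacs+ ISE-GROUP
 server name ISE
!
! Login, exec and command authorization go to ISE first. "local" is the
! fallback discussed in the thread: it is consulted only when no TACACS+
! server answers, not when ISE answers with a reject. If ISE's reject is
! being ignored, the switch is most likely never getting that answer.
aaa authentication login default group ISE-GROUP local
aaa authorization exec default group ISE-GROUP local
aaa authorization commands 15 default group ISE-GROUP local
aaa authorization config-commands
!
! Keep the console on the local database so a TACACS+ problem cannot lock you out.
aaa authentication login CONSOLE local
aaa authorization exec CONSOLE local
line con 0
 login authentication CONSOLE
 authorization exec CONSOLE
!
! Local fallback account, used only while ISE is unreachable.
username admin privilege 15 secret PLACEHOLDER_PASSWORD
!
! Checks from exec mode (placeholder test credentials):
! Switch# test aaa group ISE-GROUP testuser testpass legacy
! Switch# show tacacs
! Switch# terminal monitor
! Switch# debug tacacs
! Switch# debug aaa authorization
```

If "test aaa group" reports the server as unreachable or times out while ISE Live Logs still show the attempt, look at the shared secret and the source interface the switch uses to reach ISE before suspecting a software bug.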

 

Access the device and then check with "show privilege" which privilege the user is in.

Also, in auth under the policy set, there is an option; can you mention which selection you use for unknown user? The ISE live logs show that the user is not found in the internal identity DB; can you share the selection and action of the default authorization in ISE?

MHM

LAB_SW_2.20#sh privilege
Current privilege level is 15

Q: The ISE live logs show that the user is not found in the internal identity DB; can you share the selection and action of the default authorization in ISE?

A: I've answered in the previous post just above: there is one user created on the switch that is not added to ISE, so it throws "user is not found in internal identity db".

 

mitros
Level 1

It seems that I've found the problem.

In CiscoISE Administration > Network Devices > selected device > Edit > TACACS Authentication Settings

"Legacy Cisco Device" should be checked. I had another option configured and it didn't work.

Pictures below :

 

(Screenshots: tacacsNOwork.png, tacacsWORK.png)

 

Now, an unregistered user gets the message:

login as: admin
Keyboard-interactive authentication prompts from server:
| Password:
End of keyboard-interactive prompts from server
Access denied

 

And unauthorized commands get the note:

LAB_SW_2.20#conf t
Command authorization failed.

All that is followed by the adequate status in CiscoISE Live Logs.

Thank You all for participating in troubleshooting!

Thanks a lot for updating us.

Have a nice day

MHM