11-29-2017 05:25 AM
Hi folks, it seems when using ISE for device administration / TACACS+ I do NOT have the ability to authenticate against a specific AD group but can only specify an external identity store such as the actual domain controller. For authorization I can use the external identity store AND also pick from AD groups.
The issue is when using ISE to provide TACACS+ for Nexus, the users' privileges/roles/command sets are handled fine, but any valid AD account (think like John Smith working in HR) can log in and get the CLI prompt even though they cannot run any commands.
For IOS devices this isn't an issue because if you aren't in a specific AD group the authorization fails and drops the connection, so John Smith in HR can attempt to connect but gets dropped before the CLI prompt.
Is this even possible to prevent? All of the instructions and videos show the authentication piece as specifying internal users or external identity stores, but in the case of external AD you probably have users that are valid to pass authentication but are NOT part of your network management team.
Thanks for reading my question.
-Terry
12-01-2017 04:21 AM
Sounds to me that your switch is not acting like other network access devices. Have you reached out to them and asked why?
Authentication is the process of checking you have correct credentials.
Authorization is the process of granting access to certain resources.
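Added illustration, not from anyone in the thread: NX-OS differs from IOS here in that a remotely authenticated user who comes back from the TACACS+ server without a role is handed the default role (network-operator) and reaches the prompt, unless that default is switched off with `no aaa user default-role`. The server address, key and group name below are placeholders.

```text
! Added example (not the thread's own config): NX-OS AAA pointed at ISE
! over TACACS+, refusing users the server does not assign a role to.
feature tacacs+
tacacs-server key 0 SHARED-SECRET-PLACEHOLDER
tacacs-server host 192.0.2.10
aaa group server tacacs+ ISE-TACACS
  server 192.0.2.10
  source-interface mgmt0
! Login goes to ISE; command authorization goes to ISE with local fallback.
aaa authentication login default group ISE-TACACS
aaa authorization commands default group ISE-TACACS local
aaa authorization config-commands default group ISE-TACACS local
! "aaa user default-role" is on by default: a remote user with no role
! from ISE gets network-operator and sees the CLI. Turning it off means
! an AD account that matches no ISE authorization rule (and so receives
! no shell:roles attribute) is denied at login, like on IOS.
no aaa user default-role
```

On the ISE side this assumes the rule for the admin AD group returns a TACACS profile carrying `shell:roles="network-admin"`, and that no catch-all rule hands out a role to everyone else.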
11-29-2017 02:46 PM
Hi Terry
What version of ISE are you using? I have been doing this stuff in ISE 2.2 and now ISE 2.3
If John Smith is a member of AD Security Group called Routers_FullAdmin then the problem is not ISE. We still have to use common sense when assigning AD Groups to users.
ISE Authorization can be made so water tight that you can end up achieving exactly what you want. Assign least privilege to the users and then create the Authorization Rules. I also use the DEVICE:LOCATION and DEVICE:TYPE in my rules and this works well.
You need to give us some examples of what you have configured so that we can guide you in the right direction.
11-30-2017 11:27 PM
Terry,
Authentication is the process of validating the users in your domain. Authorization verifies the group for you as long as you have downloaded the group and added in the authorization policy as authorization conditions.
Are you saying despite you verifying the authorization groups and denying access, the user is getting cli access?
Please clarify.
Thanks
Krishnan