1148 Views, 1 Helpful, 3 Replies

ISE tacacs authentication against an AD group??

terry2776
Level 1

Hi folks, it seems that when using ISE for device administration / TACACS I do NOT have the ability to authenticate against a specific AD group, but can only specify an external identity store such as the actual domain controller. For authorization I can use the external identity store AND also pick from AD groups.

The issue is that when using ISE to provide TACACS for Nexus, the users' privileges/roles/command sets are handled fine, but any valid AD account (think John Smith working in HR) can log in and get the CLI prompt even though they cannot run any commands.

For IOS devices this isn’t an issue, because if you aren’t in a specific AD group the authorization fails and drops the connection, so John Smith in HR can attempt to connect but gets dropped before the CLI prompt.

Is this even possible to prevent? All of the instructions and videos show the authentication piece as specifying internal users or external identity stores, but in the case of external AD you probably have users that are valid to pass authentication but are NOT part of your network management team.

Thanks for reading my question.

-Terry


3 Replies

Arne Bier
VIP

Hi Terry

What version of ISE are you using?  I have been doing this stuff in ISE 2.2 and now ISE 2.3

If John Smith is a member of an AD Security Group called Routers_FullAdmin then the problem is not ISE.  We still have to use common sense when assigning AD Groups to users.

ISE Authorization can be made so watertight that you can end up achieving exactly what you want. Assign least privilege to the users and then create the Authorization Rules.  I also use the DEVICE:LOCATION and DEVICE:TYPE in my rules and this works well.

You need to give us some examples of what you have configured so that we can guide you in the right direction.

kthiruve
Cisco Employee

Terry,

Authentication is the process of validating the users in your domain. Authorization verifies the group for you, as long as you have downloaded the group and added it in the authorization policy as an authorization condition.

Are you saying despite you verifying the authorization groups and denying access, the user is getting cli access?

Please clarify.

Thanks

Krishnan

Jason Kunst
Cisco Employee
Accepted Solution

Sounds to me that your switch is not acting like other network access devices; have you reached out to them and asked why?

Authentication is the process of checking you have correct credentials.

Authorization is the process of granting access to certain resources.
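The distinction Jason and Krishnan draw (authentication = are the credentials valid in AD; authorization = what does this user get on this device) and Arne's point about least privilege with DEVICE:TYPE / DEVICE:LOCATION conditions can be made concrete with a small model of an ordered, first-match authorization policy. This is an added example, not ISE code and not anything posted in the thread: the accounts, group names (Routers_FullAdmin, Routers_ReadOnly), device names and the profile labels PRIV15, READONLY, SHELL_NO_COMMANDS and DENY are all assumptions. It contrasts a policy whose catch-all still hands out a shell profile (so any authenticated AD user, HR included, reaches the prompt with nothing to run) with one whose catch-all is Deny Access.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the external identity store (AD). Not real accounts.
# Any valid AD account passes *authentication*; only group membership and
# device conditions should decide *authorization*.
AD_PASSWORDS = {"jsmith": "hr-pass", "nadmin": "net-pass", "ops1": "ops-pass"}
AD_GROUPS = {
    "jsmith": {"Domain Users", "HR"},                 # valid user, not a network admin
    "nadmin": {"Domain Users", "Routers_FullAdmin"},  # assumed group name
    "ops1":   {"Domain Users", "Routers_ReadOnly"},   # assumed group name
}


def authenticate(user: str, password: str) -> bool:
    """Authentication only answers: are these credentials valid in the store?
    It says nothing about what the user may do on any device."""
    return AD_PASSWORDS.get(user) == password


@dataclass(frozen=True)
class Device:
    name: str
    dev_type: str    # models ISE DEVICE:TYPE, e.g. "Nexus" or "IOS" (assumed values)
    location: str    # models ISE DEVICE:LOCATION (assumed values)


@dataclass(frozen=True)
class Rule:
    """One authorization rule; every condition that is set must match."""
    name: str
    shell_profile: str              # "DENY" models a Deny Access result
    group: Optional[str] = None     # required AD group, if any
    dev_type: Optional[str] = None
    location: Optional[str] = None

    def matches(self, groups: set, device: Device) -> bool:
        return ((self.group is None or self.group in groups)
                and (self.dev_type is None or self.dev_type == device.dev_type)
                and (self.location is None or self.location == device.location))


def authorize(user: str, device: Device, policy: list) -> str:
    """First-match evaluation over an ordered rule list; the last rule is the catch-all."""
    groups = AD_GROUPS.get(user, set())
    for rule in policy:
        if rule.matches(groups, device):
            return rule.shell_profile
    # Every policy below ends in an unconditional rule, so this is unreachable.
    raise RuntimeError("policy has no catch-all rule")


# Policy as the question describes it: group-specific rules are fine, but the
# catch-all still returns a shell profile, so an authenticated HR user gets a prompt.
POLICY_LOOSE = [
    Rule("FullAdmin", "PRIV15", group="Routers_FullAdmin"),
    Rule("ReadOnly-DC", "READONLY", group="Routers_ReadOnly", location="DataCenter"),
    Rule("Default", "SHELL_NO_COMMANDS"),
]

# Least-privilege version: identical specific rules, catch-all is Deny Access.
POLICY_TIGHT = [
    Rule("FullAdmin", "PRIV15", group="Routers_FullAdmin"),
    Rule("ReadOnly-DC", "READONLY", group="Routers_ReadOnly", location="DataCenter"),
    Rule("Default", "DENY"),
]


def login(user: str, password: str, device: Device, policy: list) -> str:
    """Whole device-admin flow: authentication first, then authorization.
    Returns AUTH_FAIL, AUTHZ_FAIL (dropped before the prompt) or PROMPT:<profile>."""
    if not authenticate(user, password):
        return "AUTH_FAIL"
    profile = authorize(user, device, policy)
    if profile == "DENY":
        return "AUTHZ_FAIL"
    return f"PROMPT:{profile}"


if __name__ == "__main__":
    nexus_dc = Device("n9k-dc-1", "Nexus", "DataCenter")
    for policy_name, policy in (("loose", POLICY_LOOSE), ("tight", POLICY_TIGHT)):
        for user, pw in (("jsmith", "hr-pass"), ("nadmin", "net-pass"), ("ops1", "ops-pass")):
            print(policy_name, user, login(user, pw, nexus_dc, policy))
```

The HR user authenticates under both policies; the only thing that keeps him off the prompt is an authorization catch-all that denies. The location condition on the read-only rule also shows why Arne's DEVICE:LOCATION conditions matter: the same ops1 account that gets READONLY in the data centre falls through to the catch-all on a branch device.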