CiscoISE policy applying on switch problem

mitros (Level 1)

Hello,

I have a problem with applying policies from CiscoISE 3.2 on a C3750 switch. It simply doesn't stop unauthenticated users from logging in to the switch, nor does it prevent commands that are forbidden by the created policy.

In the Live Logs I can see that CiscoISE recognizes the disallowed attempt; it gives a red status and describes that authentication (or authorization) failed, but I can still do whatever I want on the switch.

[Screenshot: Identity Services Engine, 2024-04-22 08:57]

As you can see, it throws "Command failed to match a Permit rule" but the switch executes it anyway. Same with the "INVALID" identity: it fails to authenticate, but the switch lets it log in successfully...


Could you please advise what could be misconfigured when it acts like this.

TIA

Accepted Solution

mitros (Level 1)

It seems that I've found the problem.

In CiscoISE: Administration > Network Devices > selected device > Edit > TACACS Authentication Settings

"Legacy Cisco Device" should be checked. I had the other option configured and it didn't work.

Pictures below :

[Screenshots: tacacsNOwork.png, tacacsWORK.png]

Now, an unregistered user gets the message:

login as: admin
Keyboard-interactive authentication prompts from server:
| Password:
End of keyboard-interactive prompts from server
Access denied

And unauthorized commands get the note:

LAB_SW_2.20#conf t
Command authorization failed.

All that is followed by the appropriate status in the CiscoISE Live Logs.

Thank You all for participating in troubleshooting!
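In ISE the "Legacy Cisco Device" radio button sits under "Enable Single Connect Mode" in the network device's TACACS Authentication Settings, and single-connect is signalled on the wire by the TAC_PLUS_SINGLE_CONNECT_FLAG bit in the TACACS+ header. To make the exchange behind the symptoms in this thread concrete, here is an added example, written for this page and not code from the thread, Cisco or ISE: a minimal RFC 8907 authorization exchange in Python that builds the REQUEST the switch sends for "configure terminal", the FAIL REPLY the server returns when no Permit rule matches, decodes the reply, and applies the IOS method-list rule that an explicit FAIL denies the command while only an ERROR (no usable answer from the server) moves on to the next method such as "local". The shared secret, session id, port, remote address and server message are constructed; "admin2" is the username from the thread; all function names are this example's own. Note that the body is only XOR-obfuscated with an MD5 keystream derived from the shared secret, not encrypted, which is one reason to keep the server in an isolated management VRF as in the config below.

```python
"""Added example (not from the thread): minimal RFC 8907 TACACS+ authorization
exchange. Builds the switch's REQUEST for "configure terminal", the server's FAIL
REPLY, decodes it, and shows why FAIL must not fall through to "local".
Secret, session id, port, address and server message are constructed values."""
import hashlib
import struct

TAC_PLUS_AUTHOR = 0x02                 # packet type: authorization
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04    # negotiated by ISE's "Single Connect Mode"
AUTHOR_STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL",
                 0x11: "ERROR", 0x21: "FOLLOW"}
HDR = struct.Struct("!BBBBII")         # version, type, seq_no, flags, session_id, length

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: chained MD5 keystream, truncated to the body length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    out, prev = b"", b""
    while len(out) < length:
        prev = hashlib.md5(seed + prev).digest()
        out += prev
    return out[:length]

def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo pad; the same call decodes it (XOR is an involution)."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_packet(ptype, seq_no, session_id, body, key, single_connect=True, version=0xC0):
    flags = TAC_PLUS_SINGLE_CONNECT_FLAG if single_connect else 0
    hdr = HDR.pack(version, ptype, seq_no, flags, session_id, len(body))
    return hdr + obfuscate(body, session_id, key, version, seq_no)

def parse_packet(raw, key):
    version, ptype, seq_no, flags, session_id, length = HDR.unpack(raw[:HDR.size])
    body = raw[HDR.size:HDR.size + length]
    if len(body) != length:
        raise ValueError("truncated TACACS+ packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"type": ptype, "seq_no": seq_no, "session_id": session_id,
            "single_connect": bool(flags & TAC_PLUS_SINGLE_CONNECT_FLAG), "body": body}

def ios_command_args(cmdline):
    """Argument list IOS sends for shell command authorization of one command line."""
    words = cmdline.split()
    return (["service=shell", "cmd=" + words[0]]
            + ["cmd-arg=" + w for w in words[1:]] + ["cmd-arg=<cr>"])

def author_request(user, port, rem_addr, args, priv_lvl=15):
    """REQUEST body: authen_method=TACACSPLUS(0x06), authen_type=ASCII, service=LOGIN."""
    arg_b = [a.encode() for a in args]
    body = bytes([0x06, priv_lvl, 0x01, 0x01, len(user), len(port), len(rem_addr), len(arg_b)])
    body += bytes(len(a) for a in arg_b)
    return body + user.encode() + port.encode() + rem_addr.encode() + b"".join(arg_b)

def author_reply(status, server_msg=b"", data=b"", args=()):
    """REPLY body: status, arg_cnt, server_msg_len, data_len, arg lens, then payloads."""
    arg_b = [a.encode() for a in args]
    body = struct.pack("!BBHH", status, len(arg_b), len(server_msg), len(data))
    return body + bytes(len(a) for a in arg_b) + server_msg + data + b"".join(arg_b)

def parse_author_reply(body):
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    arg_lens, pos = body[6:6 + arg_cnt], 6 + arg_cnt
    server_msg, pos = body[pos:pos + msg_len], pos + msg_len + data_len
    args = []
    for n in arg_lens:
        args.append(body[pos:pos + n].decode())
        pos += n
    return {"status": AUTHOR_STATUS.get(status, hex(status)),
            "server_msg": server_msg.decode(), "args": args}

def ios_decision(status, methods=("group TACACS-SERVERS", "local")):
    """Method list 'group TACACS-SERVERS local': PASS_* runs the command, FAIL denies
    it, and only ERROR (server unreachable / no usable answer) tries the next method."""
    if status in ("PASS_ADD", "PASS_REPL"):
        return "execute"
    if status == "FAIL":
        return "deny: Command authorization failed."
    return "next method: " + methods[1] if len(methods) > 1 else "deny"

def demo(key=b"constructed-secret", session_id=0x5EC0DE42):
    args = ios_command_args("configure terminal")
    req = build_packet(TAC_PLUS_AUTHOR, 1, session_id,
                       author_request("admin2", "tty2", "192.168.2.200", args), key)
    # constructed server answer for a command set with no matching Permit rule
    rep = build_packet(TAC_PLUS_AUTHOR, 2, session_id,
                       author_reply(0x10, server_msg=b"command not permitted"), key)
    decoded = parse_packet(rep, key)
    reply = parse_author_reply(decoded["body"])
    return {"request_len": len(req), "single_connect": decoded["single_connect"],
            "reply": reply, "switch_action": ios_decision(reply["status"])}

if __name__ == "__main__":
    print(demo())
```

Run it as a script to see the decoded FAIL reply and the resulting switch action; a packet capture on TCP/49 between the switch and ISE can be fed through parse_packet with the real shared secret to confirm which status the switch actually received.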


Share the config of the SW, the aaa and vty lines.

MHM

aaa group server tacacs+ TACACS-SERVERS
 server 192.168.2.25
 ip vrf forwarding MGMT
!
aaa authentication login default group TACACS-SERVERS local
aaa authentication login VTY group TACACS-SERVERS local
aaa authentication login CONSOLE local
aaa authentication enable default enable
aaa authentication dot1x default group tacacs+
aaa authorization config-commands
aaa authorization exec VTY group TACACS-SERVERS local if-authenticated
aaa authorization exec CONSOLE local
aaa authorization commands 0 VTY group TACACS-SERVERS local if-authenticated
aaa authorization commands 1 VTY group TACACS-SERVERS local if-authenticated
aaa authorization commands 15 VTY group TACACS-SERVERS local if-authenticated
aaa authorization network default group tacacs+
aaa accounting update newinfo periodic 2880
aaa accounting exec default start-stop group TACACS-SERVERS
aaa accounting commands 0 default start-stop group TACACS-SERVERS
aaa accounting commands 1 default start-stop group TACACS-SERVERS
aaa accounting commands 15 default start-stop group TACACS-SERVERS
aaa accounting system default start-stop group TACACS-SERVERS
!
line con 0
 logging synchronous
 login authentication CONSOLE
 stopbits 1
line vty 0 4
 authorization commands 1 VTY
 authorization commands 15 VTY
 authorization exec VTY
 logging synchronous
 transport preferred none
 transport input ssh
line vty 5 15
 authorization commands 1 VTY
 authorization commands 15 VTY
 authorization exec VTY
 logging synchronous
 transport preferred none
 transport input ssh
!

Since you changed the auth from default to VTY, you need to specify that under the vty lines.

MHM

This line should already take care of that: "aaa authentication login default group TACACS-SERVERS local".

Change the auth method from default to VTY under the vty line; the exec level is sent in the auth process.

MHM

Your shared configs look good to me. Please share the TACACS command sets and authorization policies from ISE for review.

mitros (Level 1)

Revised aaa and vty:

aaa group server tacacs+ TACACS-SERVERS
 server 192.168.2.25
 ip vrf forwarding MGMT
!
aaa authentication login VTY group TACACS-SERVERS local
aaa authentication enable default enable group tacacs+
aaa authentication dot1x default group tacacs+
aaa authorization config-commands
aaa authorization exec VTY group TACACS-SERVERS local
aaa authorization exec CONSOLE local
aaa authorization commands 0 VTY group TACACS-SERVERS local
aaa authorization commands 1 VTY group TACACS-SERVERS local
aaa authorization commands 15 VTY group TACACS-SERVERS local
aaa authorization network default group tacacs+
aaa accounting update newinfo periodic 2880
aaa accounting exec default start-stop group TACACS-SERVERS
aaa accounting commands 0 default start-stop group TACACS-SERVERS
aaa accounting commands 1 default start-stop group TACACS-SERVERS
aaa accounting commands 15 default start-stop group TACACS-SERVERS
aaa accounting system default start-stop group TACACS-SERVERS
!
line con 0
 logging synchronous
 login authentication CONSOLE
 stopbits 1
line vty 0 4
 authorization commands 0 VTY
 authorization commands 1 VTY
 authorization commands 15 VTY
 authorization exec VTY
 logging synchronous
 login authentication VTY
 transport preferred none
 transport input ssh
line vty 5 15
 authorization commands 0 VTY
 authorization commands 1 VTY
 authorization commands 15 VTY
 authorization exec VTY
 logging synchronous
 login authentication VTY
 transport preferred none
 transport input ssh
!

No success yet...

mitros (Level 1)

[Screenshots: Identity Services Engine, 2024-04-22 12:50 and 12:49]

I can't see anything wrong with your configs so far. Could you please click on both TACACS logs in ISE, the one with the green icon and the one with the red icon and share those pages for review?

Also, the "Default" authorization rule should be configured with the deny "DenyAllCommands" command set, but this should be irrelevant to your issue.

Another thing I would recommend would be to configure a new authentication method list for console access and apply it to the console line, but again this shouldn't be relevant to your issue.

mitros (Level 1)

[Screenshots: Cisco Identity Services Engine, 2024-04-22 13:42 and 13:41]

The successful log shows that the session of the user "admin2" did not match any command set, you can see that in the overview section on that page.

Could you please also share the "admin2" failed log, the one right below the one with the green icon?


mitros (Level 1)

[Screenshot: Cisco Identity Services Engine, 2024-04-22 15:17]

Thanks for that. Based on the provided logs it seems that the command authorization should work as expected, ISE is clearly showing that there was a command authorization failure, so the switch should fail the authorization of that command as well. This leads me to think that maybe the switch is hitting a software bug that is causing this anomaly, or maybe the switch is continuously losing connection to ISE and it falls back to the local authorization?

You can look at the exact commands that were associated to the sessions by looking at TACACS report logs in "Operations > Reports > Reports > Device Administration > TACACS Authorization".

I would try to enable TACACS debugs and look at the output while trying to issue a command that shouldn't be allowed and see what the switch returns. To enable TACACS debugs you would need these commands:

debug aaa authorization
debug tacacs

Also, you mentioned in your original post that unauthenticated users are able to log into the switch? Could you elaborate more on this please?

[Screenshot: Identity Services Engine, 2024-04-23 08:42]

The TACACS report logs in "Operations > Reports > Reports > Device Administration > TACACS Authorization" show as empty for the past 7 days??

Q: Also, you mentioned in your original post that unauthenticated users are able to log into the switch? Could you elaborate more on this please?

A: That is a user which I created on the switch but didn't add to the CiscoISE identities. ISE doesn't know about it, so it can't find it in the User Identity Groups. Therefore it calls that user INVALID - it can't pass authentication (at least for ISE; in reality it can log in to the switch with no problem).


LAB_SW_2.20#debug aaa authorization
AAA Authorization debugging is on
LAB_SW_2.20#debug tacacs
TACACS access control debugging is on
LAB_SW_2.20#conf t
Enter configuration commands, one per line. End with CNTL/Z.
LAB_SW_2.20(config)#
LAB_SW_2.20(config)#
LAB_SW_2.20(config)#


"configure terminal" should be forbidden, but the switch executes it. The logs in CiscoISE, however, report a failed authorization on that command; picture attached below:

[Screenshot: Cisco Identity Services Engine, 2024-04-23 08:52]