Have a little bit of a situation where I'm trying to configure specific behavior for a user logging into an ASA, authenticated via an ISE server. I do not manage, configure or have any access whatsoever to the ISE box and do not have any experience with its configuration. I'm going strictly based off what I'm being told by the admin.
The issue -
The ASA is configured with the following AAA commands:
aaa authentication serial console LOCAL
aaa authentication http console TACACS LOCAL
aaa authentication ssh console TACACS LOCAL
I'm being told that there is no way to create a specific "enable" password for users in ISE, so I'm resorting to using the local enable password on the ASA, thus no "aaa authentication enable console ..." command.
I want to be able to create a user in ISE, log into the ASA and authenticate this user via ISE (this works so far), then I want to assign certain privilege levels with corresponding command sets (configured in ISE) to this user after they either:
- get placed directly into privilege exec using the "auto-enable" feature OR
- manually enter the enable password and get the assigned privilege level from ISE
So far, no matter what privilege group this user is placed in within ISE (priv 1, 2 ... limited commands), the user is assigned privilege 15 once entering the enable password. "auto-enable" dumps them directly into privilege 15. It seems that while using AAA against ISE, the user created is limited to either user exec at privilege 1 or privileged exec at 15 once they enter the enable password. There is no in-between.
I've tried adding the command "aaa authorization exec authentication-server" but have the same results. Command sets are not being passed down from the ISE server. Basic authentication has been verified working and I'm being told no error or failure logs are present in ISE. I'm not able to view ISE logs and AAA debugs on the ASA are non-existent.
I'm having a hard time believing that this cannot be done via ISE. Am I just having a brain fart? Am I missing something on the ASA to make this work? Is the ASA limited in the use of privilege levels while using an AAA server?
This is ASA code version 9.4(4)5 on an ASA 5525-X.
Thanks.
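For reference, the following is an added configuration example and not the poster's running config. It shows the AAA stanza an ASA typically carries when per-command authorization is meant to be decided by a TACACS+ server, alongside the three authentication lines quoted in the post. The server-group name "TACACS" is taken from the post; the "aaa authorization command" line is the piece the quoted config does not show, and its relevance to this particular setup is an assumption, not something the post confirms.

```text
! Authentication as quoted in the post
aaa authentication serial console LOCAL
aaa authentication http console TACACS LOCAL
aaa authentication ssh console TACACS LOCAL

! Exec authorization: take the privilege level returned by the server,
! and (optionally) drop the user straight into that level on login
aaa authorization exec authentication-server auto-enable

! Command authorization: ask the TACACS+ server group before running each
! command, falling back to the local database if the group is unreachable.
! Without a line of this form the ASA does not consult the server's command
! sets at all. (Assumption: this is the line missing from the poster's config.)
aaa authorization command TACACS LOCAL

! Checks a practitioner would run after logging in as the ISE user:
!   show curpriv              -> current username and privilege level
!   show running-config aaa   -> confirms which authorization lines are active
```

The "LOCAL" fallback on the command-authorization line is worth keeping so that an unreachable server does not lock every administrator out of the box; the local fallback only applies when the server group cannot be reached, not when it denies a command.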