In the first article in this series, we saw how to perform user authentication for device administration using the Cisco ISE. In that article, we made use of the default authentication and authorization policies available on the Cisco ISE. In this second part, we will enable authorization for users connecting to devices for management purposes by configuring our own authorization policies.
The network diagram we used in the first article is as shown below:
One common thing done regarding device administration is assigning different privilege levels to users based on their roles or job function. We can use the Cisco ISE to achieve this authorization function. Let’s use a sample scenario:
- When a user (admin1) belonging to the “Admin” group logs into the router, he/she should be placed at a privilege level of 15.
- When a user (helpdesk1) belonging to the “Helpdesk” group logs into the router, he/she should be placed at a privilege level of 2.
To achieve this, we need to first define an AAA authorization method on the router. The configuration on the router is as follows:
username admin1 privilege 15 secret admin1 username helpdesk1 privilege 2 secret helpdesk1 ! aaa authorization exec VTY group radius local ! line vty 0 4 authorization exec VTY
Now we will go to the ISE. In the last article, I mentioned “Network Device Groups” but I didn’t talk about “User Identity Groups”. The concept is similar: a group of user identities that share similar functions or characteristics. Therefore, we can create two Identity groups: Admin and Helpdesk.
To do this, we navigate to Administration → Identity Management → Groups → User Identity Groups.
As you can see, there are some default user identity groups available on the Cisco ISE but we will go ahead and add ours.
Remember to click the Submit button to add your configuration. Now, I will add users to both groups – a user “admin1” to the Admin group and a user “helpdesk1” to the Helpdesk group. We do this from Administration → Identities → Users.
Since we are dealing with authorization, we will configure authorization policies for these two scenarios. To put it in simple terms, we want authorization policies that say:
“If user belongs to group_X and wants to connect to device_Y, then assign a privilege level of Z.”
We have already defined “group_X” as our user identity group. We may define “device_Y” by IP address or other attributes such as location or device type or we can just use the default “All devices” group. The final element we have not defined is the “privilege level of Z” which is the result part of the authorization policy.
To define the authorization result, we navigate to Policy → Policy Elements → Results → Authorization → Authorization Profiles and click the “Add” button. I will use the following settings for my first authorization result:
- Name: AUTHOR_RESULT_PRIV_15
- Description: Assign privilege level 15
- Access Type: ACCESS_ACCEPT
- Advanced Attributes Settings: cisco-av-pair= “shell:priv-lvl=15”
Note: For the Advanced Attributes Settings, select Cisco and then select “cisco-av-pair” and finally, paste “shell:priv-lvl=15” in the corresponding text field.
You can follow the same steps to create the second authorization result for privilege level 2. I created mine as “AUTHOR_RESULT_PRIV_2”.
We can now define our authorization policy. To do this, we will navigate to Policy → Authorization. Since policies are matched from top to bottom (you can change this default behavior), I will add our more specific policies to the top of the table. To add a new policy, you can click the drop-down arrow next to the “Edit” of any of the rules on the page and select “Insert New Rule Above” or “Insert New Rule Below”. You can also duplicate rules if you wish.
I will be adding my policies to the top so I will select “Insert New Rule Above”. I will use the following configuration for my first authorization policy:
- Rule Name: AUTHOR_POLICY_PRIV_15
- Conditions: If User Identity Group = “Admin” AND Network Access Device:Device IP Address = 10.0.0.251
- Permissions: AUTHOR_RESULT_PRIV_15
Note: To access the authorization results, under Profiles, select ‘Standard’ and then you should see the authorization results you created.
You can create a similar authorization policy for privilege level 2. An easy way to do this is to duplicate the policy you just created and change the name, conditions and result.
Remember to save your authorization policies by clicking the “Save” button at the bottom of the page. Now for the moment of truth – let’s test. We will telnet to the router from the router itself and try the usernames in order.
Great! It works as expected. You can take a look at the authentication detail report by navigating to Operations → Authentications and clicking the icon under the Details column. There you will see the authorization profile and the results that were matched for each user.
Now I have a question for you: what privilege level will a user who doesn’t belong to either the Admin or Helpdesk group be placed? We can check this out by logging in with the “cisco” username.
Such a user will be placed at the default privilege level configured for that VTY line. For Cisco IOS, the default privilege level for VTY lines is 1. This is because the login of that user will match the default authorization policy (check previous article) which just sends a RADIUS Access-Accept message. If an enable password/secret is configured on the router and that user knows it, then the user can elevate his/her privileges.
Note: If the helpdesk users know the enable password/secret, they can also elevate their privileges.
If we alter that default policy to deny all, then users who are not part of either the “Admin” or “Helpdesk” group will not be able to login.
In this article we have defined our own authorization elements and policies to assign users to different privilege levels based on the user group they belong to.
I hope you have found this article helpful and I look forward to the next article in the series.
References and further reading
- Cisco Identity Services Engine User Guide, Release 1.2: http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide.html
- LabMinutes# SEC0036 – Cisco ISE 1.1 Device Admin RADIUS Authorization: https://www.youtube.com/watch?v=VH98hTMeEvk
- cisco-avpair: http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008007e6b7.html#18268