July 19, 2018

Cisco :: ISE 2.3 Device Administration using TACACS+

(Last Updated On: 12th October 2017)

In this article, I will cover network device administration using TACACS+ on Cisco's Identity Services Engine (ISE). Accompanied by a video demonstration, I will also list the TACACS+ configuration required on Cisco's ASAv.

Configure the Network Device/s

In the video demonstration, I have used the ASAv as the network device I would like ISE to administer. Follow the steps below to configure the ASAv. Enter the aaa authentication lines from a session you can afford to lose (or with a second session open), because they take effect immediately; the LOCAL keyword only falls back to local accounts when no server in the group answers, not when ISE rejects the login.

aaa-server TACACS+ protocol tacacs+ (creates a server group named TACACS+ that uses the TACACS+ protocol)
aaa-server TACACS+ (DMZ) host 10.1.1.10 (adds the ISE node at 10.1.1.10 to the group; DMZ is the ASAv interface through which ISE is reached)

 key Cisco123 (host sub-mode: the shared secret, which must match the key entered for this device in ISE)

aaa authentication enable console TACACS+ LOCAL (authenticates the enable prompt via TACACS+, with LOCAL authentication as fallback)
aaa authentication ssh console TACACS+ LOCAL (authenticates SSH via TACACS+, with LOCAL authentication as fallback)
aaa authentication telnet console TACACS+ LOCAL (authenticates Telnet via TACACS+, with LOCAL authentication as fallback; Telnet carries credentials in cleartext, so only keep this line if Telnet is actually enabled on the device)
aaa authentication serial console TACACS+ LOCAL (authenticates the serial console via TACACS+, with LOCAL authentication as fallback)

ciscoasa(config)# show run | include aaa (verify the configuration)
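The lines above cover authentication only. For the ISE shell profiles and command sets configured later in this article to have any effect, the ASA must also request exec and command authorization from ISE, and accounting is what populates the TACACS+ Live Logs. The configuration below is an added, editor-supplied example built on the page's snippet, not the author's running config. It keeps the page's server group name (TACACS+), interface (DMZ) and ISE address (10.1.1.10); the shared secret, the local fallback username and the HTTP (ASDM) line are assumptions, and the cleartext Telnet line from the page is deliberately omitted.

```cisco
! Added example: complete ASAv TACACS+ device-administration configuration.
! Not the page author's configuration; group name, interface and ISE address
! are taken from the article, the secret and local username are placeholders.

! Local fallback account, used only when no server in the TACACS+ group answers.
username fallback-admin password <strong-local-password> privilege 15

! Server group and the ISE node, reached out of the DMZ interface.
aaa-server TACACS+ protocol tacacs+
 max-failed-attempts 3
aaa-server TACACS+ (DMZ) host 10.1.1.10
 key <shared-secret-matching-ISE>
 timeout 5

! Authentication: every management path goes to ISE first, LOCAL only if ISE is down.
aaa authentication ssh console TACACS+ LOCAL
aaa authentication serial console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authentication http console TACACS+ LOCAL

! Authorization: apply the privilege level ISE returns in the shell profile
! (auto-enable drops the user straight into that level, no separate enable),
! and ask ISE before each command so the ISE command sets are actually enforced.
aaa authorization exec authentication-server auto-enable
aaa authorization command TACACS+ LOCAL

! Accounting: session and per-command records are what show up in
! Operations > TACACS > Live Logs on ISE.
aaa accounting ssh console TACACS+
aaa accounting serial console TACACS+
aaa accounting enable console TACACS+
aaa accounting command TACACS+
```

Add the two aaa authorization lines last, after you have confirmed authentication through ISE works: once aaa authorization command is active, every command (including show and enable) has to be permitted by the ISE command set, and the LOCAL fallback only applies when the whole server group is unreachable.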

Configure Cisco ISE 2.3

Navigate to: Administration >>> System >>> Deployment

As per the screenshot below, edit your node and check the box ‘Enable Device Admin Service’.

NOTE: As mentioned in the video demonstration, this is a licensed feature (the ISE Device Administration licence); without it the Device Admin Service cannot be enabled on the node.

Navigate to: Administration >>> Network Resources >>> Network Devices

As per screenshot below, add your network device, ensuring you have included the correct TACACS+ key. The key must match the one configured under the aaa-server host on the ASAv, and the device IP address in ISE must be the source address the ASAv uses on its DMZ interface, otherwise ISE will drop the requests as coming from an unknown device.

Navigate to: Work Centers >>> Device Administration >>> Policy Elements >>> (Left-hand pane) Results >>> TACACS profiles 

As per screenshot below, add your TACACS+ shell profile. You can create ones that fit your requirements. For the ASA, the Default Privilege set in the profile is the privilege level the device applies to the session when exec authorization is enabled, so an administrator profile would typically return 15.

Navigate to: Work Centers >>> Device Administration >>> Policy Elements >>> (Left-hand pane) Results >>> TACACS Command Sets 

As per screenshot below, add your own specific command sets. A command set is a whitelist of command and argument patterns; leave "Permit any command that is not listed" unchecked for restricted roles, and remember that the set is only consulted if the network device has command authorization enabled.

Navigate to: Work Centers >>> Device Administration >>> Device Admin Policy Sets

As per screenshot below, add your TACACS+ policy set or modify the default policy set.


As per screenshot below, you can expand into your policy set and specify the relevant criteria. This is where you specify the user groups to be used, the command sets to be used and the shell profiles to be used. Please watch the video below for more information.


Verify Functionality

Navigate to: Operations >>> TACACS >>> Live Logs

As per screenshot below, you can check that authentication and authorization have been successful. Each login produces an authentication record and, with exec and command authorization configured on the device, separate authorization records showing which shell profile and command set were matched; a failed request will show the failure reason in the details, which is the first place to look when the ASAv falls back to LOCAL.

Test User Access from Network Device

As per screenshot below, we can see that the user has been authenticated successfully.
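The checks below, from the ASAv side, are an added example of how to confirm the integration before relying on it; they are not part of the original article. The group name and ISE address are the ones used throughout the page, and the test username and password are placeholders.

```cisco
! Added example: verifying the TACACS+ integration from the ASAv CLI.
! Not from the original article; username and password are placeholders.

! 1. Is the ISE node marked ACTIVE in the group, and how many failures has it had?
show aaa-server TACACS+

! 2. Exercise authentication against the specific ISE host without opening a new
!    session; a failure here points at the shared secret or the device entry in ISE.
test aaa-server authentication TACACS+ host 10.1.1.10 username netadmin password <test-password>

! 3. From a freshly opened SSH session, confirm the privilege level that ISE's
!    shell profile returned was actually applied to the logged-in user.
show curpriv

! 4. If a command is unexpectedly denied, watch the authorization exchange in real
!    time from a session that is already logged in (turn it off again afterwards).
debug tacacs
undebug all
```

Run step 2 before enabling command authorization on the device and again after any change to the ISE device entry or shared secret; the test result on the ASA and the matching record in ISE's TACACS Live Logs should agree.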

Video Demonstration


Security Solutions Consulting Engineer @ Cisco - CCNA R&S/CCNA Security, CCDA & CCNP R&S - Currently working on CCIE Security. Sharing my knowledge and passion for technology. All views are mine and NOT of my company.

2 Comments

  1. Thanks mate for this, excellent.
