TACACS SERVICE DEPLOYMENT AND IMPLEMENTATION
(By Minh Dang, Feb 2019)
ON ISE SIDE
Step 1: Check whether the TACACS service is already enabled in the ISE deployment.
Make sure Device Admin is checked.
Step 2: Create IOS command sets and TACACS profiles. We can have two IOS command sets, “level7commandset” and “fullcommandset”. For the TACACS profiles, we may have “monitor or readonly” and “administrator”.
In the screenshot below, “level7commandset” has been created with two commands in it. You can check the syntax of a command by clicking the validate checkmark on the right side. Hit Submit when done.
“Level15commandset” has also been created with the full command set.
Step 3: Create two TACACS profiles, NetworkAdminLevel15 and NetworkAdminLevel1 (monitor).
TACACS profile for a monitoring-only administrator
Step 5: Create two internal user groups, Administrator (level 15) and monitor (level 1). These users are local to Cisco ISE.
Step 6: Create the TACACS policy in ISE. From the menu, go to Work Center, then the device monitoring policy.
Add a new TACACS policy above the default. Pay attention to the condition that triggers the policy. Here we select “All device types” and match the protocol “TACACS”. We can change the device type to specific devices if we want.
Step 7: In the authentication policy, we can select “AllUserIDStore”. We can create customized ID stores that combine AD users, RSA token servers or DualBio data sources and apply them here.
Step 8: Create authorization rules in the TACACS policy. These rules simply check the groups that the user belongs to and then assign the corresponding authorization.
Step 9: Create a test user in the monitoring (level 1) group.
Assign the user to the monitoring group (level 1). Hit Submit when done.
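The group-to-profile mapping that Steps 2 to 8 build, as an added example (not from the original document or from ISE itself): a simplified Python model of the authorization decisions ISE would return for the groups, profiles and command sets named above. The command-set contents, the first-match evaluation order and the privilege levels are assumptions, since the page names the objects but does not show their rules.

```python
import re
from dataclasses import dataclass

@dataclass
class CommandSet:
    """One ISE command set: ordered (grant, command, argument-regex) rules."""
    name: str
    rules: list
    permit_unlisted: bool = False   # the "permit any command not listed" option

    def authorize(self, command, args=""):
        # Simplified ISE semantics (assumption): the first matching rule decides,
        # and an unmatched command falls back to permit_unlisted.
        for grant, cmd, arg_re in self.rules:
            if cmd == command and re.fullmatch(arg_re, args):
                return grant == "permit"
        return self.permit_unlisted

# Assumed contents; the page names the sets and profiles but not their rules.
LEVEL7 = CommandSet("level7commandset", [("permit", "show", ".*"), ("permit", "ping", ".*")])
FULL = CommandSet("fullcommandset", [], permit_unlisted=True)
PROFILES = {"NetworkAdminLevel15": 15, "NetworkAdminLevel1": 1}   # shell profile -> priv-lvl
# Step 8: authorization rules keyed on the internal user group.
RULES = {"administrator": ("NetworkAdminLevel15", FULL),
         "monitor": ("NetworkAdminLevel1", LEVEL7)}

def authorize_session(group):
    """Exec authorization: (privilege level, command set) for the group, else None."""
    if group not in RULES:
        return None                     # no matching rule: deny the session
    profile, cset = RULES[group]
    return PROFILES[profile], cset

def authorize_command(group, command, args=""):
    """Per-command authorization, as the switch would ask ISE for each command."""
    session = authorize_session(group)
    return session is not None and session[1].authorize(command, args)
```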
ON THE CLIENT SIDE, PLEASE USE THE TEMPLATES BELOW FOR CATALYST SWITCHES, NEXUS, WIRELESS LAN CONTROLLERS, WIRELESS LAN MOBILITY EXPRESS AND ASA
*****************
CATALYST SWITCHES
*****************
aaa new-model
tacacs server ise03
address ipv4 10.215.26.50
key VnPro123
tacacs server ise04
address ipv4 10.215.26.49
key VnPro123
aaa group server tacacs+ ISESRV
server name ise03
server name ise04
aaa authentication login VTY group ISESRV local
aaa authentication enable default group ISESRV enable
aaa authorization exec CON none
aaa authorization console
aaa authorization exec VTY group ISESRV local if-authenticated
aaa accounting exec default start-stop group ISESRV
aaa accounting commands 1 default start-stop group ISESRV
aaa accounting commands 15 default start-stop group ISESRV
aaa accounting network default start-stop group ISESRV
aaa accounting connection default start-stop group ISESRV
aaa accounting system default start-stop group ISESRV
ip tacacs source-interface [loopback0 | vlan1]
line con 0
authorization exec CON
line vty 0 4
transport input ssh
login authentication VTY
authorization exec VTY
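An added check, not part of the original template: a Python audit that verifies a Catalyst running-config contains the AAA elements of the template above, including a key on every tacacs server block and ssh-only VTY lines. It assumes the config is plain text as printed by show running-config (indentation is not relied on) and uses the template's own list names (VTY, ISESRV); the sample config at the end is constructed.

```python
import re

CHILD = ("address ", "key ", "server name ", "transport ", "login ", "authorization ")
GLOBAL_REQUIRED = [  # (finding, regex that one whole top-level config line must match)
    ("aaa new-model missing", r"aaa new-model"),
    ("VTY login authentication not via ISESRV", r"aaa authentication login VTY group ISESRV.*"),
    ("enable authentication not via ISESRV", r"aaa authentication enable default group ISESRV.*"),
    ("level 15 command accounting missing", r"aaa accounting commands 15 default start-stop group ISESRV"),
    ("tacacs source-interface not pinned", r"ip tacacs source-interface .+"),
]

def parse_blocks(config):
    # Attach sub-commands to their parent line; top-level lines get an empty list.
    blocks, parent = {}, None
    for line in (l.strip() for l in config.splitlines()):
        if not line or line.startswith("!"):
            continue
        if line.startswith(CHILD) and parent is not None:
            blocks[parent].append(line)
        else:
            parent = line
            blocks.setdefault(parent, [])
    return blocks

def audit_aaa(config):
    """Return findings; an empty list means every checked element is present."""
    blocks = parse_blocks(config)
    findings = [msg for msg, pat in GLOBAL_REQUIRED
                if not any(re.fullmatch(pat, l) for l in blocks)]
    for parent, children in blocks.items():
        if parent.startswith("tacacs server ") and not any(c.startswith("key ") for c in children):
            findings.append(f"{parent}: no key configured")
        if parent.startswith("line vty"):
            for need in ("transport input ssh", "login authentication VTY", "authorization exec VTY"):
                if need not in children:
                    findings.append(f"{parent}: missing '{need}'")
    return findings

# Constructed sample: the template above with the VTY ssh restriction removed
# and the key dropped from ise04, to show what the audit reports.
WEAK = """aaa new-model
tacacs server ise04
 address ipv4 10.215.26.49
aaa authentication login VTY group ISESRV local
aaa authentication enable default group ISESRV enable
aaa authorization exec VTY group ISESRV local if-authenticated
aaa accounting commands 15 default start-stop group ISESRV
ip tacacs source-interface loopback0
line vty 0 4
 login authentication VTY
 authorization exec VTY"""
```

Running audit_aaa(WEAK) reports the missing server key and the missing ssh-only transport; an empty result means the device matches the template.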
*****************************************************
*************************
NEXUS SWITCH
*************************
feature tacacs+
tacacs-server host 10.215.26.50 key VnPro123
aaa group server tacacs+ ISESRV
server 10.215.26.50
aaa authentication login default group ISESRV none
aaa authentication login console local
aaa authorization config-commands default group ISESRV local
aaa authorization commands default group ISESRV local
*****************************************************
*************************
WIRELESS LAN CONTROLLER
*************************
Cisco Mobility Express - Cisco ME
Controller> config tacacs auth add 1 10.192.5.35 49 ascii Cisco123
Controller> config tacacs acct add 1 10.192.5.35 49 ascii Cisco123
Controller> config tacacs athr add 1 10.192.5.35 49 ascii Cisco123
Controller> config aaa auth mgmt local tacacs
*****************************************************
*************************
WIRELESS LAN CONTROLLER 5508/5520
*************************
Step 1: Enable the TACACS service on the 5500 controllers.
Log in to the controller GUI, then go to the Security tab.
Step 2: Select Security tab -> TACACS (Authentication, Accounting, Authorization).
From the menu, add 10.192.5.35, port 49.
Step 3: Go to Priority Order and change the order of authentication:
Radius -> Not Used
Order Used for Authentication -> Local, then TACACS
*****************************************************
*************************
ASA
*************************
Create a local user with full privilege for fallback, using the username command as shown here.
ciscoasa(config)# username cisco password cisco privilege 15
Define the TACACS server ISE: specify the protocol, the interface, the IP address and the TACACS key.
aaa-server ISE protocol tacacs+
aaa-server ISE (mgmt) host 10.192.5.35
key Cisco123
Test TACACS server reachability with the test aaa-server command as shown.
ciscoasa# test aaa-server authentication ISE host 10.192.5.35 username administrator password Cisco123
Configure authentication for SSH, exec authorization and command authorization as shown below. With aaa authorization exec authentication-server auto-enable you are placed in privileged EXEC mode automatically.
aaa authentication ssh console ISE
aaa authorization command ISE
aaa authorization exec authentication-server auto-enable
ssh 0.0.0.0 0.0.0.0 mgmt
Note: With the commands above, authentication is done on ISE, the user is placed directly into privileged mode and command authorization takes place. The auto-enable keyword is required on the ASA because the ASA does not understand/accept the Cisco AV-pair value.