Cisco ISE Device Administration using TACACS+

In this article, I will cover network device administration using TACACS+ on Cisco’s Identity Services Engine. Accompanied by a video demonstration, I will also list the TACACS+ configuration required for Cisco’s ASAv.

Configure the Network Device/s
In the video demonstration, I have used the ASAv as the network device I would like ISE to administer. Follow the steps below to configure the ASAv.
aaa-server TACACS+ protocol tacacs+ (configures TACACS+ to be used with aaa)
aaa-server TACACS+ (DMZ) host 10.1.1.10 (tells the ASAv on which interface ISE can be reached)
key Cisco123 (enter your TACACS+ key)
aaa authentication enable console TACACS+ LOCAL (authenticates enable prompt via TACACS+ with LOCAL authentication as fallback)
aaa authentication ssh console TACACS+ LOCAL (authenticates ssh via TACACS+ with LOCAL authentication as a fallback)
aaa authentication telnet console TACACS+ LOCAL (authenticates telnet via TACACS+ with LOCAL authentication as a fallback)
aaa authentication serial console TACACS+ LOCAL (authenticates serial via TACACS+ with LOCAL authentication as a fallback)
ciscoasa(config)# show run | include aaa (verify configuration)
Configure Cisco ISE
Navigate to: Administration >>> System >>> Deployment
Edit your node and check the box ‘Enable Device Admin Service’.
NOTE: As mentioned in the video demonstration, this is a licensed feature.
 
Navigate to: Administration >>> Network Resources >>> Network Devices
Navigate to: Work Centers >>> Device Administration >>> Policy Elements >>> (Left-hand pane) Results >>> TACACS profiles 
 
Navigate to: Work Centers >>> Device Administration >>> Policy Elements >>> (Left-hand pane) Results >>> TACACS Command Sets 
 
Navigate to: Work Centers >>> Device Administration >>> Device Admin Policy Sets
Verify Functionality
Navigate to: Operations >>> TACACS >>> Live Logs
Additionally, if you would like to enable command authorization, use the configuration below.
 
Note: If command authorization is implemented incorrectly, you could end up locking yourself out of your devices.
Enabling Authorization
 
aaa authorization command TACACS+ LOCAL (allows command authorization to be configured for all administrators on all consoles)
 
aaa authorization exec authentication-server (uses the same servers that authenticated the user for exec authorization)
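As an added example (not part of the original article), here is a small Python check that parses `show run | include aaa` output and flags any TACACS+-backed authentication or command-authorization line that lacks the LOCAL fallback, which is the misconfiguration behind the lockout warning above. The sample configuration is constructed to match the commands listed in this article; the host address and key are placeholder values.

```python
import re

# Constructed sample of `show run | include aaa` output from an ASAv, mirroring the
# commands in this article. Host 10.1.1.10 and key Cisco123 are placeholder values.
SAMPLE_CONFIG = """\
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (DMZ) host 10.1.1.10
 key Cisco123
aaa authentication enable console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authentication telnet console TACACS+ LOCAL
aaa authentication serial console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL
aaa authorization exec authentication-server
"""

PROTO_RE = re.compile(r"^aaa-server (\S+) protocol tacacs\+$")
HOST_RE = re.compile(r"^aaa-server (\S+) \((\S+)\) host (\S+)")
AUTH_RE = re.compile(r"^aaa authentication (\S+) console (\S+)(?: (\S+))?$")
AUTHZ_CMD_RE = re.compile(r"^aaa authorization command (\S+)(?: (\S+))?$")


def check_tacacs_lockout_risk(config: str) -> list:
    """Return a list of findings. An empty list means every TACACS+ server group
    has a host and every line that relies on it keeps LOCAL as a fallback."""
    findings = []
    groups, hosted = set(), set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := PROTO_RE.match(line):
            groups.add(m.group(1))          # TACACS+ server group defined
        elif m := HOST_RE.match(line):
            hosted.add(m.group(1))          # group has at least one reachable host
        elif m := AUTH_RE.match(line):
            method, group, fallback = m.groups()
            if group in groups and fallback != "LOCAL":
                findings.append(f"authentication {method}: no LOCAL fallback")
        elif m := AUTHZ_CMD_RE.match(line):
            group, fallback = m.groups()
            if group in groups and fallback != "LOCAL":
                findings.append("authorization command: no LOCAL fallback")
    # A group referenced by aaa lines but with no host can never answer a request.
    for group in sorted(groups - hosted):
        findings.append(f"server group {group}: no host configured")
    return findings


if __name__ == "__main__":
    for finding in check_tacacs_lockout_risk(SAMPLE_CONFIG) or ["no lockout risk found"]:
        print(finding)
```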
 
