Cisco :: ISE 2.3 Device Administration using TACACS+

In this article, I will cover network device administration using TACACS+ on Cisco’s Identity Services Engine. Accompanied by a video demonstration, I will also list the TACACS+ configuration required for Cisco’s ASAv.

Configure the Network Device/s

In the video demonstration, I have used the ASAv as the network device I would like ISE to administer. Follow the steps below to configure the ASAv.

aaa-server TACACS+ protocol tacacs+ (defines an AAA server group named TACACS+ that uses the TACACS+ protocol)
aaa-server TACACS+ (DMZ) host 10.1.1.10 (adds ISE to the group as a host at 10.1.1.10, reachable via the DMZ interface)
 key Cisco123 (enter your TACACS+ key; it must match the shared secret you configure for this device in ISE)

aaa authentication enable console TACACS+ LOCAL (authenticates the enable prompt via TACACS+ with LOCAL authentication as a fallback)
aaa authentication ssh console TACACS+ LOCAL (authenticates SSH via TACACS+ with LOCAL authentication as a fallback)
aaa authentication telnet console TACACS+ LOCAL (authenticates Telnet via TACACS+ with LOCAL authentication as a fallback)
aaa authentication serial console TACACS+ LOCAL (authenticates the serial console via TACACS+ with LOCAL authentication as a fallback)

ciscoasa(config)# show run | include aaa (verify the configuration)
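The shared key set by the key line is the only secret protecting the TACACS+ exchange between the ASAv and ISE. The Python below is an added example, not code from the original post: it encodes the ASCII-login START the ASA sends and decodes the REPLY ISE answers with, showing how the key drives the RFC 8907 MD5 keystream that obfuscates every packet body. The session ID, username, port and address values are constructed samples.

```python
import hashlib
import struct

# Added example: TACACS+ (RFC 8907) packet encoding between a network device and ISE.
# The key configured on the ASA and in ISE must match; it seeds the MD5 keystream below.
VERSION = 0xC0          # major version 12, minor version 0
TYPE_AUTHEN = 0x01      # packet type: authentication
STATUS_NAMES = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER",
                5: "GETPASS", 6: "RESTART", 7: "ERROR"}

def keystream(session_id: int, key: bytes, seq_no: int, length: int) -> bytes:
    """MD5 pseudo-pad: MD5(session_id | key | version | seq_no [| previous digest])."""
    sid = struct.pack("!I", session_id)
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(sid + key + bytes([VERSION, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body: bytes, session_id: int, key: bytes, seq_no: int) -> bytes:
    """XOR with the keystream; applying it twice restores the clear body."""
    return bytes(b ^ k for b, k in zip(body, keystream(session_id, key, seq_no, len(body))))

def authen_start(user: str, port: str, rem_addr: str, key: bytes, session_id: int) -> bytes:
    """Sequence 1 of an ASCII login: action LOGIN(1), priv_lvl 1, authen_type ASCII(1), service LOGIN(1)."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    body = struct.pack("!8B", 1, 1, 1, 1, len(u), len(p), len(r), 0) + u + p + r
    header = struct.pack("!BBBBII", VERSION, TYPE_AUTHEN, 1, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, 1)

def authen_reply(status: int, server_msg: str, key: bytes, session_id: int, seq_no: int) -> bytes:
    """Server-side REPLY, e.g. GETPASS(5) prompting for the password or PASS(1) on success."""
    m = server_msg.encode()
    body = struct.pack("!BBHH", status, 0, len(m), 0) + m
    header = struct.pack("!BBBBII", VERSION, TYPE_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, seq_no)

def parse_reply(packet: bytes, key: bytes) -> dict:
    """Decode an authentication REPLY; rejects packets whose length field does not match."""
    ver, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    if ptype != TYPE_AUTHEN or length != len(packet) - 12:
        raise ValueError("not a well-formed authentication packet")
    # Flag 0x01 means the body was sent in the clear (unencrypted mode); otherwise strip the pad.
    body = packet[12:] if flags & 0x01 else obfuscate(packet[12:], session_id, key, seq_no)
    status, _rflags, msg_len, _data_len = struct.unpack("!BBHH", body[:6])
    return {"seq_no": seq_no, "status": STATUS_NAMES.get(status, status),
            "server_msg": body[6:6 + msg_len].decode(errors="replace")}
```

Because the whole exchange rests on one static key fed to MD5, a long random key and a dedicated management path for the ASA-to-ISE traffic matter more than with most AAA protocols.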

Configure Cisco ISE 2.3

Navigate to: Administration >>> System >>> Deployment

As per the screenshot below, edit your node and check the box ‘Enable Device Admin Service’.

NOTE: As mentioned in the video demonstration, this is a licensed feature.

Navigate to: Administration >>> Network Resources >>> Network Devices

As per screenshot below, add your network device ensuring you have included the correct TACACS+ key.

Navigate to: Work Centers >>> Device Administration >>> Policy Elements >>> (Left-hand pane) Results >>> TACACS profiles 

As per the screenshot below, add your TACACS+ shell profile. You can create ones that fit your requirements.

Navigate to: Work Centers >>> Device Administration >>> Policy Elements >>> (Left-hand pane) Results >>> TACACS Command Sets 

As per screenshot below, add your own specific command sets.

Navigate to: Work Centers >>> Device Administration >>> Device Admin Policy Sets

As per screenshot below, add your TACACS+ policy set or modify the default policy set.

As per screenshot below, you can expand into your policy set and specify the relevant criteria. This is where you specify the user groups to be used, the command sets to be used and the shell profiles to be used. Please watch the video below for more information.

Verify Functionality

Navigate to: Operations >>> TACACS >>> Live Logs

As per the screenshot below, you can check that authentication and authorization have been successful.

Test User Access from Network Device

As per the screenshot below, we can see that the user has been authenticated successfully.

Video Demonstration

iwiizkiid

Kelvin is a Cyber Security professional with years of experience working with organisations in different verticals, both large and small. He enjoys contributing to the Network Wizkid knowledge base and he also creates technical content. Kelvin enjoys learning new things and often does this by working on achieving new technical certifications. He holds many professional certifications and, academically, he has achieved Bachelor's and Master's degrees in both Computer Networks and Cyber Security.

This Post Has 2 Comments

  1. CertKiller

    thanks mate for this excellent.

    1. Kelvin

      Hey CertKiller,

      No problem, thanks for reading/watching 🙂

      Regards,

      Kelvin
