Cisco ISE Device Administration using TACACS+

In this article, I will cover network device administration using TACACS+ on Cisco’s Identity Services Engine. Alongside a video demonstration, I will also list the TACACS+ configuration required on Cisco’s ASAv.

Configure the Network Device/s
In the video demonstration, I have used the ASAv as the network device I would like ISE to administer. Follow the steps below to configure the ASAv.
aaa-server TACACS+ protocol tacacs+ (defines a TACACS+ server group named TACACS+ for use with aaa)
aaa-server TACACS+ (DMZ) host 10.1.1.10 (adds the ISE node to the group, giving its IP address and the interface, here DMZ, through which the ASAv reaches it)
 key Cisco123 (enter your TACACS+ shared key; this must match the key configured for the device in ISE)
aaa authentication enable console TACACS+ LOCAL (authenticates the enable prompt via TACACS+, with LOCAL authentication as a fallback)
aaa authentication ssh console TACACS+ LOCAL (authenticates SSH via TACACS+, with LOCAL authentication as a fallback)
aaa authentication telnet console TACACS+ LOCAL (authenticates Telnet via TACACS+, with LOCAL authentication as a fallback)
aaa authentication serial console TACACS+ LOCAL (authenticates the serial console via TACACS+, with LOCAL authentication as a fallback)
ciscoasa(config)# show run | include aaa (verify the configuration)
Configure Cisco ISE
Navigate to: Administration >>> System >>> Deployment
Edit your node and check the box ‘Enable Device Admin Service’.
NOTE: As mentioned in the video demonstration, this is a licensed feature.
 
Navigate to: Administration >>> Network Resources >>> Network Devices
Navigate to: Work Centers >>> Device Administration >>> Policy Elements >>> (Left-hand pane) Results >>> TACACS profiles 
 
Navigate to: Work Centers >>> Device Administration >>> Policy Elements >>> (Left-hand pane) Results >>> TACACS Command Sets 
 
Navigate to: Work Centers >>> Device Administration >>> Device Admin Policy Sets
Verify Functionality
Navigate to: Operations >>> TACACS >>> Live Logs
Additionally, if you would like to enable command authorization, you can use the configuration below.
Note: If command authorization is implemented incorrectly, you could end up locking yourself out of your devices; the LOCAL fallback is what keeps a local administrator able to log in when ISE is unreachable.
Enabling Authorization
aaa authorization command TACACS+ LOCAL (enables command authorization via TACACS+ for all administrators on all consoles, with LOCAL authorization as a fallback)
aaa authorization exec authentication-server (obtains exec, i.e. management session, authorization from the same server group that authenticated the session)
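The lockout warning above is easy to check for mechanically. The following script is an added example (not part of the original article or of Cisco's tooling): it parses the output of show run | include aaa from the ASAv configuration shown earlier and flags any authentication or command-authorization line that points at an undefined server group or lacks the LOCAL fallback. The sample output is constructed and deliberately contains two weak lines.

```python
import re

# Constructed sample of "show run | include aaa" output. Two lines are
# deliberately missing the LOCAL fallback so the audit has something to find.
SAMPLE_ASA_AAA = """\
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (DMZ) host 10.1.1.10
aaa authentication enable console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authentication telnet console TACACS+
aaa authentication serial console TACACS+ LOCAL
aaa authorization command TACACS+
aaa authorization exec authentication-server
"""

GROUP_RE = re.compile(r"^aaa-server (\S+) protocol (\S+)$")
HOST_RE = re.compile(r"^aaa-server (\S+) \(\S+\) host (\S+)$")
AUTH_RE = re.compile(r"^aaa authentication (\S+) console (\S+)(?: (LOCAL))?$")
CMD_AUTHZ_RE = re.compile(r"^aaa authorization command (\S+)(?: (LOCAL))?$")
NO_FALLBACK = "no LOCAL fallback, lockout risk if TACACS+ is unreachable"


def audit_asa_aaa(config_text):
    """Return a list of findings (strings) about lockout risk in ASA AAA lines."""
    lines = [raw.strip() for raw in config_text.splitlines() if raw.strip()]
    groups = {}     # server group name -> protocol
    hosts = set()   # server groups that have at least one host defined
    for line in lines:
        m = GROUP_RE.match(line)
        if m:
            groups[m.group(1)] = m.group(2)
            continue
        m = HOST_RE.match(line)
        if m:
            hosts.add(m.group(1))
    findings = []
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            method, group, fallback = m.groups()
            if group not in groups:
                findings.append(f"{method}: server group '{group}' is not defined")
            elif group not in hosts:
                findings.append(f"{method}: server group '{group}' has no host")
            if fallback is None:
                findings.append(f"{method}: {NO_FALLBACK}")
            continue
        m = CMD_AUTHZ_RE.match(line)
        if m and m.group(2) is None:
            findings.append(f"command authorization: {NO_FALLBACK}")
    return findings
```

Run it against a real show run | include aaa capture before enabling command authorization; an empty list means every console path and the command-authorization line keep a LOCAL fallback.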
 

iwiizkiid

Kelvin is a Cyber Security professional with years of experience working with organisations in different verticals, both large and small. He enjoys contributing to the Network Wizkid knowledge base and he also creates technical content. Kelvin enjoys learning new things and often does this by working towards new technical certifications. He holds many professional certifications and, academically, he has achieved Bachelor's and Master's degrees in Computer Networks and Cyber Security.
