Cisco :: ISE 2.3 Device Administration using TACACS+

In this article I will cover network device administration using TACACS+ on Cisco’s Identity Services Engine (ISE). Alongside the video demonstration, I will also list the TACACS+ configuration required on Cisco’s ASAv.

Configure the Network Device/s

In the video demonstration, I have used the ASAv as the network device I would like ISE to administer. Follow the steps below to configure the ASAv.

aaa-server TACACS+ protocol tacacs+ (creates the TACACS+ server group that aaa will use)
aaa-server TACACS+ (DMZ) host 10.1.1.10 (adds the ISE node to the group and tells the ASAv which interface ISE can be reached through)
 key Cisco123 (enter your TACACS+ key; it must match the shared secret you give this device in ISE)

aaa authentication enable console TACACS+ LOCAL (authenticates the enable prompt via TACACS+ with LOCAL authentication as a fallback)
aaa authentication ssh console TACACS+ LOCAL (authenticates SSH via TACACS+ with LOCAL authentication as a fallback)
aaa authentication telnet console TACACS+ LOCAL (authenticates Telnet via TACACS+ with LOCAL authentication as a fallback)
aaa authentication serial console TACACS+ LOCAL (authenticates the serial console via TACACS+ with LOCAL authentication as a fallback)

ciscoasa(config)# show run | include aaa (verify configuration)
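The verification step above is a visual read of the aaa lines. As an added example (not part of the original article), the script below parses a pasted "show run | include aaa" excerpt and reports anything that deviates from the intended state: a TACACS+ server group with at least one host, and TACACS+ listed before LOCAL on each of the four console access methods. The sample outputs are constructed for the example; the key line is not shown by that filter, so the shared secret cannot be checked this way.

```python
import re

# Console access methods the article configures; each should list TACACS+
# first and LOCAL as the fallback.
REQUIRED_CONSOLES = ("enable", "ssh", "telnet", "serial")

SERVER_GROUP_RE = re.compile(r"^aaa-server (\S+) protocol tacacs\+$")
SERVER_HOST_RE = re.compile(r"^aaa-server (\S+) \((\S+)\) host (\S+)$")
AUTH_RE = re.compile(r"^aaa authentication (\S+) console (.+)$")


def check_aaa_config(config_lines):
    """Return a list of findings (empty when the config matches the article)."""
    groups = set()          # TACACS+ server groups
    hosts = {}              # group name -> [(interface, ip), ...]
    consoles = {}           # console type -> ordered method list
    for raw in config_lines:
        line = raw.strip()
        m = SERVER_GROUP_RE.match(line)
        if m:
            groups.add(m.group(1))
            continue
        m = SERVER_HOST_RE.match(line)
        if m:
            hosts.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
            continue
        m = AUTH_RE.match(line)
        if m:
            consoles[m.group(1)] = m.group(2).split()

    findings = []
    if not groups:
        findings.append("no TACACS+ server group defined")
    for group in sorted(groups):
        if not hosts.get(group):
            findings.append(f"server group {group} has no host configured")
    usable_groups = {g for g in groups if hosts.get(g)}
    for console in REQUIRED_CONSOLES:
        methods = consoles.get(console)
        if methods is None:
            findings.append(f"{console} console does not use aaa authentication")
            continue
        if methods[0] not in usable_groups:
            findings.append(
                f"{console} console: first method is {methods[0]}, "
                "not a TACACS+ group with a host")
        if "LOCAL" not in methods:
            findings.append(f"{console} console: no LOCAL fallback")
    return findings


# Constructed sample of "show run | include aaa" output matching the article.
SAMPLE_GOOD = """\
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (DMZ) host 10.1.1.10
aaa authentication enable console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authentication telnet console TACACS+ LOCAL
aaa authentication serial console TACACS+ LOCAL
""".splitlines()

# Constructed weaker config: LOCAL consulted before TACACS+ for SSH, telnet
# left without AAA, serial with no fallback at all.
SAMPLE_WEAK = """\
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (DMZ) host 10.1.1.10
aaa authentication enable console TACACS+ LOCAL
aaa authentication ssh console LOCAL TACACS+
aaa authentication serial console TACACS+
""".splitlines()

if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("weak", SAMPLE_WEAK)):
        print(name, check_aaa_config(sample) or ["OK"])
```

One caveat the check cannot see: on the ASA the LOCAL fallback is only consulted when the TACACS+ servers in the group are unreachable, not when ISE answers with a reject, so a wrong shared key or an unreachable ISE node is what sends logins to the local database. The live logs section later in the article is the place to confirm that ISE, not the fallback, is actually answering.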

Configure Cisco ISE 2.3

Navigate to: Administration >>> System >>> Deployment

As per the screenshot below, edit your node and tick the ‘Enable Device Admin Service’ box.

NOTE: As mentioned in the video demonstration, this is a licensed feature.

Navigate to: Administration >>> Network Resources >>> Network Devices

As per the screenshot below, add your network device, making sure the TACACS+ key you enter matches the one configured on the device.

Navigate to: Work Centers >>> Device Administration >>> Policy Elements >>> (Left-hand pane) Results >>> TACACS profiles 

As per the screenshot below, add your TACACS+ shell profile. You can create profiles that fit your requirements.

Navigate to: Work Centers >>> Device Administration >>> Policy Elements >>> (Left-hand pane) Results >>> TACACS Command Sets 

As per the screenshot below, add your own specific command sets.
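To show what a command set actually does once it is attached to a policy, here is an added illustration (my own example, not Cisco ISE code and not from the original article) of command-authorization rule evaluation. Each rule carries a grant, a command word and an argument regex, and the set has a flag for commands no rule matches. The precedence used here (DENY_ALWAYS beats PERMIT beats DENY, then the unmatched-command flag), matching the command word case-insensitively and searching the argument regex with re.search, are assumptions made for this model; check the ISE documentation for the exact semantics of your release. The operator command set and command lines are constructed.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    grant: str              # "PERMIT", "DENY" or "DENY_ALWAYS"
    command: str            # first word of the CLI line, e.g. "show"
    args: str = ""          # regex applied to the rest of the line; "" matches anything

    def matches(self, command, arguments):
        # Assumption for this model: command word compared case-insensitively,
        # argument regex searched anywhere in the remaining text.
        if command.lower() != self.command.lower():
            return False
        return re.search(self.args, arguments) is not None


@dataclass
class CommandSet:
    name: str
    rules: list
    permit_unmatched: bool = False   # "permit any command that is not listed"

    def evaluate(self, cli_line):
        """Return (allowed, reason) for one command line sent for authorization."""
        parts = cli_line.strip().split(None, 1)
        if not parts:
            return False, f"{self.name}: empty command denied"
        command = parts[0]
        arguments = parts[1] if len(parts) > 1 else ""
        matched = [r for r in self.rules if r.matches(command, arguments)]
        # Assumed precedence for this model: DENY_ALWAYS, then PERMIT, then DENY.
        for grant in ("DENY_ALWAYS", "PERMIT", "DENY"):
            for rule in matched:
                if rule.grant == grant:
                    return (grant == "PERMIT",
                            f"{self.name}: {grant} {rule.command} {rule.args!r}")
        if self.permit_unmatched:
            return True, f"{self.name}: unmatched command permitted by default"
        return False, f"{self.name}: no rule matched, denied by default"


# Constructed example set for a read-only operator: any show command except the
# stored configuration (DENY_ALWAYS wins over the broad PERMIT), plus ping.
OPERATOR_SET = CommandSet(
    name="ReadOnlyOperator",
    rules=[
        Rule("DENY_ALWAYS", "show", r"running-config|startup-config"),
        Rule("PERMIT", "show"),
        Rule("PERMIT", "ping"),
    ],
)

if __name__ == "__main__":
    for line in ("show version", "show running-config",
                 "ping 10.1.1.1", "configure terminal"):
        print(f"{line!r:24} -> {OPERATOR_SET.evaluate(line)}")
```

The point of the broad PERMIT plus a narrow DENY_ALWAYS is that a read-only operator can use every show command except the ones that expose the stored configuration, and leaving the unmatched-command flag off means anything you did not think of (configure terminal, for example) is denied rather than silently allowed.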


Navigate to: Work Centers >>> Device Administration >>> Device Admin Policy Sets

As per the screenshot below, add your TACACS+ policy set or modify the default policy set.

As per the screenshot below, you can expand your policy set and specify the relevant criteria. This is where you tie together the user groups, the command sets and the shell profiles to be used. Please watch the video below for more information.

Verify Functionality

Navigate to: Operations >>> TACACS >>> Live Logs

As per the screenshot below, you can check that authentication and authorization have been successful.

Test User Access from Network Device

As per the screenshot below, we can see that the user has been authenticated successfully.

Video Demonstration
