12/1/2021»»Wednesday

Tacacs+ Ise

12/1/2021

Overview

Tacacs+ is an authentication protocol used to validate users to access and manage network devices. It is widely used as part of network security applications. For more information about Tacacs protocol, we let the owner of the protocol to explain in detail on this link.

Well it doesn't seem to matter what I think, because Cisco has publicly stated that TACACS+ will come to ISE at some point. But at least I have this blog to use as a soapbox to stand on & a. Introduction This document describes how to configure TACACS+ Authentication and Command Authorization based on Microsoft Active Directory (AD) group membership of a user with Identity Service Engine (ISE) 2.0 and later. ISE uses AD as an external identity store to store resources such as users, machines, groups, and attributes.

This document describes required action on both Verge switches and Cisco ISE. This is a tested configuration for basic usage. The configuration on ISE side can be improved, but this is out of our scope here.

Configuration

Verge Configuration

All Angora edge switches running version greater than 4.0, support TACACS+ . The exact same configuration provided below is applicable to all models and software versions (including stacked device groups)

To configure TACACS+ authentication, you basically need to define TACACS+ server (which in this document case, is a Cisco ISE) and tell the device to go and check the user validity with this server. You can configure more than one server and prioritize them to send the requests. Here, we are using only a single server for quick and easy setup. All timeouts are left at default values. You can check TACACS+ commands and all default values from the TACACS+ command line documentation, located on this link.

(config)#aaa authentication login authorization default tacacs local

(config)#aaa authentication enable authorization default tacacs

(config)#tacacs-server host 192.168.1.15 key angora

(config)#tacacs-server host source-interface vlan 1

This is all the configuration items you need on Verge Switches side. Now lets configure Cisco ISE.

Cisco Identity Services Engine (ISE) Configuration

Cisco ISE is used to securely accessing to network resources for users and devices. It is basically a radius server, providing 802.1x services, with enhanced features such as profiling. Beside radius support, it can also act as a tacacs server, to simplify secure management access to network devices.

You can find information about the product from Cisco website.

This section of the document, will guide you configure Cisco ISE, to work with Verge switches for tacacs functionality. ISE software version used to prepare this document, is 2.6 which is the latest version as of the date of publication of this document.

To start configuring tacacs functionality, you need to make sure that, tacacs service is enabled.

To enable tacacs service, use following menu:

Work Centers->Device Administration->Overview->Deployment

You need to activate all or specific ISE nodes, to provide tacacs services.

Once the tacacs service is enabled, you can start configuring the basics. Rest of the configuration will go through the “Work Centers->Device Administration” menu

Create network device

First, you must define the network device that will be accessed by tacacs credentials. To create a new device, use network resources menu

Work Centers->Device Administration->Network Resources

From the network resources section menu, click “Network Devices”, and then “+Add” tab. A new page will be opened to enter, the device informations.

2.4
  • Fill the mandatory fields on the form.
  • Keep the “Device Profile” as Cisco
  • Check “Tacacs Authentication Settings” and write the same secret that you entered in switch configuration, into the shared secret field.

Be aware that you need to enter the same secret on both side, otherwise your tacacs requests will be rejected, and you will not be able to enter into device CLI.

Below is a sample configuration:

Click save at the bottom of the page, to create the network device.

Once created, the device will be listed as shown below:

Create Tacacs Profile

Create new tacacs profile by clicking “+Add” from;

Device Administration->Policy Elements->Results->Tacacs Profiles

In this example, a new profile to assign user into privilege level 15, which is capable to check all switch functionalities and configure the device.

Create Command Sets

Command sets are used. to identify the commands allowed to the users. As Angora Verge switches are currently not supporting tacacs command authorization, you simply need to create a simple command set that will allow all commands. Commands allowed to a user can be distinguished by the privileges defined in the tacacs profile.

To create a command set, click “+Add” from;

Device Administration->Policy Elements->Results->Tacacs Command Sets

Simply add an appropriate name, check “Permit any command that is not listed below” box, and “Save”.

Create User Identity Groups

It is usually a good idea, to group users with the same privilege into a user group.

To create a new user group, click “+Add” from;

Tacacs ise license

Device Administration->User Identity Groups->User Identity Groups

In the following example, a user group named “Privilege 15 Users” is created:

Create User

Tacacs+ Ise

To create actual user accounts to be used for device access, Click “+Add” from;

Device Administration->Identities->Users

Add mandatory fields such as “Name” and “Login Password” and assign the user into appropriate group, in this case, “Privilege 15 Users”

Click save to create the user. You can add as many user as you want by repeating the same procedure. You can also use other directory services for username and password control, but the scope of this document is limited to ISE internal user database.

Since, devices and users are created, you need to create a policy to accept tacacs requests.

Tacacs Ise 2.3

Update Policy Sets

Cisco ISE comes with a set of preconfigured policy sets. To check the policy sets, and add new policies, use the following menu:

Device Administration->Device Admin Policy Sets

Click the gear icon on the right side of the “default” line to add a “new row above”

Change the name of new policy set, and click the “+” sign on the “Conditions” column.

For basic functionality, you can use a condition that will match to any device created before. In the right hand side “Editor” section, select “DEVICE:Device Type” Equals to All Device Types

Click Save to save this condition into the library, and then click “Use” to add this condition into policy set.

Once the new policy set is defined, click the “>” (arrow) sign to open the policy set details page.

Expand the “Authorization Policy” line. Add new row on above by clicking the gear icon on the end of the default policy line.

Rename the rule and click “+” to add a new condition. This condition will be used to match the user group.

On the editor section, select “Identity Group:Name” Equals to “User Identity Groups: Privilege 15 Groups”, and click save to add this condition into the library.

Tacacs Ise Configuration

Click “Use” to return policy definition page.

To finalize the policy set, choose the command sets and shell profiles defined above, and click save to activate the policy sets.

This concludes the configuration required on Cisco ISE. You can now try to log into the device that you add into ISE, with the user created.

A successful login attempt, will be shown in tacacs live logs, that you reach from;

Operations->Tacacs->Live logs

Here is a sample log: