ISE TACACS Configuration
In this blog we are going to setup device administration on ISE. There are a few moving parts so I will put the structure in bullet points below just in case you want to go directly to a certain part of the blog.
- Setup ISE node for Device Administration.
- Configure Identity Groups and Identity Users.
- Add a network device group and a network device.
- Create Policy Element conditions.
- Create a Read-Only, Read-Write command set and a TACACS profile.
- Create a device admin policy set to support read and write users.
- Configure a 3560 to authentication against ISE.
The best way to begin any configuration in ISE is to use Work Centers as this puts all the required configuration into a structured flow of operation.
Setup ISE Node for Device Administration
To get started we need to go into the Device Administration flow shown below.
The first step we need to take is make our ISE node a Device Administration node, we can do this by going to the Deployment section in the overview menu on the left hand side. We then need to select our ISE node by selecting Specific Nodes you could also choose All Policy Service Nodes, this would normally be the case in a larger environment with multiple PSN’s but for demonstration purposes I will manually select the node.
Configure Identity Groups and Identity Users
Now we need to configure two identity groups, we will create a network read-only and a read-write group.
Move along from the Overview tab to User Identity Groups tab. You will be presented with the following.
We want to add the two identity groups,
To add the above identity groups click the Add button and type the identity group names.
Now we need to create two users one will be used as a read-only and the other will be a read write user. Go back to the Identities tab and then click Add to create the users.
The below is the information required to create the user, you can also see that we have added user1 to the Network_RW group we created in the previous step, I will go ahead and create user2 and add them to the group Networks_RO.
Now that we have created the users shown below we can move on to Network Resources.
Add a Network Device Group and a Network Device
The first thing we want to do is create a default TACACS secret. To do this we should select Default Devices on the left hand side. We need to set Default Network Device Status to Enable this will be used when a device is not found in Network Devices. We aren’t interested in Radius right now but we will discuss this in another blog topic. We want to tick the box Enable TACACS and put in a Shared Secret. Do we need to use Enable Single Connect Mode it depends if you have devices that are chatty in TACACS, if you are using scripts on your network you may want to enable it for this demo we are going to leave it unticked.
Enable Single Connect Mode – When you enable this feature it limits the amount of TACACS transactions between the NAD and ISE, lets say you have a script running on a device instead of creating multiple TACACS requests in will create single TCP connection with the whole request being passed over that.
Now we want to create a group that we can add our device into when we come to create it, on the left hand side select Network Device Groups.
Now lets create a root group, I’m going to call mine allthingsnetworking and then create a sub group called HQ.
On the left hand side select Network Devices, here we can add our NAD to ISE. Click on Add and the below will appear. Input the Switch name, IP Address normally a loopback or management vlan. Set your Network Device Group settings that we created in the previous step and then enter your TACACS key, this can be the same one you used in the Default Devices section.
Create Policy Element conditions
Now we need to configure our Library Conditions to match the Identity User Groups that we created before, once these have been configured we can use them when we create our Device Policy Set.
To create our Library condition select the Policy Elements tab which will drop you in to Library Conditions.
To create a match for the group Network_RW we need to create a condition in the editor on the right hand side and then click save once you have selected the Identity Group, save the condition as the Identity Group name. We need to follow the same process for the Network_RO group.
Create a Read-Only, Read-Write command set and a TACACS profile
We now need to create the command set for the RW and RO group, on the left hand side select Results which will open up another sub menu. In the menu select TACACS Command Sets and we will see the below.
Click the Add button to add a command and you will see the below.
In the above screenshot I have created a command set called Permit_All_Commands and ticked the box Permit any command that is not listed below, we will use this command set for the RW identity group.
Lets create another command set for the RO identity group and limit the commands that users can run.
On the left hand side select TACACS Profiles, you will be presented with the below. We need to two TACACS profiles one for Network_RW and one for Networks_RW. The TACACS profile is where we set the privilege level that will be applied to the identity group when authenticating against TACACS.
Lets click and create our TACACS Profile like below, you can adjust the timeout and idle time to whatever suits your environment and security polices.
On the above read-only account I’ve set the privilege level to 1, using the TACACS Command Set that we created earlier they will have access to show commands and ping.
Create our Device Admin Policy Set
Now we need to create our Device Admin Policy Set which will use all of the different items that we have created through the previous steps. To create a new policy set go to the tab Device Admin Policy Sets under Device Administration. Below you can see the Default policy set, lets create a new one specific to Cisco Switches and apply the Device Type as Cisco Switch and set the Allowed Protocols to Default Device Admin. Now that we have created the policy set lets setup the AAA by going to the > under view.
Once you have opened up the Policy Set you will see the below. In the Authentication Policy section we can manually select the identity store to check. In this demo we will leave it set to All_User_ID_Stores this will then check all identity stores from internal to external ones e.g. if we had connected ISE to Active Directory it would run checks against this to but this is beyond the scope of this blog.
Open up the Authorization Policy, this is where we will specify our Identity Groups and Commands Profiles that we created earlier. As you can see below I have created policy for Networks_RO and Networks_RW and selected the correct Command Sets and Shell Profiles.
Cisco Switch AAA to ISE
The last step of this article is to get our switch authenticating TACACS against our ISE node. This last step we will focus completely on the CLI of our demo switch.
- We need to create a local user on our switch that will be used as a fallback in case TACACS becomes unavailable.
username cisco privilege 15 secret C1sco12345
- Enable AAA new model to allow us to define our TACACS server and a TACACS group.
tacacs server ISE address ipv4 10.1.7.100 key Cisco123! aaa group server tacacs+ ISE_GROUP server name ISE
- Set your TACACS source interface either to a Loopback or Management vlan.
ip tacacs source-interface Vlan7
- By using the aaa test command below you can confirm reachability to your ISE node.
HQ-SW1#test aaa group tacacs+ user1 Password1 legacy
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.
- We now need to configure AAA for authentication and authorization. We can also configure our line vty using the method list we created called AAA.
aaa authentication login AAA group ISE_GROUP local aaa authentication enable default group ISE_GROUP enable aaa authorization exec AAA group ISE_GROUP local aaa authorization commands 0 AAA group ISE_GROUP local aaa authorization commands 1 AAA group ISE_GROUP local aaa authorization commands 15 AAA group ISE_GROUP local aaa authorization config-commands
line vty 0 4 authorization commands 0 AAA authorization commands 1 AAA authorization commands 15 AAA authorization exec AAA login authentication AAA
We are done the final thing to do is test the users we created and we can check the logs in the TACACS log viewer on ISE. As you can see below I have tested both our RW and RO user and they have hit the correct authentication and authorization policy’s.