TACACS+ and ISE:2.x Recommended Configuration :-


Layer-3 and Layer-2 switches: -
Define TACACS SERVER: -
aaa group server tacacs+ ISE-GROUP

 server-private <primary ISE server> key <plain key>
 server-private <secondary ISE Server> key <plain key>


AAA Login Commands: -
aaa new-model
aaa authentication login ISEauth group ISE-GROUP local

aaa authorization exec ISEauth group ISE-GROUP local if-authenticated

line vty 0 15
 login authentication ISEauth
 authorization exec ISEauth


AAA Command Authorization Config: -
Command authorization lets ISE permit or deny each command a user issues on the switch, so you can both monitor and restrict what is executed.
aaa authorization commands 1 default group ISE-GROUP local if-authenticated
aaa authorization commands 15 default group ISE-GROUP local if-authenticated
aaa authorization config-commands
Login Accounting Logs sent to ISE server: -
"Exec accounting" captures details about the user accessing the shell prompt from which all commands are run, and "command accounting" keeps track of which commands users execute on the Cisco device.
aaa accounting exec default start-stop group ISE-GROUP
aaa accounting commands 1 default start-stop group ISE-GROUP
aaa accounting commands 15 default start-stop group ISE-GROUP
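As an added example (not part of the original post), the following Python script audits a saved IOS running-config against the switch configuration above: it checks that each recommended global AAA line is present, that the TACACS+ group lists a primary and a secondary server, and that the vty lines actually apply the login and exec authorization lists. The sample config, the server addresses and the key are constructed placeholders.

```python
import re
# Recommended global AAA lines (description, regex); named groups capture the login list, exec list and group names.
CHECKS = [
    ("aaa new-model", r"^aaa new-model$"),
    ("login list with TACACS+ group and local fallback", r"^aaa authentication login (?P<login>\S+) group (?P<grp>\S+) local$"),
    ("exec authorization with local fallback", r"^aaa authorization exec (?P<exec>\S+) group \S+ local if-authenticated$"),
    ("command authorization level 1", r"^aaa authorization commands 1 default group \S+ local if-authenticated$"),
    ("command authorization level 15", r"^aaa authorization commands 15 default group \S+ local if-authenticated$"),
    ("config-commands authorization", r"^aaa authorization config-commands$"),
    ("exec accounting", r"^aaa accounting exec default start-stop group \S+$"),
    ("command accounting level 1", r"^aaa accounting commands 1 default start-stop group \S+$"),
    ("command accounting level 15", r"^aaa accounting commands 15 default start-stop group \S+$"),
]
# Constructed sample running-config (not a real device): one ISE server, no config-commands authorization, vty applies only the login list.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server tacacs+ ISE-GROUP
 server-private 10.0.0.1 key EXAMPLE-KEY
aaa authentication login ISEauth group ISE-GROUP local
aaa authorization exec ISEauth group ISE-GROUP local if-authenticated
aaa authorization commands 1 default group ISE-GROUP local if-authenticated
aaa authorization commands 15 default group ISE-GROUP local if-authenticated
aaa accounting exec default start-stop group ISE-GROUP
aaa accounting commands 1 default start-stop group ISE-GROUP
aaa accounting commands 15 default start-stop group ISE-GROUP
line vty 0 15
 login authentication ISEauth
"""
def _block(config, header):
    """Indented sub-commands that follow the top-level line starting with `header`."""
    m = re.search(rf"^{re.escape(header)}.*\n((?: .*\n?)*)", config, re.M)
    return [l.strip() for l in m.group(1).splitlines()] if m else []

def audit_ios_aaa(config):
    """Return a list of findings; an empty list means every recommended line is present."""
    config = "\n".join(l.rstrip() for l in config.splitlines())
    findings, names = [], {}
    for desc, pat in CHECKS:
        m = re.search(pat, config, re.M)
        names.update(m.groupdict()) if m else findings.append("missing: " + desc)
    grp = names.get("grp")
    if grp:  # the design above uses a primary and a secondary ISE server
        servers = [l for l in _block(config, f"aaa group server tacacs+ {grp}") if l.startswith("server-private ")]
        if len(servers) < 2:
            findings.append(f"group {grp} has {len(servers)} server(s); primary and secondary ISE expected")
    vty = _block(config, "line vty")  # the lists must also be applied on the vty lines
    for key, cmd in (("login", "login authentication"), ("exec", "authorization exec")):
        if names.get(key) and f"{cmd} {names[key]}" not in vty:
            findings.append(f"vty lines do not apply {cmd} {names[key]}")
    return findings
```

Run it against the output of `show running-config` saved to a file; each finding names the recommended line that is absent or not applied.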





ASA Firewall Configuration: -
Define TACACS SERVER: -
max-failed-attempts: - Specifies the maximum number of failures allowed for any server in the group before that server is deactivated. The default value is three.
reactivation-mode: - There are two AAA server reactivation modes in ASA: timed mode and depletion mode. The configuration below uses timed mode.
1. With timed mode, a failed server is reactivated after 30 seconds of downtime. In my limited testing, it continuously tried to reactivate the server after 30 seconds when I brought the TACACS+ server down.
2. With depletion mode, a failed TACACS+ server stays down until all servers in the group are in the failed state. The default deadtime is 10 minutes.

aaa-server TACACS protocol tacacs+
 max-failed-attempts 3
 reactivation-mode timed
aaa-server TACACS (inside) host <primary ISE server>
 timeout 5
 key *****
aaa-server TACACS (inside) host <secondary ISE server>
 timeout 5
 key *****
AAA Login Commands: -
aaa authentication http console TACACS LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
aaa authentication telnet console TACACS LOCAL
aaa authentication serial console TACACS LOCAL
aaa authorization exec authentication-server




AAA Command Authorization Config: -
Command authorization lets ISE permit or deny each command a user issues on the ASA, so you can both monitor and restrict what is executed.
aaa authorization command TACACS LOCAL
Login Accounting Logs sent to ISE server: -
aaa accounting telnet console TACACS
aaa accounting ssh console TACACS
aaa accounting command privilege 15 TACACS




ISE 2.x configuration:-

NOTE:- A Device Administration license is required to configure TACACS+ in ISE 2.x and above.

Step1:- Configure a shell profile that grants privilege 15 access


Step2:- Configure a READ-WRITE command set (command authorization)



Step3:- Configure READ-ONLY access by unchecking "Permit any command" and adding only specific commands; each of these commands can be permitted or denied, as shown below



If you have any queries please comment below
