TACACS+ and ISE:2.x Recommended Configuration :-
TACACS+ and ISE:2.x Recommended Configuration :-
ISE 2.x configuration:-
NOTE:- you need device admin License to configure tacacs+ in ISE2.x version and above.
Step1:- configure Shell profiles having privilege 15 access
Step2:-
Configure READ WRITE command authorization or Command Sets
Step3:-
Configure READ-ONLY access, by unchecking permit any commands and configure only specific commands, you can either permit or deny these specific commands as shown below
If you have any queries please comment below
Layer-3 and Layer-2 switches: -
Define TACACS SERVER:
-
aaa group server tacacs+ ISE-GROUP
server-private <primary ISE server> key <plain key>
server-private <secondary ISE Server> key <plain key>
AAA Login Commands: -
aaa new-model
aaa authentication login ISEauth group ISE-GROUP local
aaa authorization exec ISEauth group ISE-GROUP local if-authenticated
line vty 0 15
login authentication ISEauth
authorization exec ISEauth
AAA Command
Authorization Config: -
you can monitor and restrict the commands that have
been issued in the Switch.
aaa authorization commands 1
default group ISE-GROUP local if-authenticated
aaa authorization commands 15
default group ISE-GROUP local if-authenticated
aaa authorization config-commands
Login Accounting Logs
sent to ISE server: -
"Exec accounting” will capture details about user
accessing the shell prompt where you run all the commands & “command
accounting” keep track of what commands users execute on a Cisco device.
aaa accounting exec default start-stop group ISE-GROUP
aaa accounting commands 1 default start-stop group ISE-GROUP
aaa accounting commands 15 default start-stop group ISE-GROUP
ASA Firewall Configuration: -
Define TACACS SERVER:
-
·
max-failed-attempts: - To specify the maximum number of
failures that will be allowed for any server in the group before that server is
deactivated. The default value is three.
·
reactivation-mode: -There are two different AAA server
reactivation modes in ASA:
timed
mode and depletion mode. The command below is the timed mode.
1.
With
the timed mode, it reactivates a failed server after 30 seconds of downtime. In
my limited testing, it continuously tried to reactivate the server after 30
seconds when I bring the TACACS+ server down.
2.
With
the depletion mode shown below, the failed TACACS+ server will stay down until
all servers in the group are in the failed state. The default deadtime is 10
minutes.
aaa-server TACACS protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
reactivation-mode timed
aaa-server TACACS (inside) host
<primary ISE server>
timeout 5
key *****
aaa-server TACACS (inside) host
<secondary ISE server>
timeout 5
key *****
AAA Login Commands: -
aaa authentication http console
TACACS LOCAL
aaa authentication ssh console
TACACS LOCAL
aaa authentication enable console
TACACS LOCAL
aaa authentication telnet console
TACACS LOCAL
aaa authentication serial console
TACACS LOCAL
aaa authorization exec
authentication-server
AAA Command
Authorization Config: -
you can monitor
and restrict the commands that have been issued in the ASA.
aaa authorization command TACACS
LOCAL
Login Accounting Logs
sent to ISE server: -
aaa accounting telnet console
TACACS
aaa accounting ssh console TACACS
aaa accounting command privilege 15
TACACS
Network Security Blog: Tacacs+ And Ise:2.X Recommended Configuration :- >>>>> Download Now
>>>>> Download Full
Network Security Blog: Tacacs+ And Ise:2.X Recommended Configuration :- >>>>> Download LINK
>>>>> Download Now
Network Security Blog: Tacacs+ And Ise:2.X Recommended Configuration :- >>>>> Download Full
>>>>> Download LINK