Configuring TACACS+ on ASA5525 with CIsco ISE for AAA

Antony Paul — Fri, 21 Feb 2020 18:59:47 GMT

Hello all,

Hoping to get some assistance with configuring TACACS+ on an ASA 5525 with ISE for aaa

Environment:

ASA5525 - 9.8(2)20 active/standby cluster
ISE - 2.1.0.474

We currently use RADIUS for aaa and are looking to switch over to TACACS+

Following the Cisco documentation I have cobbled together the below config

------------------------------------------------------------

aaa-server ise-tacacs protocol tacacs+
aaa-server ise-tacacs max-failed-attempts 3

aaa-server ise-tacacs (inside) host xx.xx.xx.xx
key ################

clear configure aaa
aaa authentication ssh console ise-tacacs LOCAL
aaa authentication enable console ise-tacacs LOCAL
aaa authentication http console ise-tacacs LOCAL
aaa authentication secure-http-client

aaa authorization exec authentication-server auto-enable

aaa authorization http console ise-tacacs

aaa authorization command ise-tacacs LOCAL

aaa accounting ssh console ise-tacacs
aaa accounting serial console ise-tacacs
aaa accounting enable console ise-tacacs

-----------------------------------------------------------

Now my main concern is locking everyone out either from authentication or from command authorization. That would be, for want of a better phrase, a resume generating event. Whilst I vaguely understand the aaa authentication commands above I am not so sure of things to feel safe enough to enter this config just yet.

I can't schedule a reload as a backup because of the primary/secondary failover.

We have an out of band lantronix terminal server providing serial access. What I am unclear about is whether serial access would be possible in the event I get locked out.

I haven't included an aaa authentication serial command above - would that mean that serial connections could be made using the LOCAL priv 15 user to assist with rollback? This is the part I am unsure about. I would like to play this as safe as possible, even though I am about 90% sure the above would work as intended as I have tested this on a standalone 5512. I was also successfully able to test LOCAL fall back by changing the ISE Object for the test firewall to an incorrect IP.

--------------------------------------

existing radius config (if it would be helpful to share any other parts of the config please let me know)

aaa-server RADIUS-GROUP protocol radius
aaa-server RADIUS-GROUP (inside) host YY.YY.YY.YY
aaa-server RADIUS-GROUP (inside) host YY.YY.YY.YY
user-identity domain DOMAIN-NAME aaa-server DOMAIN-NAME.LOCAL
user-identity ad-agent aaa-server CCDA
aaa authentication http console RADIUS-GROUP LOCAL
aaa authentication ssh console RADIUS-GROUP LOCAL

Any advice gratefully received.

Re: Configuring TACACS+ on ASA5525 with CIsco ISE for AAA

Francesco Molino — Fri, 29 Jun 2018 04:25:50 GMT

You're configuration looks good.

If you don't issue anything regarding serial console, it'll use local database.

Don't forget to configure the password and enable password field for your user on ISE.

You should be good with this config.

Re: Configuring TACACS+ on ASA5525 with CIsco ISE for AAA

antonypaul — Sat, 30 Jun 2018 09:31:59 GMT

Thanks Francesco - relieved you don't see anything amiss with the config!

Re: Configuring TACACS+ on ASA5525 with CIsco ISE for AAA

Francesco Molino — Sat, 30 Jun 2018 16:58:48 GMT

Yeah that's correct. your config looks ok

topic Re: Configuring TACACS+ on ASA5525 with CIsco ISE for AAA in Network Access Control

Configuring TACACS+ on ASA5525 with CIsco ISE for AAA

Re: Configuring TACACS+ on ASA5525 with CIsco ISE for AAA

Re: Configuring TACACS+ on ASA5525 with CIsco ISE for AAA

Re: Configuring TACACS+ on ASA5525 with CIsco ISE for AAA