https://community.cisco.com/t5/network-access-control/tacacs-profile-questions-for-third-party-equipment-using-ise/m-p/4995267#M586295 <P>I'm not sure I'm following your question but you should use network device groups to differentiate within the Device Admin Policy.&nbsp; By matching on those NAD groups, you can ensure that Juniper attributes are only sent to Juniper NADs and Cisco attributes are only sent to Cisco devices.</P> Fri, 12 Jan 2024 14:48:25 GMT ahollifield 2024-01-12T14:48:25Z https://community.cisco.com/t5/network-access-control/tacacs-profile-questions-for-third-party-equipment-using-ise/m-p/4994704#M586280 <P>Using ISE, we want to set up TACACS not only for CISCO equipment but also for third-party equipment.</P> <P>I'm trying to create a TACACS profile<BR />I understand that each vendor has an attribute value to set up TACACS on the ISE.</P> <P>If I put various attribute values in one profile, can I set up TACACS of third-party equipment with just one profile?</P> <P>When I put in the juniper attribute value, I thought TACACS would be set for both the juniper and cisco equipment because the cisco equipment did not have a separate attribute value.</P> <P>The juniper equipment was applied, but the cisco equipment only showed the authentication success log in the live log, and the actual cli was not accessible.</P> <P>Please give me some advice regarding this.</P> Thu, 11 Jan 2024 23:48:16 GMT https://community.cisco.com/t5/network-access-control/tacacs-profile-questions-for-third-party-equipment-using-ise/m-p/4994704#M586280 CCC3 2024-01-11T23:48:16Z https://community.cisco.com/t5/network-access-control/tacacs-profile-questions-for-third-party-equipment-using-ise/m-p/4995267#M586295 <P>I'm not sure I'm following your question but you should use network device groups to differentiate within the Device Admin Policy.&nbsp; By matching on those NAD groups, you can ensure that Juniper attributes are only sent to Juniper NADs and Cisco attributes are only sent to Cisco devices.</P> Fri, 12 Jan 2024 14:48:25 GMT https://community.cisco.com/t5/network-access-control/tacacs-profile-questions-for-third-party-equipment-using-ise/m-p/4995267#M586295 ahollifield 2024-01-12T14:48:25Z https://community.cisco.com/t5/network-access-control/tacacs-profile-questions-for-third-party-equipment-using-ise/m-p/4995270#M586296 <P>So you want to use ISE for both juniper and cisco admin authc and authz ?</P> <P>MHM</P> Fri, 12 Jan 2024 14:51:41 GMT https://community.cisco.com/t5/network-access-control/tacacs-profile-questions-for-third-party-equipment-using-ise/m-p/4995270#M586296 MHM Cisco World 2024-01-12T14:51:41Z https://community.cisco.com/t5/network-access-control/tacacs-profile-questions-for-third-party-equipment-using-ise/m-p/4996190#M586330 <P>&gt;&nbsp;If I put various attribute values in one profile, can I set up TACACS of third-party equipment with just one profile?</P> <P>No. As different vendors expect different sets of attributes, we need separate profiles for them.&nbsp;<A href="https://community.cisco.com/t5/security-knowledge-base/cisco-ise-device-administration-prescriptive-deployment-guide/ta-p/3738365" target="_self">Cisco ISE Device Administration Prescriptive Deployment Guide</A>&nbsp;would be a good start point in understanding how TACACS+ works.</P> Sat, 13 Jan 2024 19:02:08 GMT https://community.cisco.com/t5/network-access-control/tacacs-profile-questions-for-third-party-equipment-using-ise/m-p/4996190#M586330 hslai 2024-01-13T19:02:08Z https://community.cisco.com/t5/network-access-control/tacacs-profile-questions-for-third-party-equipment-using-ise/m-p/4996481#M586334 <P>&nbsp;</P> <P>Thank you for your answer.</P> <P>If you set it up like the attached picture</P> <P>The juniper equipment has tacacs set and the cisco equipment has no attribute value, so I think the cisco equipment will be set as well</P> <P>Does that mean it isn't?</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="20240115_083528.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/207308iA3E8722541559CEF/image-size/large?v=v2&amp;px=999" role="button" title="20240115_083528.png" alt="20240115_083528.png" /></span></P> Sun, 14 Jan 2024 23:37:09 GMT https://community.cisco.com/t5/network-access-control/tacacs-profile-questions-for-third-party-equipment-using-ise/m-p/4996481#M586334 CCC3 2024-01-14T23:37:09Z https://community.cisco.com/t5/network-access-control/tacacs-profile-questions-for-third-party-equipment-using-ise/m-p/4997684#M586369 <P>Where is the policy in which is this result is called?&nbsp; Do both Juniper and Cisco devices hit this rule?</P> Tue, 16 Jan 2024 14:49:10 GMT https://community.cisco.com/t5/network-access-control/tacacs-profile-questions-for-third-party-equipment-using-ise/m-p/4997684#M586369 ahollifield 2024-01-16T14:49:10Z https://community.cisco.com/t5/network-access-control/tacacs-profile-questions-for-third-party-equipment-using-ise/m-p/4997692#M586370 <P>I think this issue of attribute'&nbsp;</P> <P>The cisco use specific attributes for login and this is different for other vendor.</P> <P>I am out home now' you can check this point and when I retrun back and make more seach and update you.</P> <P>Thanks</P> <P>MHM</P> Tue, 16 Jan 2024 15:05:15 GMT https://community.cisco.com/t5/network-access-control/tacacs-profile-questions-for-third-party-equipment-using-ise/m-p/4997692#M586370 MHM Cisco World 2024-01-16T15:05:15Z https://community.cisco.com/t5/network-access-control/tacacs-profile-questions-for-third-party-equipment-using-ise/m-p/4997701#M586373 <P>What I'm just curious about is whether it is possible to set tacacs on third-party equipment with that profile if you put attribute values for multiple third-party equipment (Juniper, Altheon, F5,etc) in one tacacs profile.</P> Tue, 16 Jan 2024 15:12:32 GMT https://community.cisco.com/t5/network-access-control/tacacs-profile-questions-for-third-party-equipment-using-ise/m-p/4997701#M586373 CCC3 2024-01-16T15:12:32Z https://community.cisco.com/t5/network-access-control/tacacs-profile-questions-for-third-party-equipment-using-ise/m-p/4997731#M586376 <P>No, you one per vendor. Use network device groups (or whatever mechanism you like) to ensure only Cisco attributes are sent to Cisco devices, only Juniper to Juniper devices, etc.</P> <P><A href="https://community.cisco.com/t5/security-knowledge-base/cisco-ise-device-administration-prescriptive-deployment-guide/ta-p/3738365" target="_blank">https://community.cisco.com/t5/security-knowledge-base/cisco-ise-device-administration-prescriptive-deployment-guide/ta-p/3738365</A></P> Tue, 16 Jan 2024 15:45:13 GMT https://community.cisco.com/t5/network-access-control/tacacs-profile-questions-for-third-party-equipment-using-ise/m-p/4997731#M586376 ahollifield 2024-01-16T15:45:13Z https://community.cisco.com/t5/network-access-control/tacacs-profile-questions-for-third-party-equipment-using-ise/m-p/4997737#M586378 <P>important attribute is service-type which I think Juniper use standard&nbsp;<BR />and other VSA check below&nbsp;</P> <P><A href="https://supportportal.juniper.net/s/article/Configuration-Example-How-to-assign-a-login-class-to-users-that-are-authenticated-using-a-FreeRADIUS-server?language=en_US" target="_blank">https://supportportal.juniper.net/s/article/Configuration-Example-How-to-assign-a-login-class-to-users-that-are-authenticated-using-a-FreeRADIUS-server?language=en_US</A></P> <P>MHM</P> Tue, 16 Jan 2024 15:55:16 GMT https://community.cisco.com/t5/network-access-control/tacacs-profile-questions-for-third-party-equipment-using-ise/m-p/4997737#M586378 MHM Cisco World 2024-01-16T15:55:16Z https://community.cisco.com/t5/network-access-control/tacacs-profile-questions-for-third-party-equipment-using-ise/m-p/4998035#M586394 <P>This means that you have to use one tacacs profile for each vendor.</P> <P>Do you know what will happen if you put multiple third-party equipment attribute values in one profile like my question?</P> Wed, 17 Jan 2024 02:25:36 GMT https://community.cisco.com/t5/network-access-control/tacacs-profile-questions-for-third-party-equipment-using-ise/m-p/4998035#M586394 CCC3 2024-01-17T02:25:36Z https://community.cisco.com/t5/network-access-control/tacacs-profile-questions-for-third-party-equipment-using-ise/m-p/4998055#M586397 It depends on the network device. Some devices just ignore them and work fine if they are given at least one correct attribute. Others will fail to authenticate the admin user completely.<BR /> Wed, 17 Jan 2024 03:02:43 GMT https://community.cisco.com/t5/network-access-control/tacacs-profile-questions-for-third-party-equipment-using-ise/m-p/4998055#M586397 ahollifield 2024-01-17T03:02:43Z https://community.cisco.com/t5/network-access-control/tacacs-profile-questions-for-third-party-equipment-using-ise/m-p/4998060#M586398 <P>Do you have any information about some of the equipment you mentioned?</P> Wed, 17 Jan 2024 03:27:33 GMT https://community.cisco.com/t5/network-access-control/tacacs-profile-questions-for-third-party-equipment-using-ise/m-p/4998060#M586398 CCC3 2024-01-17T03:27:33Z