09-04-2017 02:46 AM
Dear community,
Can anyone share with me the procedure for AAA configuration on ISE using the TACACS+ protocol, specifically for the Catalyst 2960 switch and the ASA 5505 and 5510?
Regards
09-04-2017 08:03 AM
You should understand the TACACS commands below before implementing them so you don't cut yourself off, but here is what I use for ASAs when doing command authorization as well.
username fw-admin password <fw-admin password> privilege 15
!
aaa-server ISE-TACACS protocol tacacs+
aaa-server ISE-TACACS (INSIDE) host <IP of PSN 1>
 key <TACACS Key>
aaa-server ISE-TACACS (INSIDE) host <IP of PSN 2>
 key <TACACS Key>
aaa authentication serial console ISE-TACACS LOCAL
aaa authentication ssh console ISE-TACACS LOCAL
aaa authentication http console ISE-TACACS LOCAL
aaa authorization command ISE-TACACS LOCAL
aaa accounting serial console ISE-TACACS
aaa accounting ssh console ISE-TACACS
aaa accounting command privilege 15 ISE-TACACS
aaa accounting enable console ISE-TACACS
aaa authorization exec authentication-server auto-enable
aaa authorization http console ISE-TACACS
Here is what I use for switches/routers when doing command auth:
aaa new-model
!
! local fallback account, consulted only when no PSN is reachable
username <admin> privilege 15 secret <admin password>
!
tacacs server <PSN 1 hostname>
 key 0 <key>
 address ipv4 <PSN 1 IP>
!
tacacs server <PSN 2 hostname>
 key 0 <key>
 address ipv4 <PSN 2 IP>
!
aaa group server tacacs+ ISE-TACACS
 server name <PSN 1 hostname>
 server name <PSN 2 hostname>
 ip tacacs source-interface <Source Interface>
!
aaa authentication login default group ISE-TACACS local
aaa authorization exec default group ISE-TACACS if-authenticated
aaa authorization commands 15 default group ISE-TACACS if-authenticated
aaa accounting exec default start-stop group ISE-TACACS
aaa accounting commands 15 default stop-only group ISE-TACACS
Make sure you configure a back door local account.
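Why the order inside those method lists matters: on both platforms the TACACS+ group is asked first, and `local`/`LOCAL` is consulted only when no server in the group answers, not when a PSN rejects the login, so the local account is a reachability fallback rather than a second password. As an added example that is not part of the post, the Python below lints an IOS-style and an ASA-style config for exactly the lockout conditions the answer warns about: a method list with nothing but server groups, a `none` method, a missing privilege-15 local user, and `<placeholders>` left unfilled. The two sample configs are constructed from the posted snippets with made-up hostnames, addresses and keys; the IOS sample deliberately keeps the snippet's omission of a local username so the lint reports it.

```python
"""Lockout-safety lint for the IOS and ASA AAA method lists in the answer above.

Added example, not code from the original post. It reads a config, finds each
'aaa authentication' / 'aaa authorization' line, and reports lists that would
have no usable method once the TACACS+ group (the ISE PSNs) is unreachable,
plus a missing local fallback account and any unfilled <placeholders>.
The two sample configs are constructed from the posted snippets; hostnames,
addresses and keys in them are made up.
"""
import re

# Constructed sample: the posted IOS snippet with placeholders filled in.
IOS_CONFIG = """\
aaa new-model
tacacs server ise-psn-1
 key 0 S3cretK3y
 address ipv4 10.1.1.10
aaa group server tacacs+ ISE-TACACS
 server name ise-psn-1
 ip tacacs source-interface Loopback0
aaa authentication login default group ISE-TACACS local
aaa authorization exec default group ISE-TACACS if-authenticated
aaa authorization commands 15 default group ISE-TACACS if-authenticated
aaa accounting exec default start-stop group ISE-TACACS
aaa accounting commands 15 default stop-only group ISE-TACACS
"""

# Constructed sample: the posted ASA snippet with placeholders filled in.
ASA_CONFIG = """\
username fw-admin password Fw-Adm1n-Pass privilege 15
aaa-server ISE-TACACS protocol tacacs+
aaa-server ISE-TACACS (INSIDE) host 10.1.1.10
 key S3cretK3y
aaa authentication serial console ISE-TACACS LOCAL
aaa authentication ssh console ISE-TACACS LOCAL
aaa authentication http console ISE-TACACS LOCAL
aaa authorization command ISE-TACACS LOCAL
aaa authorization exec authentication-server auto-enable
aaa authorization http console ISE-TACACS
"""

# IOS: aaa <authentication|authorization> <service> [level] <list-name> <methods...>
IOS_LIST = re.compile(r"^aaa (authentication|authorization) (\S+) (?:\d+ )?(\S+) (.+)$")
# ASA: aaa <authentication|authorization> <service> [console] <server-tag> [LOCAL]
ASA_LIST = re.compile(r"^aaa (authentication|authorization) (\S+)(?: console)? (\S+)( LOCAL)?$")
NO_LOCAL_USER = "no privilege-15 local username: the back-door account for local fallback is missing"


def ios_methods(rest):
    """'group ISE-TACACS local' -> ['group', 'local']; 'group' swallows the next token."""
    tokens, methods = rest.split(), []
    while tokens:
        tok = tokens.pop(0)
        if tok == "group" and tokens:
            tokens.pop(0)          # the server-group name, not a method on its own
        methods.append(tok)
    return methods


def common_findings(lines, config):
    """Checks that apply to both platforms: a priv-15 local user and unfilled placeholders."""
    findings = []
    if not any(re.match(r"username \S+ .*privilege 15", l) for l in lines):
        findings.append(("(global)", NO_LOCAL_USER))
    for ph in sorted(set(re.findall(r"<[^>]+>", config))):
        findings.append(("(global)", f"placeholder {ph} left in config"))
    return findings


def lint_ios(config):
    """Return [(line, message)] for an IOS-style AAA config."""
    findings, lines = [], [l.strip() for l in config.splitlines()]
    for line in lines:
        m = IOS_LIST.match(line)
        if not m:
            continue
        methods = ios_methods(m.group(4))
        if all(meth == "group" for meth in methods):
            findings.append((line, "only server groups listed; no method is left when TACACS+ is unreachable"))
        if "none" in methods:
            findings.append((line, "'none' grants access without any check; fall back to local instead"))
    return findings + common_findings(lines, config)


def lint_asa(config):
    """Return [(line, message)] for an ASA-style AAA config."""
    findings, lines = [], [l.strip() for l in config.splitlines()]
    for line in lines:
        m = ASA_LIST.match(line)
        if not m:
            continue
        kind, service, tag, local = m.groups()
        if tag != "LOCAL" and local is None:
            findings.append((line, f"{kind} for {service} has no LOCAL fallback"))
    return findings + common_findings(lines, config)


if __name__ == "__main__":
    for name, result in (("IOS", lint_ios(IOS_CONFIG)), ("ASA", lint_asa(ASA_CONFIG))):
        print(f"{name}: {len(result)} finding(s)")
        for where, msg in result:
            print(f"  {where}: {msg}")
```

Saved as, say, aaa_lint.py, it runs with `python3 aaa_lint.py` and prints one finding per sample: the IOS config has no local user, and the ASA `aaa authorization http console` line has no LOCAL fallback. It is a text-level heuristic, not a parser of the full command grammar. Before cutting a live device over, also confirm that the PSN actually answers: `test aaa-server authentication ISE-TACACS host <PSN IP> username <user> password <pw>` on the ASA and `test aaa group ISE-TACACS <user> <pw> new-code` on IOS.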
09-05-2017 02:26 PM
Adding to Paul's answer, see also ISE Device Administration (TACACS+).