AAA Configuration on Cisco devices

Dear community,

Can anyone share with me the procedure for AAA configuration on ISE using the TACACS+ protocol, specifically for a Catalyst 2960 switch and ASA 5505 and 5510?

Regards

Accepted Solution

Advocate
You should understand the TACACS commands below before implementing them so you don't cut yourself off, but here is what I use for ASAs when doing command authorization as well.

username fw-admin password <fw-admin password> privilege 15
!
aaa-server ISE-TACACS protocol tacacs+
aaa-server ISE-TACACS (INSIDE) host <IP of PSN>
 key <TACACS Key>
aaa-server ISE-TACACS (INSIDE) host <IP of PSN>
 key <TACACS Key>
aaa authentication serial console ISE-TACACS LOCAL
aaa authentication ssh console ISE-TACACS LOCAL
aaa authentication http console ISE-TACACS LOCAL
aaa authorization command ISE-TACACS LOCAL
aaa accounting serial console ISE-TACACS
aaa accounting ssh console ISE-TACACS
aaa accounting command privilege 15 ISE-TACACS
aaa accounting enable console ISE-TACACS
aaa authorization exec authentication-server auto-enable
aaa authorization http console ISE-TACACS

Here is what I use for switches/routers when doing command auth:

aaa new-model
!
tacacs server <PSN hostname>
 key 0 <key>
 address ipv4 <PSN IP>
!
tacacs server <PSN hostname>
 key 0 <key>
 address ipv4 <PSN IP>
!
aaa group server tacacs+ ISE-TACACS
 server name <PSN hostname>
 server name <PSN hostname>
 ip tacacs source-interface <Source Interface>
!
aaa authentication login default group ISE-TACACS local
aaa authorization exec default group ISE-TACACS if-authenticated
aaa authorization commands 15 default group ISE-TACACS if-authenticated
aaa accounting exec default start-stop group ISE-TACACS
aaa accounting commands 15 default stop-only group ISE-TACACS

Make sure you configure a back door local account. 


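A way to check a config against the "don't cut yourself off" points in the answer above, as an added example that is not part of the post and not Cisco's tooling: a small Python linter for the IOS template. It parses the config into blocks and flags the things that cause lockouts or weaken the setup: a login method list without a `local` fallback (IOS only falls through to `local` when every server in the group is unreachable, never when ISE rejects the user, so the fallback is the planned escape hatch rather than a bypass); no local privilege-15 account for that fallback to land on (the IOS template as posted has no `username` line, which is what the closing sentence tells you to add); a group name in a method list that does not match the defined `aaa group server`; exec or command authorization without `if-authenticated`, which is what keeps an unreachable PSN from failing every command once command authorization is on (the flip side is that during an outage any locally authenticated user is authorized, so the local account needs a strong secret); `key 0` without `service password-encryption`, which leaves the shared key in cleartext in the running config; no `ip tacacs source-interface`, which ISE needs because it matches the device by source IP; and no privilege-15 command accounting. The host names, IPs, interface and secrets in the two constructed samples are hypothetical placeholders; the first is the post's template filled in, the second is the same template with the safety lines removed. The ASA template needs the same properties but uses different syntax and is not parsed here.

```python
"""Lockout-safety lint for a Cisco IOS TACACS+ AAA config. Added example,
not from the post or from Cisco; all sample values are hypothetical."""
import re

# Constructed sample: the post's IOS template with hypothetical values and
# the local admin account its closing sentence asks for.
SAMPLE_OK = """\
aaa new-model
service password-encryption
!
username fw-admin privilege 15 secret Hypothetical-Local-Secret
!
tacacs server ise-psn1
 key 0 Hypothetical-Tacacs-Key
 address ipv4 10.0.0.11
!
aaa group server tacacs+ ISE-TACACS
 server name ise-psn1
 ip tacacs source-interface Loopback0
!
aaa authentication login default group ISE-TACACS local
aaa authorization exec default group ISE-TACACS if-authenticated
aaa authorization commands 15 default group ISE-TACACS if-authenticated
aaa accounting exec default start-stop group ISE-TACACS
aaa accounting commands 15 default stop-only group ISE-TACACS
"""

# Constructed lockout sample: the same template with every safety line
# (encryption, local admin, source interface, command accounting and the
# 'local' / 'if-authenticated' fallbacks) stripped out.
SAMPLE_LOCKOUT = "\n".join(
    line for line in SAMPLE_OK.splitlines() if not line.lstrip().startswith(
        ("service password", "username", "ip tacacs source", "aaa accounting commands"))
).replace(" local", "").replace(" if-authenticated", "")


def parse_blocks(text):
    """Split an IOS config into (command, [indented subcommands]) in order."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def lint_ios_aaa(text):
    """Return (code, message) findings; an empty list means the config passes."""
    blocks = parse_blocks(text)
    top = [cmd for cmd, _ in blocks]
    findings = []

    def add(code, msg):
        findings.append((code, msg))

    if "aaa new-model" not in top:
        add("NO_AAA_NEW_MODEL", "method lists need aaa new-model")
    # 'key 0' sits in cleartext in the running config without service password-encryption
    servers = {m.group(1): subs for cmd, subs in blocks
               if (m := re.match(r"tacacs server (\S+)$", cmd))}
    for name, subs in servers.items():
        keys = [s for s in subs if s.startswith("key ")]
        if not keys:
            add("SERVER_NO_KEY", f"tacacs server {name}: no key")
        elif keys[0].startswith("key 0 ") and "service password-encryption" not in top:
            add("KEY_CLEARTEXT", f"tacacs server {name}: key 0 without service password-encryption")
    # group members must exist; the source interface (global or per group) pins the NAD IP ISE sees
    groups = {"tacacs+": list(servers)}  # bare 'group tacacs+' means all servers
    source_if = any(c.startswith("ip tacacs source-interface ") for c in top)
    for cmd, subs in blocks:
        if m := re.match(r"aaa group server tacacs\+ (\S+)$", cmd):
            members = [s.split()[2] for s in subs if s.startswith("server name ")]
            groups[m.group(1)] = members
            for member in set(members) - set(servers):
                add("GROUP_UNKNOWN_SERVER", f"group {m.group(1)}: {member} not defined")
            source_if |= any(s.startswith("ip tacacs source-interface ") for s in subs)
    if not source_if:
        add("NO_SOURCE_INTERFACE", "ip tacacs source-interface not set")
    # 'local' is tried only when every server is unreachable (never on a reject):
    # it is the planned escape hatch, and it needs a privilege-15 account to land on
    login = next((c for c in top if c.startswith("aaa authentication login default ")), "")
    methods = login.split()[4:]  # e.g. ['group', 'ISE-TACACS', 'local']; [] if absent
    grp = methods[1] if methods[:1] == ["group"] and len(methods) > 1 else None
    if grp not in groups:
        add("LOGIN_GROUP_UNDEFINED", f"login list uses missing/undefined group {grp!r}")
    if "local" not in methods:
        add("LOGIN_NO_LOCAL_FALLBACK", "login method list has no 'local' fallback")
    users = [c for c in top if c.startswith("username ")]
    if not any("privilege 15" in u for u in users):
        add("NO_LOCAL_ADMIN", "no local 'username ... privilege 15' account")
    # without if-authenticated (or local), an unreachable server fails every exec
    # and command authorization: that is the lockout the post warns about
    for label, prefix, skip in (("EXEC", "aaa authorization exec default ", 4),
                                ("CMD", "aaa authorization commands 15 default ", 5)):
        line = next((c for c in top if c.startswith(prefix)), None)
        if line is None:
            add(f"NO_{label}_AUTHZ", f"missing '{prefix.strip()}'")
        elif not {"if-authenticated", "local"} & set(line.split()[skip:]):
            add(f"{label}_AUTHZ_NO_FALLBACK", f"'{prefix.strip()}' has no fallback method")
    if not any(c.startswith("aaa accounting commands 15 default ") for c in top):
        add("NO_COMMAND_ACCOUNTING", "no privilege-15 command accounting")
    return findings


if __name__ == "__main__":
    for name, cfg in (("ok", SAMPLE_OK), ("lockout", SAMPLE_LOCKOUT)):
        print(name, lint_ios_aaa(cfg) or "clean")
```

Run it as-is to see the clean sample pass and the stripped one produce one finding per missing safety line; for a real device, paste the `aaa`, `tacacs`, `username` and `service` parts of `show running-config` into `lint_ios_aaa`. The checks are deliberately conservative (a finding means "look at this", not "this is broken"), and they only cover the IOS template: the ASA template carries the same LOCAL fallback, local privilege-15 user and command authorization/accounting lines, but its syntax would need its own parser.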
Cisco Employee

Adding to Paul's, see also ISE Device Administration (TACACS+)
