Solved: Re: Access rights on TACACS+ on ISE based on specific products

mokabbar · ‎03-21-2017

Team,

My customer has 2 times, one for networking handling routing, switching and so on and another team which is security team that handles the firewalls.

The customer wants to provide a kind of role based access meaning they want the security team to check the AAA logs of the ASA and the networking team to have only the AAA logs for the switches

Is this possible?

Please advise

ldanny · ‎03-21-2017

If your reffering to authc and authz based on AD groups then yes.

Heres in example:

Configure ISE 2.0: IOS TACACS+ Authentication and Command Authorization based on AD group membership - Cisco

View solution in original post

ldanny · ‎03-21-2017

Hi,

Yes it is.

This should give you some good examples and best practice.

ISE Device Administration (TACACS+)

mokabbar · ‎03-21-2017

Hi Danny,

Thanks for your reply

I was really referring to a kind of multi-tenancy, I did not find any document from the link you mentioned with this kind of scenario

Please advise

Kind regards,

Mohamad

——————————————

Mohamad Kabbara

Systems Engineer- Levant

JabberCall Me<https://sjc-jabberc-ext.cisco.com/call/89622133@cisco.com?name=Mohamad%20Kabbara>

browser-based video chat

mokabbar · ‎03-21-2017

I think I find it, please check the following link

http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/ise_active_directory_integration/b_ISE_AD_integration_20.html

the scenario of multi-tenancy where we define like sub companies, please advise if it is correct as per my understanding