cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2305
Views
1
Helpful
4
Replies

Access rights on TACACS+ on ISE based on specific products

mokabbar
Cisco Employee
Cisco Employee

Team,

My customer has 2 times, one for networking handling routing, switching and so on and another team which is security team that handles the firewalls.

The customer wants to provide a kind of role based access meaning they want the security team to check the AAA logs of the ASA and the networking team to have only the AAA logs for the switches

Is this possible?

Please advise

1 Accepted Solution

Accepted Solutions

4 Replies 4

ldanny
Cisco Employee
Cisco Employee

Hi,

Yes it is.

This should give you some good examples and best practice.

ISE Device Administration (TACACS+)

Hi Danny,

Thanks for your reply

I was really referring to a kind of multi-tenancy, I did not find any document from the link you mentioned with this kind of scenario

Please advise

Kind regards,

Mohamad

——————————————

Mohamad Kabbara

Systems Engineer- Levant

JabberCall Me<https://sjc-jabberc-ext.cisco.com/call/89622133@cisco.com?name=Mohamad%20Kabbara>

browser-based video chat

I think I find it, please check the following link

http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/ise_active_directory_integration/b_ISE_AD_integration_20.html

the scenario of multi-tenancy where we define like sub companies, please advise if it is correct as per my understanding

Kind regards,

Mohamad

——————————————

Mohamad Kabbara

Systems Engineer- Levant

JabberCall Me<https://sjc-jabberc-ext.cisco.com/call/89622133@cisco.com?name=Mohamad%20Kabbara>

browser-based video chat

If your reffering to authc and authz based on AD groups then yes.

Heres in example:

Configure ISE 2.0: IOS TACACS+ Authentication and Command Authorization based on AD group membership - Cisco