You mean onboard via day 0 template? The network devices are already in network heirarchy so I am not onboarding new devices to dnac..

devices were added via discovery without device controllability or telemetry turned on. I can provision commands using template hubs so there is no problem there.  

I noticed you use aaa authentication login VTY_authen group dnac-network-tacacs-group local vs aaa authentication login default group tacacs+ local enable.. looks like they do the same thing? Authorizes EXEC sessions on VTY lines using the TACACS+ server group, with local fallback if authenticated. -> does this directly put the user to priv 15 or just allows user to issue enable command? same with this aaa authorization exec VTY_author group dnac-network-tacacs-group local if-authenticated and aaa authorization exec default local commands..

What are you trying to do with these commands below?

aaa authorization commands 0 VTY_author group dnac-network-tacacs-group if-authenticated
aaa authorization commands 1 VTY_author group dnac-network-tacacs-group if-authenticated
aaa authorization commands 15 VTY_author group dnac-network-tacacs-group if-authenticated

aaa authorization configuration VTY_author group dnac-network-tacacs-group

Maybe for now I'll just focus on setting up tacacs for our network engineers to login to vty lines using tacacs, can issue enable command and falling back to local auth if tacacs server is unvailable... would I be able to accomplish that if I took snippets from your config? Thanks so much

I'll tackle each question below:

"I noticed you use aaa authentication login VTY_authen group dnac-network-tacacs-group local vs aaa authentication login default group tacacs+ local enable.. looks like they do the same thing"

DNAC makes use of 'method lists' (the VTY_authen  is a method list) - it's like a tag that links the "line vty/con/aux" configs to individual aaa statements. It can be hard to read, and by default, IOS doesn't use them - the "line vty/con/aux" implicitly use no method lists - hence, in the aaa statements, you refer to that as 'default'.  DNAC doesn't give you a choice when you provision devices, and if those devices are in the Network Hierarchy that contains RADIUS/TACACS+ settings - those are pushed to the device being provisioned - along with anything else that applies at that Hierarchy (such as DNS, NTP, Timezone, MOTD, etc.)

The very last argument in the aaa command (either 'local' or 'enable') tells the IOS what happens when the aaa servers are not responding:

• local - authenticate using a local account (username/password) that exists on the device
• enable - authenticate using the enable password on that device

The aaa authorization exec tells you what happens AFTER authentication step, and takes the PrivLvl from the AAA server response. If ISE returns '1' then you end up on the '>' prompt and need to elevate using the enable X command.  I don't recall what happens next, because I don't use the enable mode of working - but I think the IOS will request aaa authentication to the server to request the elevation.  Like I said, I issue Priv15 to everyone, and then just lock down the commands that each role (SuperAdmin, JuniorAdmin, ReadOnly) can perform.

aaa authorization commands X tells IOS that while you are in the exec shell, EVERY command you issue (that is associated with a priv level ... 0,1,15 etc) will cause an aaa request to the server - that is how ISE can control what command each user can, and cannot issue.  But some commands don't relate to a priv level - I have never seen this list, but I think commands like "who" don't cause a aaa event.  

My recommendation is to do some testing in a lab. If you have a lab ... Cisco CML or GNS3/Eve-NG and an ISE node then you can test all these scenarios. If not, then take one IOS device that you can always reach physically (console cable) and have a play with all of these options.

Hi Arne

Makes perfect sense, I dont have ISE, I have aruba clearpass tacacs+ it can pass any privilege level but I’m not sure how I can replicate locking down commands on a per role basis and if copying your command auth statements will work..

line vty 0 15

privilege 15 <<- this make use only Authc by ClearPass and if it success authc it will get level15 
session-timeout 15
exec-timeout 15 0
logging synchronous
transport input telnet ssh

that doesnt matter I think as aruba clearpass can pass priv 15 under enforcement profiles->priv level->selected services=shell

But you dont config 

Authz exec under vty so vty not use priv send by tacacs

MHM

AAA is a client server protocol. That means, the server (ISE/Clearpass) does nothing, until a client (e.g. IOS) sends a request to it. Therefore, the client needs certain config (I have provided you what DNAC pushes to Catalysts, plus some additional commands), and the Server needs config. But we have not discussed the Server config. Since this is a Cisco forum, I won't go into how Clearpass is configured - you can research that on Airheads.  I have configured both and I find the Aruba more complex to configure than ISE. But they do the same thing.

TACACS+ happens in three distinct AAA stages - Authentication, Authorization, Accounting.

When user logs into IOS and presses enter on the username+password, the IOS sends Authentication request to the server. Server checks only the Username and Password - it sends back a simple 'Yes'. / 'No'

Once that is done, if it was a 'Yes', the IOS will have authenticated the user. But the user is not on the CLI yet - IOS performs authorization for the exec (CLI shell). IOS will ask the server to authorize that user - because I have an ISE Authorization Rule that says what a SuperAdmin priv level is, when I login, ISE returns this: (there are many different attributes, but these are the basic ones I return:) -and by the way, I return this for other users too, like Read-Only users. More on that later ...

Now the user is on the '#' prompt.

What happens next, depends on how you have configured your IOS. Do you want EVERY command to be authorized as well?  If yes (e.g. for RBAC reasons), the IOS "aaa authorization commands" do just that - but - it must be done for every priv level possible. In my experience, even though you are authorized to priv15, some commands you enter, are lower priv - therefore, to catch those, cater for priv0,1,15 commands.

Going back to ISE config, in the TACACS+ Policy Set I made two Authorization scenarios - super admins, and readonly admin - here is what it looks like in ISE (Clearpass does the same thing, but looks different)

The Command Set configs in ISE show what my Read-Only user gets

When I login as the user 'arne', my experience is as follows

And you can see ISE is authorizing every command I type

To prove my point about Priv0 and Priv1 being required to make this work, I removed the following commands from the IOS

Remember that I am still in Priv 15

But since I am no longer authorizing the priv0/1 commands, I can suddenly issue them as user 'arne', even though my TACACS+ server has rules to not allow this - the reason is simple - IOS no longer makes those requests to the server. The command 'who' is not allowed in my TACACS+ server, but the user can now execute it:

Command authorization has less to do with what Priv Level I gave the user, but it's more concerned with what Priv Level the command is, that I have just entered into the shell.  I have yet to see a complete listing (or a command in IOS) that shows what priv level is needed for which command.

test, test, and then test again!