Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
53
Views
0
Helpful
1
Replies

Centralized TACACS authentication for various ISE clusters

Mr. Bash
Level 1
Level 1

‎10-10-2024 02:19 PM

Hi all!

My company currently has a TACACS cluster that serves as a primary authentication service for all of our network devices including other ISE clusters for RADIUS or Guest/BYOD services etc.  Currently and historically we have our RADIUS ISE admin GUI/CLI authentication going to our TACACS servers via the RADIUS protocol [Radius Token ID Source], we also had local admin groups populated with active directory usernames that were allowed to make changes or view the ISE config etc.  

So if I go to login to our RADIUS ISE cluster my authentication will show up on our "TACACS" servers RADIUS logs.   

What we are wanting to do is to get rid of the locally defined admin groups and define a few Active Directory groups whose members can either view or change our ISE environment.   So I guess I'm looking for a resource that will show me what I need to configure, both on my production ISE [RADIUS] clusters AND on the ISE TACACS authentication side to allow us to control logins via AD groups.   To put it another way, I want my TACACS cluster to proxy the authentications for all other ISE clusters [administrative access] using active directory group membership and not leveraging local accounts or groups as much as possible.   Thanks for any help.

 

I'm pretty sure I'll need to change the login identity source to Active Directory [on the various ISE clusters] but I'm not sure what else needs to be configured to make this work.   

 

Labels:
0 Helpful
1 Reply 1

Arne Bier
VIP
VIP

‎10-10-2024 03:42 PM

In addition to what you said in your last sentence, once you have done that, you need to define the Data and Menu Access Permissions (for RBAC) - there are pre-defined Super Admin Menu and Super Admin Data you can re-use to replicate the admin RBAC.

Then you define a new Admin Group that references the AD Group you want to use (assuming you imported it already under the External Identity Sources).

Then under RBAC Policies, you create a new RBAC Policy that ties the Group to the Menu/Data. Rinse and repeat for other AD Groups (if required)

0 Helpful
Customers Also Viewed These Support Documents