Cisco ISE Device Administration using TACACS+ with Active Directory.

Karan Belani
Level 1

In this lab, I will demonstrate how to configure device administration on Cisco IOS using Cisco ISE and Microsoft Active Directory.
Lab topology:

KKZ_0-1728723772197.png

Here, Winserver is my AD server and vIOS is my default gateway.

PART 1:
Joining Cisco ISE to Active Directory (configuring AD as an external identity source in Cisco ISE).
Step 1:

KKZ_1-1728723772200.png
Go into Work Centers>Device Administration>Ext Id Sources.
Click on Ext Id Sources.

Step 2: Click on Active Directory> Add

KKZ_2-1728723772202.png
After clicking Add, you will be asked for a Join Point Name; you can name it anything you want.
In the Active Directory Domain field, provide the domain name of your AD.
Note: Make sure the DNS server you have configured for ISE can resolve the domain name of your AD server; otherwise, it won’t be able to join AD.

Step 3: Click Yes to join the Active Directory domain and enter the credentials of your AD admin account.

KKZ_3-1728723772205.png

KKZ_4-1728723772208.png

KKZ_5-1728723772211.png
Step 4: Retrieve the user groups from the AD that you want to use for Device Administration.

KKZ_6-1728723772214.png
Click on Select Groups From Directory, then Retrieve Groups to list all the groups that are present in the AD.

KKZ_7-1728723772219.png
Here I have created 2 groups in AD: 1. Employees and 2. Contractors.
Employees will have full admin access rights to the networking devices and Contractors will have read-only access to the networking devices.

KKZ_8-1728723772222.png


Here, the first step of adding the AD to Cisco ISE is completed.

PART 2:
Configuring Device Administration on Cisco ISE.

Step 1:
Enable Device Admin Services on Cisco ISE.
Go to Administration>System>Deployment>select the ISE node (if it is standalone)>Enable Device Admin Service.
This will enable the Device Admin Service on Cisco ISE.

KKZ_9-1728723772225.png

KKZ_10-1728723772227.png


Alternatively, you can enable Device Admin Service by going to
Work Centers>Device Administration>Deployment

KKZ_11-1728723772229.png
You can click on All policy service nodes, or you can select specific nodes.

Step 2:
Adding Network Devices on Cisco ISE
Go to Work Centers>Device Administration>Network Resources>Network Devices>Add
Fill in the required details of the target network device that you want to add and tick the TACACS Authentication Settings checkbox.

KKZ_12-1728723772231.png

KKZ_13-1728723772234.png
Remember the shared secret, as it will be used on the router when configuring AAA.
Click Submit.

KKZ_14-1728723772235.png
Step 3:
Create a TACACS Profile for assigning privilege levels to the Users.
Navigate to Work Centers>Device Administration>Policy Elements>Results>TACACS Profiles>ADD.
Add the default and maximum privilege level that you want for the users and click Submit.
As this is the full-access profile, I will keep both at 15 so the user starts directly in privileged EXEC mode (#).

KKZ_15-1728723772237.png
For read-only users, I will keep the default privilege level at 1 and the maximum privilege level at 15, so that they start in user EXEC mode (>) and move to privileged EXEC mode (#) after entering the enable password, but they will be limited to show commands only.

KKZ_16-1728723772240.png
Step 4:
Create TACACS Command Set.
Go to Work Centers>Device Administration>Policy Elements>Results>TACACS Command Sets>ADD.

KKZ_17-1728723772242.png
Just tick “Permit any command that is not listed below” and then Submit.
This will allow all commands for the administrator.
Now let’s see how to limit access to only show commands.

KKZ_18-1728723772243.png
The * in the Arguments column after show indicates that the user can run all of the show commands.
If you want to limit show to only particular arguments, add the keyword in the Arguments section.
For example: show ip route, show ip interface brief, show running-config, etc.
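As an added illustration of how the two command sets above behave (this is my own Python model, not code from the post or from Cisco ISE), the script below evaluates commands the router would send for authorization against a full-access set, a read-only "show *" set, and a narrower set that lists specific show arguments. The matching semantics are a simplified assumption: DENY_ALWAYS wins over everything, otherwise the first matching row decides, and with no match the "Permit any command that is not listed below" checkbox decides.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Simplified model of an ISE TACACS command set (an assumption for illustration,
# not ISE's own matching engine): each row has a Grant, the Command's first word,
# and an Arguments pattern where "*" (or blank) means "any arguments".
@dataclass
class CommandRule:
    grant: str                 # "PERMIT", "DENY" or "DENY_ALWAYS"
    command: str               # first token of the CLI command, e.g. "show"
    arguments: str = "*"       # "*" = any arguments, otherwise a regex over the rest


@dataclass
class CommandSet:
    name: str
    rules: List[CommandRule] = field(default_factory=list)
    permit_unlisted: bool = False   # the "Permit any command that is not listed below" checkbox


def _args_match(pattern: str, args: str) -> bool:
    """"*" or blank matches anything; otherwise the whole argument string must match the regex."""
    if pattern.strip() in ("", "*"):
        return True
    return re.fullmatch(pattern, args) is not None


def evaluate(cmdset: CommandSet, cli: str) -> Tuple[str, Optional[CommandRule]]:
    """Decide PERMIT/DENY for one command the router sends for authorization.
    DENY_ALWAYS wins over everything; otherwise the first matching row decides;
    with no matching row the checkbox decides."""
    parts = cli.strip().split(None, 1)
    if not parts:
        return "DENY", None
    command, args = parts[0], (parts[1] if len(parts) > 1 else "")
    first_match: Optional[CommandRule] = None
    for rule in cmdset.rules:
        if rule.command == command and _args_match(rule.arguments, args):
            if rule.grant == "DENY_ALWAYS":
                return "DENY", rule
            if first_match is None:
                first_match = rule
    if first_match is not None:
        return first_match.grant, first_match
    return ("PERMIT" if cmdset.permit_unlisted else "DENY"), None


# The two sets from the post: full access (permit anything) and read-only (show * only).
FULL_ACCESS = CommandSet("FullAccess", permit_unlisted=True)
READ_ONLY = CommandSet("ReadOnly", [CommandRule("PERMIT", "show", "*")])
# A narrower read-only set that lists specific show arguments, as the post suggests.
SHOW_SUBSET = CommandSet("ShowSubset", [
    CommandRule("PERMIT", "show", r"ip route|ip interface brief|running-config"),
])

if __name__ == "__main__":
    for cs in (FULL_ACCESS, READ_ONLY, SHOW_SUBSET):
        for cli in ("show ip interface brief", "show version", "configure terminal"):
            print(f"{cs.name:11} {cli:26} -> {evaluate(cs, cli)[0]}")
```

Running it shows why the read-only profile in Part 4 fails command authorization for anything outside show: with the checkbox off, every command that matches no row is denied, and the narrower set also denies show version because its Arguments regex does not list it.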

Step 5:
After creating the TACACS profile and command set, it is now time to create a Device Admin Policy Set that combines the TACACS profile and command set.
Navigate to Work Centers>Device Administration>Device Admin Policy Sets
Here I am keeping the Default policy set.
Now click on the View (>) icon on the far right.

KKZ_19-1728723772245.png
Keep the Authentication policy as it is, unless you want to strictly use your AD as the authentication source; in that case, open the Use drop-down and select the AD join point name that we created.

KKZ_20-1728723772247.png
Now go into the Authorization policy; here we will combine the TACACS profile and command sets.

KKZ_21-1728723772250.png
Now add the conditions: select Device Type and choose All Device Types, unless you have created a network device group.

KKZ_22-1728723772253.png

KKZ_23-1728723772255.png

KKZ_24-1728723772257.png
Then add your external ID AD group as a condition.
Then select the TACACS profile and command set that you want to use and click Save; here I am using the full-access ones.

KKZ_25-1728723772258.png
Here, the Device Admin configuration on ISE is complete.

PART 3:
Cisco IOS AAA Configuration:

On Cisco IOS we have to create the AAA server group and add the authentication, authorization, and accounting commands.
Note: “//” marks a comment; do not type it as part of the actual command.
Step 1:
Adding the ISE server and creating the AAA server group

EDGEROUTER(config)#aaa new-model    // To enable AAA services
EDGEROUTER(config)#tacacs server ise   //Create a server named ise, you can give any name
EDGEROUTER(config-server-tacacs)#address ipv4 192.168.2.10  // your ISE server address
EDGEROUTER(config-server-tacacs)#key Cisco123  // Shared Key that you added in Cisco ISE Network Devices
EDGEROUTER(config-server-tacacs)#exit
EDGEROUTER(config)#aaa group server tacacs+ isegroup  // create a tacacs+ group, you can give any name
EDGEROUTER(config-sg-tacacs+)#server name ise  //add the ise server that we created above.

Step 2:
After adding the ISE server and group, now it's time to configure Authentication, Authorization, and Accounting on IOS.

Authentication:
Here I am using the default method list, which applies to all lines, instead of manually applying an authentication method under line vty.
EDGEROUTER(config)#aaa authentication login default group tacacs+ local // uses tacacs+ group that we created and if it fails then it goes for local credentials
EDGEROUTER(config)#aaa authentication enable default group tacacs+ enable //Authentication for enable password

Authorization:
EDGEROUTER(config)#aaa authorization exec default group tacacs+ local //used for privilege level authorization
EDGEROUTER(config)#aaa authorization config-commands //used for configuration commands authorization
EDGEROUTER(config)#aaa authorization commands 1 default group tacacs+ local //used for privilege level command authorization, which privilege level has access to what commands.
EDGEROUTER(config)#aaa authorization commands 15 default group tacacs+ local

Accounting:
EDGEROUTER(config)#aaa accounting exec default start-stop group tacacs+ //accounting for privilege level
EDGEROUTER(config)#aaa accounting commands 15 default start-stop group tacacs+ //accounting for commands
EDGEROUTER(config)#aaa accounting commands 1 default start-stop group tacacs+
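As an added check for the configuration in Steps 1 and 2 (my own Python script, not code from the post or from Cisco), the audit below reads an IOS running-config and reports what is missing from the AAA setup: aaa new-model, a tacacs server with address and key, config-command authorization, each authentication, authorization and accounting method list pointing at a TACACS+ group, and a local fallback at the end of the authentication and authorization lists so administrators are not locked out when ISE is unreachable. The sample config is constructed from the commands above with the prompts and // comments stripped; the list of required method lists is my assumption based on this post.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the AAA section from Part 3 as it would appear in
# "show running-config" (prompts and // comments removed).
SAMPLE_CONFIG = """
aaa new-model
tacacs server ise
 address ipv4 192.168.2.10
 key Cisco123
aaa group server tacacs+ isegroup
 server name ise
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization config-commands
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
"""

# Method lists Part 3 configures (assumption: this is the set we require).
REQUIRED_LISTS = [
    "aaa authentication login default",
    "aaa authentication enable default",
    "aaa authorization exec default",
    "aaa authorization commands 1 default",
    "aaa authorization commands 15 default",
    "aaa accounting exec default",
    "aaa accounting commands 1 default",
    "aaa accounting commands 15 default",
]


def parse_config(text: str) -> List[Tuple[bool, str]]:
    """Split a running-config into (is_subcommand, text) pairs; sub-commands are indented."""
    return [(raw.startswith(" "), raw.strip()) for raw in text.splitlines() if raw.strip()]


def tacacs_groups(lines: List[Tuple[bool, str]]) -> set:
    """Names usable after 'group': the implicit 'tacacs+' plus every 'aaa group server tacacs+ NAME'."""
    names = {"tacacs+"}
    for sub, ln in lines:
        m = re.match(r"aaa group server tacacs\+ (\S+)$", ln)
        if not sub and m:
            names.add(m.group(1))
    return names


def audit_aaa(text: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    lines = parse_config(text)
    top = [ln for sub, ln in lines if not sub]
    findings: List[str] = []

    if "aaa new-model" not in top:
        findings.append("missing 'aaa new-model': AAA is not enabled")

    # Every 'tacacs server NAME' block needs an address and a shared key.
    block = None
    servers: Dict[str, Dict[str, bool]] = {}
    for sub, ln in lines:
        if not sub:
            m = re.match(r"tacacs server (\S+)$", ln)
            block = m.group(1) if m else None
            if block:
                servers[block] = {"address": False, "key": False}
        elif block:
            if ln.startswith("address "):
                servers[block]["address"] = True
            if ln.startswith("key "):
                servers[block]["key"] = True
    if not servers:
        findings.append("no 'tacacs server' defined")
    for name, have in servers.items():
        for item, ok in have.items():
            if not ok:
                findings.append(f"tacacs server {name}: missing {item}")

    if "aaa authorization config-commands" not in top:
        findings.append("missing 'aaa authorization config-commands': config-mode commands are not authorized")

    groups = tacacs_groups(lines)
    for prefix in REQUIRED_LISTS:
        match = next((ln for ln in top if ln.startswith(prefix + " ")), None)
        if match is None:
            findings.append(f"missing method list '{prefix}'")
            continue
        methods = match[len(prefix):].split()
        # Accounting lists carry a record type (start-stop / stop-only) before the methods.
        if prefix.startswith("aaa accounting") and methods and methods[0] in ("start-stop", "stop-only"):
            methods = methods[1:]
        uses_group = any(methods[i] == "group" and methods[i + 1] in groups
                         for i in range(len(methods) - 1))
        if not uses_group:
            findings.append(f"'{prefix}' does not use a TACACS+ server group")
        # Authentication and authorization lists should end in a non-server method
        # (local / enable / line) so the device stays manageable if ISE is down.
        if not prefix.startswith("aaa accounting") and methods and methods[-1] not in ("local", "enable", "line"):
            findings.append(f"'{prefix}' has no local fallback after the TACACS+ group")
    return findings


if __name__ == "__main__":
    for f in audit_aaa(SAMPLE_CONFIG) or ["all AAA checks passed"]:
        print(f)
```

Run it against the output of show running-config | section aaa|tacacs on the router; the constructed sample from this post passes cleanly, while dropping local from the login list or the key from the tacacs server block produces a finding.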

Part 4:
Verification

KKZ_26-1728723772260.png
After entering the correct credentials, I got access to the router.
To check the logs on ISE, go to Operations>TACACS>Live Logs.

KKZ_27-1728723772262.png

KKZ_28-1728723772265.png
For users with read-only access:

KKZ_29-1728723772266.png
Command authorization failed because I have not allowed this command in the command set for read-only users.

KKZ_30-1728723772269.png
