
Configuring TACACS+ - ASA5525 -> ISE

Antony Paul
Level 1

Hi,

Hoping to pick your brains about configuring TACACS+ on an ASA 5525 with ISE for aaa.

Environment:

ASA5525 - 9.8(2)20 active/standby cluster
ISE - 2.1.0.474

We currently use RADIUS for aaa and are looking to switch over to TACACS+.

Following the Cisco documentation, I have cobbled together the below config:


------------------------------------------------------------

aaa-server ise-tacacs protocol tacacs+
aaa-server ise-tacacs max-failed-attempts 3

aaa-server ise-tacacs (inside) host xx.xx.xx.xx
key ################

aaa-server ise-tacacs (inside) host xx.xx.xx.xx
key ################

clear configure aaa
aaa authentication ssh console ise-tacacs LOCAL
aaa authentication enable console ise-tacacs LOCAL
aaa authentication http console ise-tacacs LOCAL
aaa authentication secure-http-client

aaa authorization exec authentication-server auto-enable

aaa authorization http console ise-tacacs

aaa authorization command ise-tacacs LOCAL

aaa accounting ssh console ise-tacacs
aaa accounting serial console ise-tacacs
aaa accounting enable console ise-tacacs

-----------------------------------------------------------

Now my main concern is locking everyone out, either from authentication or from command authorization. That would be, for want of a better phrase, a resume-generating event. Whilst I vaguely understand the aaa authentication commands above, I am not sure enough of things to feel safe entering this config just yet.

I can't schedule a reload as a backup because of the primary/secondary failover.

We have an out-of-band Lantronix terminal server providing serial access. What I am unclear about is whether serial access would be possible in the event I get locked out.

I haven't included an aaa authentication serial command above - would that mean that serial connections could be made using the LOCAL priv 15 user to assist with rollback? This is the part I am unsure about. I would like to play this as safe as possible, even though I am about 90% sure the above would work as intended as I have tested this on a standalone 5512. I was also successfully able to test LOCAL fall back by changing the ISE Object for the test firewall to an incorrect IP.

--------------------------------------

Existing RADIUS config (if it would be helpful to share any other parts of the config, please let me know):

aaa-server RADIUS-GROUP protocol radius
aaa-server RADIUS-GROUP (inside) host YY.YY.YY.YY
aaa-server RADIUS-GROUP (inside) host YY.YY.YY.YY
user-identity domain DOMAIN-NAME aaa-server DOMAIN-NAME.LOCAL
user-identity ad-agent aaa-server CCDA
aaa authentication http console RADIUS-GROUP LOCAL
aaa authentication ssh console RADIUS-GROUP LOCAL


Any advice gratefully received.
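The poster's worry is a lockout caused by a method list with no LOCAL fallback, a server group that is referenced but undefined, or an access path that is silently left out of the new aaa lines. The following is an added example (not the poster's config and not a Cisco tool) of a small pre-change lint for an ASA-style aaa block: it parses the candidate config, flags every authentication or command-authorization method list that does not end in LOCAL or that names a group with no hosts, and reports access paths (serial, ssh, http, enable) for which no `aaa authentication ... console` line exists, so they can be verified on the out-of-band console before the cutover. The sample config is constructed from the post with RFC 5737 documentation addresses and placeholder keys; the lint rules are my own heuristics and cover only the commands shown in the post.

```python
import re
from typing import Dict, List, Set

# Constructed sample modelled on the TACACS+ candidate config in the post.
# Server IPs are RFC 5737 documentation addresses; keys are placeholders.
CANDIDATE_CONFIG = """\
aaa-server ise-tacacs protocol tacacs+
aaa-server ise-tacacs max-failed-attempts 3
aaa-server ise-tacacs (inside) host 192.0.2.10
key PLACEHOLDER-KEY
aaa-server ise-tacacs (inside) host 192.0.2.11
key PLACEHOLDER-KEY
aaa authentication ssh console ise-tacacs LOCAL
aaa authentication enable console ise-tacacs LOCAL
aaa authentication http console ise-tacacs LOCAL
aaa authentication secure-http-client
aaa authorization exec authentication-server auto-enable
aaa authorization http console ise-tacacs
aaa authorization command ise-tacacs LOCAL
aaa accounting ssh console ise-tacacs
aaa accounting serial console ise-tacacs
aaa accounting enable console ise-tacacs
"""

# Access paths from the post whose authentication can be sent to a server group.
CONSOLE_TYPES = ("serial", "ssh", "http", "enable")


def lint_aaa(config: str) -> Dict[str, List[str]]:
    """Return {'lockout_risk': [...], 'notes': [...]} for an ASA-style aaa block.

    lockout_risk: method lists without a trailing LOCAL fallback, or that name
                  a server group which is undefined or has no hosts.
    notes:        access paths this config never sends to a server group, and
                  accounting lines with no matching authentication line.
    """
    findings: Dict[str, List[str]] = {"lockout_risk": [], "notes": []}
    hosts: Dict[str, int] = {}          # server group -> number of host entries
    auth: Dict[str, List[str]] = {}     # console type -> method list
    authz_command: List[str] = []       # method list of 'aaa authorization command'
    accounting: Set[str] = set()        # console types with accounting configured

    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"aaa-server (\S+) protocol \S+$", line):
            hosts.setdefault(m.group(1), 0)
        elif m := re.match(r"aaa-server (\S+) \(\S+\) host \S+", line):
            hosts[m.group(1)] = hosts.get(m.group(1), 0) + 1
        elif m := re.match(r"aaa authentication (\S+) console (.+)$", line):
            auth[m.group(1)] = m.group(2).split()
        elif m := re.match(r"aaa authorization command (.+)$", line):
            authz_command = m.group(1).split()
        elif m := re.match(r"aaa accounting (\S+) console", line):
            accounting.add(m.group(1))

    def check_methods(what: str, methods: List[str]) -> None:
        # Every non-LOCAL group must exist and have at least one host,
        # and the list must end in LOCAL so a dead server group is survivable.
        for group in methods:
            if group == "LOCAL":
                continue
            if group not in hosts:
                findings["lockout_risk"].append(f"{what}: server group '{group}' is not defined")
            elif hosts[group] == 0:
                findings["lockout_risk"].append(f"{what}: server group '{group}' has no hosts")
        if methods and methods[-1] != "LOCAL":
            findings["lockout_risk"].append(f"{what}: no LOCAL fallback after '{' '.join(methods)}'")

    for ctype, methods in auth.items():
        check_methods(f"authentication {ctype}", methods)
    if authz_command:
        check_methods("authorization command", authz_command)

    for ctype in CONSOLE_TYPES:
        if ctype not in auth:
            findings["notes"].append(
                f"no 'aaa authentication {ctype} console' line: {ctype} logins are not "
                f"sent to a server group by this config; verify its behaviour out-of-band first")
    for ctype in sorted(accounting - set(auth)):
        findings["notes"].append(f"accounting for {ctype} is configured but authentication for {ctype} is not")
    return findings


if __name__ == "__main__":
    for category, items in lint_aaa(CANDIDATE_CONFIG).items():
        print(category)
        for item in items:
            print("  -", item)
```

Run against the candidate config it reports no lockout risk (every method list ends in LOCAL and the group has two hosts) but does note that serial has accounting without any authentication line, which is exactly the path to confirm on the Lantronix console before and after the change.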
