2640 Views, 0 Helpful, 1 Reply

ISE TACACS Proxy authorization profile for different devices

phaaring (Level 1)

Hi,

 

Our customer has a local ISE for TACACS authentication and wants to proxy TACACS traffic to a central ISE deployment. Basically, this works fine at the moment for Cisco switches.

 

Switch -> Local ISE TACACS proxy -> Central ISE TACACS (via NAT)

 

In this case the central ISE TACACS gives the right command set and shell profile for switches.

 

But now we want to add other devices (like Cisco Prime) that require a different command set and shell profile. On the central ISE TACACS, however, all device-specific attributes (switch/Prime) such as hostname, IP or device group are not available; they are replaced with the NAT address of the TACACS proxy source (the local ISE TACACS), so it is not possible to separate switch authentication requests from Prime authentication requests and give the required result per device or device group.

 

A solution for this issue should be to use the authentication rules on the local ISE TACACS proxy based on a permit received from the Central ISE TACACS.

This option is available for RADIUS proxy and is called "On Access-Accept, continue to Authorization Policy" under the menu "RADIUS Server Sequence - Advanced Attribute Settings".

But for TACACS proxy this option is not available.

 

Please can someone help us with this issue?
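The attribute loss described in the post, as an added illustration that is not part of the original post and not ISE code: a small Python model of the central policy, keyed on the network device group of the connection's source address. Every address, group name, shell profile and command set below is hypothetical, and the sample logins are constructed. The model shows why proxied requests from a switch and from Prime collapse to the same authorization result once the central ISE only sees the proxy's NAT address.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class TacacsRequest:
    """The fields this simplified policy can key on."""
    username: str
    nas_ip: str  # source address of the TACACS+ connection as seen by this ISE


# Constructed network-device inventory on the central ISE (hypothetical addresses).
# The local ISE proxy is registered under its NAT address and sits in the
# "Switches" group, which is why proxied switch logins already get the right result.
CENTRAL_NADS = {
    ip_network("10.1.0.0/24"): "Switches",     # switches, if they reached central ISE directly
    ip_network("10.2.0.10/32"): "Prime",       # Cisco Prime, if it reached central ISE directly
    ip_network("203.0.113.5/32"): "Switches",  # NAT address of the local ISE TACACS proxy
}

# Central authorization rules: device group -> (shell profile, command set).
CENTRAL_RULES = {
    "Switches": ("Switch-Shell", "Switch-Commands"),
    "Prime": ("Prime-Shell", "Prime-Commands"),
}
DENY = ("Deny-Shell", "Deny-All")

PROXY_NAT_IP = "203.0.113.5"  # hypothetical NAT address of the local ISE


def device_group(nas_ip: str):
    """Map the connection's source address to its network device group, or None."""
    addr = ip_address(nas_ip)
    for net, group in CENTRAL_NADS.items():
        if addr in net:
            return group
    return None


def central_authorize(req: TacacsRequest):
    """Central policy: the outcome depends only on the device group of nas_ip."""
    return CENTRAL_RULES.get(device_group(req.nas_ip), DENY)


def via_proxy(req: TacacsRequest) -> TacacsRequest:
    """Forward through the local ISE proxy: the username survives, but after NAT
    the central ISE sees the proxy's address instead of the original device's."""
    return TacacsRequest(req.username, PROXY_NAT_IP)


def outcomes(requests, forward):
    """Return {username: (shell profile, command set)} after applying `forward`
    (identity for a direct connection, via_proxy for the proxied path)."""
    return {r.username: central_authorize(forward(r)) for r in requests}


# Constructed sample logins: one from a switch, one from Prime.
SAMPLE = [
    TacacsRequest("netops-switch", "10.1.0.7"),
    TacacsRequest("netops-prime", "10.2.0.10"),
]

if __name__ == "__main__":
    print("direct :", outcomes(SAMPLE, lambda r: r))   # two different results
    print("proxied:", outcomes(SAMPLE, via_proxy))     # both get the switch result
```

Run directly, the direct path yields a distinct profile per device while the proxied path returns the switch profile for both users, because the only device attribute left for the central policy to match on is the proxy's NAT address.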

1 Reply

hslai (Cisco Employee)