ISE TACACS Proxy authorization profile for different devices

phaaring
Level 1

Hi,

Our customer has a local ISE for TACACS authentication and wants to proxy TACACS traffic to a central ISE deployment. Basically, this works fine at the moment for Cisco switches.

Switch -> Local ISE TACACS proxy -> Central ISE TACACS (via NAT)

In this case the central ISE TACACS gives the right command set and shell profile for switches.

But now we want to add other devices (like Cisco Prime) that require a different command set and shell profile. But on the central ISE TACACS all device-specific (switch/Prime) attributes such as hostname, IP or device group are not available; they are replaced with the NAT address of the TACACS proxy source (local ISE TACACS), so it's not possible to separate switch authentication requests from Prime authentication requests to give the required result per device or device group.

A solution for this issue should be to use the authentication rules on the local ISE TACACS proxy based on a permit received from the central ISE TACACS.

This option is available for RADIUS proxy and is called “On Access-Accept, continue to Authorization Policy” under the menu “RADIUS Server Sequence – Advanced Attribute settings”.

But for TACACS proxy this option is not available.

Please can someone help us with this issue?

2 Replies

hslai
Cisco Employee

Why not simply use the local ISE for the other devices?

Hi,

Good question. The local ISE is the customer's, the central ISE is from the network management party. Both are connected with a different AD for user authentication. Both parties do not want to connect their own ISE with the other party's AD.
