cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1830
Views
40
Helpful
2
Replies

Specify TACACS console / SSH access in ISE authorization policies

SMD28316
Level 1
Level 1

Is it possible to specify an authorization policy for TACACS users that are authenticating via Console or SSH methods?

1 Accepted Solution

Accepted Solutions

Arne Bier
VIP
VIP

@SMD28316 - you should also consider how you configure the switch's "line console" and "line vty" and apply the appropriate Method Lists (Authentication List and Authorization List). This tells the switch exactly how to engage AAA for login, exec authZ and command authZ. For example, you could tell the switch to only perform authentication via TACACS on the console, but not exec or command authZ.

ISE should not care whether the request came from a vty (ssh) or a pty (console) - but you can of course filter that out in ISE during Authentication/Authorization if needed.

 

 

View solution in original post

2 Replies 2

Marvin Rhoads
Hall of Fame
Hall of Fame

Yes, of course. That's one of the core features of the TACACS server feature in ISE.

https://community.cisco.com/t5/security-documents/cisco-ise-device-administration-prescriptive-deployment-guide/ta-p/3738365

Arne Bier
VIP
VIP

@SMD28316 - you should also consider how you configure the switch's "line console" and "line vty" and apply the appropriate Method Lists (Authentication List and Authorization List). This tells the switch exactly how to engage AAA for login, exec authZ and command authZ. For example, you could tell the switch to only perform authentication via TACACS on the console, but not exec or command authZ.

ISE should not care whether the request came from a vty (ssh) or a pty (console) - but you can of course filter that out in ISE during Authentication/Authorization if needed.