Specify TACACS console / SSH access in ISE authorization policies

SMD28316 (Level 1)

Is it possible to specify an authorization policy for TACACS users that are authenticating via Console or SSH methods?

2 Replies

Marvin Rhoads (Hall of Fame)

Yes, of course. That's one of the core features of the TACACS server feature in ISE.

https://community.cisco.com/t5/security-documents/cisco-ise-device-administration-prescriptive-deployment-guide/ta-p/3738365

Arne Bier (VIP, Accepted Solution)

@SMD28316 - you should also consider how you configure the switch's "line console" and "line vty" and apply the appropriate Method Lists (Authentication List and Authorization List). This tells the switch exactly how to engage AAA for login, exec authZ and command authZ. For example, you could tell the switch to only perform authentication via TACACS on the console, but not exec or command authZ.

ISE should not care whether the request came from a vty (ssh) or a pty (console) - but you can of course filter that out in ISE during Authentication/Authorization if needed.
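The split described above, as an added example that is not part of the original thread or of any Cisco document: an IOS/IOS-XE AAA configuration that authenticates console logins against ISE TACACS+ but performs no exec or command authorization there, while SSH (vty) sessions get authentication, exec authorization (the ISE shell profile) and command authorization (the ISE command set). The server name, address, shared-secret placeholder, local fallback account and all method-list names are assumptions; substitute your own.

```text
! Added example, not from the original post. Placeholder values are marked.
aaa new-model
!
tacacs server ISE-PSN1
 address ipv4 192.0.2.10            ! assumed ISE Policy Service Node address
 key SHARED-SECRET-PLACEHOLDER      ! must match the Network Device entry in ISE
!
aaa group server tacacs+ ISE-TACACS
 server name ISE-PSN1
!
! Local fallback so the console is never locked out if ISE is unreachable.
! Assumed account name and secret.
username admin-local privilege 15 secret LOCAL-FALLBACK-SECRET
!
! Console: authenticate via TACACS+ (local fallback), nothing else.
aaa authentication login CONSOLE-AUTHC group ISE-TACACS local
!
! VTY/SSH: authenticate, then exec authZ and level-15 command authZ via ISE.
aaa authentication login VTY-AUTHC group ISE-TACACS local
aaa authorization exec VTY-AUTHZ group ISE-TACACS local
aaa authorization commands 15 VTY-CMD-AUTHZ group ISE-TACACS local
aaa accounting commands 15 VTY-ACCT stop-only group ISE-TACACS
!
! Note: IOS skips authorization on the console unless "aaa authorization console"
! is configured. It is deliberately left unset here, so even if an exec or
! command list were later attached to line con 0 it would not be enforced.
!
line con 0
 login authentication CONSOLE-AUTHC
!
line vty 0 15
 transport input ssh
 login authentication VTY-AUTHC
 authorization exec VTY-AUTHZ
 authorization commands 15 VTY-CMD-AUTHZ
 accounting commands 15 VTY-ACCT
```

After applying it, keep the existing session open and verify from a second SSH session before logging out, and use "show aaa servers" to confirm the switch is actually reaching ISE; "debug aaa authorization" shows which method list a given line is using. On the ISE side, the TACACS Live Logs will show both console and SSH logins hitting the same Device Admin policy set, which is the point Arne makes: the distinction is made on the switch by the method lists, not by ISE.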