Solved: TACACS+ devices administration

mdjan · ‎10-11-2017

Hello guys, We try to manage all our pack equipements with Cisco ISE(TACACS+). We have already done some Cisco devices (routers and switches) configuration and it's good. But we don't know how to configure client side configuration for TACACS+ for Huawei and Juniper devices.

If someone knows how to configure TACACS+ on these devices, it will be grateful for me.

Thank for the help.

Arne Bier · ‎10-11-2017

I have configured a Juniper device in ISE 2.2. In the ISE TACACS Profile, under Common Tasks, Select 'Generic' and then manually add a MANDATORY custom attribute, where the name is local-user-name and the value is whatever you have configured on the Juniper.

If you click on the Raw View tab, you should see

local-user-name=adminxyz

TACACS is pretty universal and the Generic method allows you to craft just about any reply to the client. Best to check the vendor documentation. I had to do the same for Aruba Wireless, which is completely different again. And HPE switches - again, different. Always check the documentation. Cisco only has nice TACACS profiles for its own devices (WLC/Nexus/etc.) ;-) But even those are not exhaustive examples of Cisco TACACS config.

I think one thing in ISE should be documented/explained better - and that is the TACACS Single Connect Mode under the Network Devices settings (where you add all your NAS's). I have run into trouble with Aruba Controllers when using the option " TACACS Draft Compliance Single Connect Support". Aruba complained about the length of the packet. I had to switch to the "Legacy Cisco Device" mode. Go figure. And all the while I had 'Enable Single Connect Mode' enabled. I don't know if that is a clever option, but for the web GUI access to an Aruba controller it seems to work well.

View solution in original post

Arne Bier · ‎10-11-2017

I have configured a Juniper device in ISE 2.2. In the ISE TACACS Profile, under Common Tasks, Select 'Generic' and then manually add a MANDATORY custom attribute, where the name is local-user-name and the value is whatever you have configured on the Juniper.

If you click on the Raw View tab, you should see

local-user-name=adminxyz

TACACS is pretty universal and the Generic method allows you to craft just about any reply to the client. Best to check the vendor documentation. I had to do the same for Aruba Wireless, which is completely different again. And HPE switches - again, different. Always check the documentation. Cisco only has nice TACACS profiles for its own devices (WLC/Nexus/etc.) ;-) But even those are not exhaustive examples of Cisco TACACS config.

I think one thing in ISE should be documented/explained better - and that is the TACACS Single Connect Mode under the Network Devices settings (where you add all your NAS's). I have run into trouble with Aruba Controllers when using the option " TACACS Draft Compliance Single Connect Support". Aruba complained about the length of the packet. I had to switch to the "Legacy Cisco Device" mode. Go figure. And all the while I had 'Enable Single Connect Mode' enabled. I don't know if that is a clever option, but for the web GUI access to an Aruba controller it seems to work well.

TACACS+ devices administration

Re: Duo MFA Integration with ISE for TACACS+ Device Administration wit

ISE - O que precisamos saber sobre TACACS+

Cisco Nexus シリーズ : Radius/Tacacs+ のトラブルシューティング

ISE Device Administration Attributes

Configure APIC for Device Administration with ISE and TACACS+