TACACS+: is it possible to have different password policies?

craiglebutt
Level 4

We use Solarwinds to back up all our Core & Edge Network; this currently uses an account set up on ACS TACACS.

About to migrate to ISE TACACS, but our security office wants us to change the password profile.

From what I can see, setting this profile to force a password change every so often will cause us issues with Solarwinds if no one remembers to change it.

Is it possible to create 2 groups with different profiles for the TACACS account?

Can't use a local account, as that will only work if TACACS is not available.

Using ISE 2.2 P9

Cheers

5 Replies

Marvin Rhoads
Hall of Fame

How about if you make the SolarWinds account local on the ISE server?

 

Check for both user identity on ISE and AD when authenticating and authorizing. Either match works.

 

ISE only has SolarWinds in the group (and maybe a backup network admin).

 

AD is your network admins and they follow the AD password policy.

Hi

Already thought of that; the issue is we lose who has control over the network, as people with Domain Admin level can add people without letting us know.

Cheers

Why wouldn't a local account work in ISE? Also, to help with your security concerns, whether you use AD or a local account you should be locking that SolarWinds account to only being used from the Solarwinds IP. That prevents misuse of that account (yes, I know someone could SSH from the Solarwinds server using that account if they are really trying to hide what they are doing).

Any management service account rule I build in ISE says:

If username = service account and TACACS Remote Address equals the IP of the management server, then give it the required access.
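The rule described in the reply above, as an added example that is not part of the thread and not ISE's own policy engine: it evaluates constructed TACACS+ requests against a "service account only from its management server" rule and collects the denials a defender would want to alert on. The account name `svc-solarwinds`, the address `192.0.2.10` and the record fields are assumed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed mapping (constructed, not from the thread): service account -> the
# only remote address it may authenticate from (the management server).
SERVICE_ACCOUNTS = {"svc-solarwinds": ip_network("192.0.2.10/32")}


@dataclass(frozen=True)
class TacacsAuthRequest:
    username: str
    remote_address: str   # the "TACACS Remote Address" seen by the policy
    network_device: str   # the switch or router that forwarded the request


def evaluate(req: TacacsAuthRequest) -> tuple[str, str]:
    """Return (decision, reason).

    A known service account is permitted only when the request comes from
    its management server; any other source is denied. Non-service users
    fall through to the normal (e.g. AD-backed) rules, which this example
    does not model.
    """
    allowed_from = SERVICE_ACCOUNTS.get(req.username)
    if allowed_from is None:
        return ("fallthrough", "not a service account; normal rules apply")
    if ip_address(req.remote_address) in allowed_from:
        return ("permit", "service account used from its management server")
    return ("deny", f"{req.username} used from {req.remote_address} "
                    f"(expected {allowed_from.network_address})")


def audit(records: list[TacacsAuthRequest]) -> list[tuple[TacacsAuthRequest, str]]:
    """Run the rule over a batch and return only the denials with reasons."""
    return [(r, evaluate(r)[1]) for r in records if evaluate(r)[0] == "deny"]


# Constructed sample: one legitimate poll, one admin login, one misuse attempt.
SAMPLE = [
    TacacsAuthRequest("svc-solarwinds", "192.0.2.10", "core-sw1"),
    TacacsAuthRequest("jdoe", "198.51.100.23", "core-sw1"),
    TacacsAuthRequest("svc-solarwinds", "198.51.100.23", "edge-rtr2"),
]

if __name__ == "__main__":
    for req, reason in audit(SAMPLE):
        print(f"DENY {req.network_device}: {reason}")
```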

If you can't trust your domain admins then you have a bigger problem than ISE can solve. :)

 

You could stand up an AD or LDAP server that the network team manages which is used only as an external identity store.

hslai
Cisco Employee

Both Marvin and Paul provided valuable inputs. Adding to theirs,

ISE internal user password policy and account disable policy are both global only. However, each of the internal users may have its own password type, selecting from either internal users or one of the configured external ID sources. If using an external source for the password type, then it follows the password policy of the external source.