TACACS Profile Questions for Third-Party Equipment Using ISE

CCC3
Level 1

Using ISE, we want to set up TACACS not only for Cisco equipment but also for third-party equipment.

I'm trying to create a TACACS profile.
I understand that each vendor has an attribute value to set up TACACS on the ISE.

If I put various attribute values in one profile, can I set up TACACS for third-party equipment with just one profile?

When I put in the Juniper attribute value, I thought TACACS would be set for both the Juniper and Cisco equipment because the Cisco equipment did not have a separate attribute value.

The Juniper equipment was applied, but the Cisco equipment only showed the authentication success log in the live log, and the actual CLI was not accessible.

Please give me some advice regarding this.


12 Replies

I'm not sure I'm following your question, but you should use network device groups to differentiate within the Device Admin Policy. By matching on those NAD groups, you can ensure that Juniper attributes are only sent to Juniper NADs and Cisco attributes are only sent to Cisco devices.

So you want to use ISE for both Juniper and Cisco admin authc and authz?

MHM

hslai
Cisco Employee

> If I put various attribute values in one profile, can I set up TACACS of third-party equipment with just one profile?

No. As different vendors expect different sets of attributes, we need separate profiles for them. The Cisco ISE Device Administration Prescriptive Deployment Guide would be a good starting point in understanding how TACACS+ works.


Thank you for your answer.

If you set it up like the attached picture, the Juniper equipment has TACACS set and the Cisco equipment has no attribute value, so I think the Cisco equipment will be set as well.

Does that mean it isn't?

(attached image: 20240115_083528.png)

Where is the policy in which this result is called? Do both Juniper and Cisco devices hit this rule?

What I'm just curious about is whether it is possible to set TACACS on third-party equipment with that profile if you put attribute values for multiple third-party equipment (Juniper, Alteon, F5, etc.) in one TACACS profile.

Accepted Solution

No, you need one per vendor. Use network device groups (or whatever mechanism you like) to ensure only Cisco attributes are sent to Cisco devices, only Juniper to Juniper devices, etc.

https://community.cisco.com/t5/security-knowledge-base/cisco-ise-device-administration-prescriptive-deployment-guide/ta-p/3738365

This means that you have to use one TACACS profile for each vendor.

Do you know what will happen if you put multiple third-party equipment attribute values in one profile, like in my question?

It depends on the network device. Some devices just ignore them and work fine if they are given at least one correct attribute. Others will fail to authenticate the admin user completely.
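The two replies above (one profile per vendor, selected by network device group, and "some devices ignore unknown attributes, others fail") can be modelled with the TACACS+ authorization rules from RFC 8907 section 6.1: an attribute sent as `name=value` is mandatory and a client that does not understand it must fail the authorization, while `name*value` is optional and may be ignored. The following is an added example, not code from the thread or from Cisco ISE. The vendor attribute sets, the profile names, the `Vendor:...` device-group labels and the `lint_policy` helper are all assumptions made for illustration; real devices may diverge from the RFC rule, which is exactly why the reply says "it depends on the network device".

```python
"""Model of how a TACACS+ client handles an authorization REPLY it only partly
understands (RFC 8907, section 6.1), and a lint of an ISE-style policy that
maps network device groups (NDGs) to TACACS profiles.
Added example; attribute sets and names below are assumptions, not ISE data."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class AVPair:
    name: str
    value: str
    mandatory: bool  # '=' separator = mandatory, '*' separator = optional


def parse_avpair(text: str) -> AVPair:
    """Parse one 'attr=value' / 'attr*value' string from an authorization REPLY.
    The first '=' or '*' is the separator; anything after it is the value."""
    for i, ch in enumerate(text):
        if ch in "=*":
            return AVPair(text[:i], text[i + 1:], ch == "=")
    raise ValueError(f"not an attribute-value pair: {text!r}")


# Attributes each vendor's TACACS+ client is assumed to consume (constructed,
# shortened to the common shell/exec attributes).
VENDOR_KNOWN_ATTRS = {
    "Cisco": {"priv-lvl", "cmd", "cmd-arg", "idletime", "timeout"},
    "Juniper": {"local-user-name", "allow-commands", "deny-commands",
                "allow-configuration", "deny-configuration"},
}

# ISE-style profiles (constructed). One per vendor, plus the single mixed
# profile from the question. Values are what would land in the REPLY.
PROFILES = {
    "Cisco-Admin": ["priv-lvl=15"],
    "Juniper-Admin": ["local-user-name=ise-super", "allow-commands=.*",
                      "allow-configuration=.*"],
    "Mixed-Admin": ["priv-lvl=15", "local-user-name=ise-super",
                    "allow-commands=.*"],
    # Same mix, but the foreign attributes marked optional with '*'.
    "Mixed-Optional": ["priv-lvl=15", "local-user-name*ise-super",
                       "allow-commands*.*"],
}

# NDG -> profile, the way a device-admin policy set selects a result by
# matching the NAD's device group (assumed group naming).
POLICY_BY_NDG = {"Vendor:Cisco": "Cisco-Admin", "Vendor:Juniper": "Juniper-Admin"}


def evaluate_reply(vendor: str, avpairs: list[str]) -> tuple[str, dict]:
    """Apply the RFC 8907 rule for a client of the given vendor.
    Returns ("PASS", accepted attributes) or ("FAIL", {}).
    Unknown mandatory attribute -> FAIL; unknown optional -> silently ignored."""
    known = VENDOR_KNOWN_ATTRS[vendor]
    accepted: dict = {}
    for raw in avpairs:
        av = parse_avpair(raw)
        if av.name in known:
            accepted[av.name] = av.value
        elif av.mandatory:
            return "FAIL", {}
    return "PASS", accepted


def select_profile(ndg: str) -> str:
    """Policy lookup: which profile does a NAD in this device group receive?"""
    return POLICY_BY_NDG[ndg]


def lint_policy(policy: dict[str, str]) -> dict[str, set[str]]:
    """Per NDG, the attribute names in its profile that the NDG's vendor does
    not consume. Empty sets mean no cross-vendor attributes leak."""
    problems = {}
    for ndg, profile_name in policy.items():
        vendor = ndg.split(":", 1)[1]
        names = {parse_avpair(a).name for a in PROFILES[profile_name]}
        problems[ndg] = names - VENDOR_KNOWN_ATTRS[vendor]
    return problems


if __name__ == "__main__":
    # Mixed profile to a Cisco device: authentication succeeds, but the
    # authorization reply is rejected, so no CLI access (the symptom in the post).
    print("Cisco <- Mixed-Admin:", evaluate_reply("Cisco", PROFILES["Mixed-Admin"]))
    # Marking foreign attributes optional lets a strict RFC client ignore them.
    print("Cisco <- Mixed-Optional:", evaluate_reply("Cisco", PROFILES["Mixed-Optional"]))
    # One profile per vendor, chosen by NDG, is clean for both.
    for ndg, vendor in (("Vendor:Cisco", "Cisco"), ("Vendor:Juniper", "Juniper")):
        print(ndg, "->", select_profile(ndg),
              evaluate_reply(vendor, PROFILES[select_profile(ndg)]))
    print("lint:", lint_policy({"Vendor:Cisco": "Mixed-Admin"}))
```

The `lint_policy` check is the part worth keeping: run it over your NDG-to-profile mapping before rollout and any non-empty set means a profile is carrying another vendor's attributes to a device that may treat them as mandatory and drop the session.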

Do you have any information about some of the equipment you mentioned?

I think this is an issue of attributes.

Cisco uses specific attributes for login, and this is different for other vendors.

I am out of home now; you can check this point, and when I return I will make more searches and update you.

Thanks

MHM