01-11-2024 03:48 PM
Using ISE, we want to set up TACACS not only for CISCO equipment but also for third-party equipment.
I'm trying to create a TACACS profile
I understand that each vendor has an attribute value to set up TACACS on the ISE.
If I put various attribute values in one profile, can I set up TACACS of third-party equipment with just one profile?
When I put in the juniper attribute value, I thought TACACS would be set for both the juniper and cisco equipment because the cisco equipment did not have a separate attribute value.
The Juniper equipment was applied, but the Cisco equipment only showed the authentication success log in the live log, and the actual CLI was not accessible.
Please give me some advice regarding this.
01-16-2024 07:45 AM
No, you need one per vendor. Use network device groups (or whatever mechanism you like) to ensure only Cisco attributes are sent to Cisco devices, only Juniper to Juniper devices, etc.
01-12-2024 06:48 AM
I'm not sure I'm following your question but you should use network device groups to differentiate within the Device Admin Policy. By matching on those NAD groups, you can ensure that Juniper attributes are only sent to Juniper NADs and Cisco attributes are only sent to Cisco devices.
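The policy logic the replies describe, as an added example that is not from this thread or from ISE itself: one TACACS+ profile per vendor, selected by the NAD's Device Type network device group, plus a check showing why a single mixed profile authenticates but leaves a Cisco device without shell access. The attribute and service names (`shell`/`priv-lvl` for Cisco IOS, `junos-exec`/`local-user-name` for Junos) and the `#`-separated NDG path are assumptions drawn from common documentation, not from the posts.

```python
# Added example (not the thread's or ISE's own code). Assumptions: the
# commonly documented Cisco IOS shell and Junos "junos-exec" authorization
# attributes, and ISE's "Parent#Child" naming for network device groups.

# One TACACS+ profile per vendor: only the service and attributes that
# vendor's CLI actually consumes.
VENDOR_PROFILES = {
    "Cisco":   {"service": "shell",      "attributes": {"priv-lvl": "15"}},
    "Juniper": {"service": "junos-exec", "attributes": {"local-user-name": "ise-admin"}},
}

# The single "mixed" profile from the original question: Juniper's service
# plus both vendors' attributes thrown into one result (constructed sample).
MIXED_PROFILE = {
    "service": "junos-exec",
    "attributes": {"priv-lvl": "15", "local-user-name": "ise-admin"},
}


def select_profile(device_type_ndg: str) -> dict:
    """Device Admin policy rule: match on the NAD's Device Type NDG
    (e.g. "All Device Types#Cisco") and return that vendor's profile."""
    vendor = device_type_ndg.split("#")[-1]
    try:
        return VENDOR_PROFILES[vendor]
    except KeyError:
        raise ValueError(f"no TACACS+ profile defined for vendor {vendor!r}")


def foreign_attributes(vendor: str, profile: dict) -> set:
    """Attributes in `profile` that this vendor's CLI does not consume;
    they are ignored or rejected by the NAD instead of granting access."""
    expected = set(VENDOR_PROFILES[vendor]["attributes"])
    return set(profile["attributes"]) - expected


def shell_access_expected(vendor: str, profile: dict) -> bool:
    """True only if the authorization reply carries the service this vendor
    asks for and every attribute it needs. Authentication can still succeed
    (hence the 'success' live log) while this returns False."""
    wanted = VENDOR_PROFILES[vendor]
    if profile["service"] != wanted["service"]:
        return False
    return set(wanted["attributes"]) <= set(profile["attributes"])


if __name__ == "__main__":
    for vendor in VENDOR_PROFILES:
        per_vendor = select_profile(f"All Device Types#{vendor}")
        print(vendor, "per-vendor profile ->", shell_access_expected(vendor, per_vendor),
              "| mixed profile ->", shell_access_expected(vendor, MIXED_PROFILE),
              "| foreign attrs in mixed:", foreign_attributes(vendor, MIXED_PROFILE))
```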
01-12-2024 06:51 AM
So you want to use ISE for both Juniper and Cisco admin authc and authz?
MHM
01-13-2024 11:01 AM - edited 01-13-2024 11:02 AM
> If I put various attribute values in one profile, can I set up TACACS of third-party equipment with just one profile?
No. As different vendors expect different sets of attributes, we need separate profiles for them. Cisco ISE Device Administration Prescriptive Deployment Guide would be a good start point in understanding how TACACS+ works.
01-14-2024 03:37 PM
Thank you for your answer.
If you set it up like the attached picture
The Juniper equipment has TACACS set and the Cisco equipment has no attribute value, so I think the Cisco equipment will be set as well.
Does that mean it isn't?
01-16-2024 06:49 AM
Where is the policy in which this result is called? Do both Juniper and Cisco devices hit this rule?
01-16-2024 07:12 AM
What I'm just curious about is whether it is possible to set TACACS on third-party equipment with that profile if you put attribute values for multiple third-party equipment (Juniper, Alteon, F5, etc.) in one TACACS profile.
01-16-2024 06:25 PM
This means that you have to use one TACACS profile for each vendor.
Do you know what will happen if you put multiple third-party equipment attribute values in one profile, like in my question?
01-16-2024 07:27 PM
Do you have any information about some of the equipment you mentioned?
01-16-2024 07:05 AM
I think this issue is about attributes.
Cisco uses specific attributes for login, and this is different for other vendors.
I am out of home now; you can check this point, and when I return I will make more searches and update you.
Thanks
MHM
01-16-2024 07:55 AM
The important attribute is service-type, which I think Juniper uses as standard,
and for other VSAs, check below.
MHM