cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
797
Views
5
Helpful
1
Replies

TACACS Proxy with ISE and separate authorization and authentication

lcruz2
Cisco Employee
Cisco Employee

My customer has his network devices being managed by an MSP. However, they still want to have a read-only access to all devices. We are wondering how this can be done with TACACS in ISE.

 

The scenario looks like this

 

Switch ----- ISE-MSP ---- ISE-CUSTOMER --- CUSTOMER-AD

 

Between the Switch and ISE-MSP, we are using TACACS to authenticate xxx@MSP.com users for network management

 

We would like to xxxx@customer.com users authenticate against the customer AD. However how can the MSP enforce a set of commands or privilege level? In Proxy mode, is there a way to make sure ISE-MSP either authorizes the commands or enforces a privilege level?

 

The MSP does not trust the customer will do the enforcing on ISE-CUSTOMER. Enforcement has to be done either on the switch or ISE-MSP. How can we achieve this?

 

The customer was thinking of splitting Authentication and Authorization steps in two different systems, but I don't think this can be done. Could a mix of TACACS from switch to ISE-MSP and Radius from ISE-MSP to ISE-CUSTOMER allow for this?

 

Basically what we are looking for:

  • MSP manages authC and AuthZ to switches
  • MSP manages his own users authentication
  • MSP enforces read-only access for Customer
  • CUSTOMER manages his own users authentication
  • No link between ISE-MSP and Customer-AD allowed
1 Reply 1

paul
Level 10
Level 10

I haven't tried this before, but can you setup the customer ISE as a RADIUS token proxy and use that as a Identity source in the TACACS rules.  It would be the same as doing an MFA solution so it should work.

 

Their authentication policy would look like:

   if username ends with @customer.com then send to RADIUS token server definition for the customer ISE deployment

   else send to MSP AD

 

Then in authorization

  if username ends with @customer.com then assign read-only access

  else assign access based on MSP AD group membership

 

When you use a RADIUS token server you just get an accept/deny back which is all the MSP needs.  Basically they are asking the customer ISE deployment "Is this username/password correct?"

 

On the customer ISE deployment they would define a policy set for requests sourced from the MSP ISE deployment.  Basically define a device type MSP PSN and then add the MSP PSNs in as network devices.  Setup a device type condition for the MSP PSN device type and use that for the policy set.  Then the customer can check AD and do whatever groups they want to allow access to the MSP managed routers.