Cisco Employee

Two questions about TACACS+: local password handling and log anonymization

Hi all,


My customer is looking to deploy ISE for device administration and has two questions:

1) They want to use the local database as an identity store. Now the question came up about password handling for local users. The question here is whether ISE has some kind of self-service portal where the local user could change/manage his/her password. I am not aware of such a portal. The only possibility I am aware of is to use the TACACS+ password change to do that, or to use the My Devices portal to build a workaround. Am I correct?

2) The customer is asking if it is possible to anonymize TACACS+ accounting to hide which user actually made a change.

Thanks in advance.

Roland

1 ACCEPTED SOLUTION

You can use the My Devices or Sponsor portal as a password change portal.

https://communities.cisco.com/thread/73087?start=0&tstart=0&mobileredirect=true

3 REPLIES
Contributor

Roland-

As for your questions, there is no "portal" to change passwords, but in ISE 2.x there are settings to allow password changes via the CLI. You will find them under the "Device Administration" work center (TACACS), then go to Settings.

The changes made by each account can only be abused if users share their passwords. As for the changes, these are the AAA accounting commands that record every change:

aaa accounting exec ISE-LOCAL start-stop group TACACS
aaa accounting commands 0 ISE-LOCAL start-stop group TACACS
aaa accounting commands 15 ISE-LOCAL start-stop group TACACS

These will capture the whole session as well as the changes. I use a syslog server to collect all these events, but you can also see them in the log buffer.

HTH-

Vince
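As an added example (not from the reply above or from Cisco documentation), here are those three accounting lines in the context of a complete IOS/IOS-XE TACACS+ device-administration configuration pointing at ISE. The server name ISE-PSN1, the address 192.0.2.10, the shared secret, the local fallback account and the `transport input ssh` line are placeholders I assumed; the group name TACACS and the method-list name ISE-LOCAL are taken from the reply. Two caveats a practitioner should know: `aaa accounting exec` only records session start/stop, and `aaa accounting commands <level>` only records commands entered at that exact privilege level, so a user who lands in user EXEC (level 1) and runs `show` commands there is not covered by the 0 and 15 lines alone. The example adds level 1 for that reason.

```ios
! Added example: full TACACS+ device-administration config for an IOS/IOS-XE
! device using ISE. Names, the address 192.0.2.10 and the keys are
! placeholders; the group TACACS and method list ISE-LOCAL match the thread.
aaa new-model
!
! Assumed ISE policy service node; replace the address and shared secret.
tacacs server ISE-PSN1
 address ipv4 192.0.2.10
 key ReplaceWithSharedSecret
 timeout 5
!
aaa group server tacacs+ TACACS
 server name ISE-PSN1
!
! Authenticate and authorize against ISE, falling back to the local
! user database only if every TACACS+ server is unreachable.
aaa authentication login ISE-LOCAL group TACACS local
aaa authorization exec ISE-LOCAL group TACACS local
aaa authorization commands 1 ISE-LOCAL group TACACS local
aaa authorization commands 15 ISE-LOCAL group TACACS local
! Also authorize commands entered in configuration mode.
aaa authorization config-commands
!
! Accounting: the three lines from the reply, plus privilege level 1 so
! that commands entered in user EXEC mode are recorded as well. Every
! record carries the authenticated username; the device sends it and
! ISE logs it, which is exactly what question 2 asks to hide.
aaa accounting exec ISE-LOCAL start-stop group TACACS
aaa accounting commands 0 ISE-LOCAL start-stop group TACACS
aaa accounting commands 1 ISE-LOCAL start-stop group TACACS
aaa accounting commands 15 ISE-LOCAL start-stop group TACACS
!
! Local fallback account, used only when ISE cannot be reached.
username admin privilege 15 secret ReplaceWithLocalSecret
!
! Apply the named method lists to the management lines; a list that is
! not bound to the line does nothing.
line vty 0 4
 login authentication ISE-LOCAL
 authorization exec ISE-LOCAL
 authorization commands 1 ISE-LOCAL
 authorization commands 15 ISE-LOCAL
 accounting exec ISE-LOCAL
 accounting commands 0 ISE-LOCAL
 accounting commands 1 ISE-LOCAL
 accounting commands 15 ISE-LOCAL
 transport input ssh
```

After applying this, `show tacacs` confirms the server is reachable, and the ISE TACACS Live Log shows one accounting record per command, each with the username, the device IP and the command string. Because the device populates the username field in every START/STOP record and ISE stores it as received, removing the user from the trail would have to happen on the ISE side, and the reply at the end of this thread notes that no such option is known.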


Best to ask separate questions so we can manage them and mark them accordingly.

I don't think you can anonymize TACACS+. It defeats the purpose of tracking who does what on a device. Can you please explain the use case?