
Two questions about Tacacs: Local Password handling and log anonymization

rmueller@cisco.com
Cisco Employee

Hi all,


My customer is looking to deploy ISE for device administration and has two questions:

1) They want to use the local database as an identity store. Now the question came up about password handling for local users. The question here is whether ISE has some kind of self-service portal where the local user could change/manage her/his password. I am not aware of such a portal. The only possibility I am aware of is to use TACACS+ password change to do that, or to use the mydevices-portal to build a workaround. Am I correct?

2) Customer is asking if it is possible to anonymize TACACS accounting to hide which user actually made a change?

Thanks in advance.

Roland

1 Accepted Solution

You can use the My Devices or Sponsor portal as a password change portal.

https://communities.cisco.com/thread/73087?start=0&tstart=0&mobileredirect=true

3 Replies

vrostowsky
Level 5

Roland-

As for your questions, there is no "portal" to change passwords, but in ISE 2.x there are settings to allow pw changes via CLI. You will find them under the "Device Administration" workcenter (TACACS), then go to settings.

The changes made by each account can only be abused if users share their passwords. As for the changes, this is the aaa accounting that records every change:

aaa accounting exec ISE-LOCAL start-stop group TACACS

aaa accounting commands 0 ISE-LOCAL start-stop group TACACS

aaa accounting commands 15 ISE-LOCAL start-stop group TACACS

These will capture the whole session as well as the changes. I use a syslog server to collect all these events, but you can also see them in the log buffer.

HTH-

Vince

You can use the My Devices or Sponsor portal as a password change portal.

https://communities.cisco.com/thread/73087?start=0&tstart=0&mobileredirect=true

Best to ask separate questions so we can manage them and mark accordingly.

I don’t think you can anonymize TACACS. It defeats the purpose of tracking who and what is done on a new device. Can you please explain the use case?
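
Added example, not part of the original thread: one way to approach the second question downstream of the syslog collector mentioned above is to pseudonymize the user field in copies of the accounting records, so reviewers see a stable token while a key holder can still attribute a change. The record layout, the `User=` field name and the key are assumptions; the sample lines are constructed and are not real ISE output.

```python
import hashlib
import hmac
import re

# Assumption: the collector stores accounting records as key=value text with a
# "User=" field. These lines are constructed samples, not real ISE output.
SAMPLE_LINES = [
    "2024-01-10T09:12:01Z rtr1 TACACS-ACCT Type=start User=alice Priv=15 Service=shell",
    "2024-01-10T09:12:40Z rtr1 TACACS-ACCT Type=stop User=alice Priv=15 Cmd=configure terminal",
    "2024-01-10T09:15:02Z sw7 TACACS-ACCT Type=stop User=bob Priv=15 Cmd=show running-config",
]

USER_FIELD = re.compile(r"\bUser=(\S+)")


def pseudonym(user: str, key: bytes) -> str:
    """Stable keyed token for a username (HMAC-SHA256, truncated to 12 hex chars)."""
    digest = hmac.new(key, user.lower().encode("utf-8"), hashlib.sha256).hexdigest()
    return "u-" + digest[:12]


def pseudonymize_line(line: str, key: bytes) -> str:
    """Replace only the User= value; the rest of the record is left untouched."""
    return USER_FIELD.sub(lambda m: "User=" + pseudonym(m.group(1), key), line)


def reidentify(token: str, known_users, key: bytes):
    """A key holder maps a token back by recomputing it for each known account."""
    for user in known_users:
        if hmac.compare_digest(pseudonym(user, key), token):
            return user
    return None


if __name__ == "__main__":
    key = b"constructed-demo-key"  # placeholder; a real key belongs in a secrets store
    for line in SAMPLE_LINES:
        print(pseudonymize_line(line, key))
```

The unmodified records stay on the restricted collector; only the pseudonymized copy is handed to a wider audience, and without the key a token cannot be tied to an account.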