Use ISE local users as fallback for External TACACS

EduardR
Level 1

Hi all,


I need to configure ISE to authenticate our users against a cluster of external TACACS servers (ACS), with the local users defined in ISE as a fallback mechanism in case the external servers are unreachable, but I can't find any documentation about this.


I have found how to configure local authentication for device administration (it is working), and how to configure the proxy sequence authentication for remote TACACS servers (working too), but I don't get how I can use the external TACACS servers (if reachable) and, if not, use the local users on the ISE.


Has someone managed to configure a similar setup? Any help will be appreciated.

5 Replies

Francesco Molino
VIP Alumni
Hi

On ISE, you can add an external TACACS server, but you can't do a fallback when the server is down. At least on version 2.2, there is no such option.
Can you give some details on what you want to achieve? Using ISE as a proxy TACACS, it means that all authz and accounting will be returned by ACS to ISE. Is that what you want to do, or simply leveraging a local ACS user database?
The thing is, when configuring an ISE policy set as a proxy sequence you won't be able to manage anything, as the remote TACACS server will be the "intelligent" server.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco,


The main idea is to keep using our ACS for authentication but with some type of fallback in case we lose both servers (suppose we lose the local user info too); we just thought that using the ISE as a middle point could help us with that (all devices authenticate against the ISE and the ISE proxies the authentication to the ACS or to the local user DB).


Now I think the fallback between the AAA servers is easier from the devices using multiple tacacs+ groups, but we have devices from other vendors that do not have that flexibility.

Gotcha. The thing is, when ISE is acting as a TACACS proxy it will just forward the request to your ACS and rely on ACS redundancy. The other option is to have both servers configured in the switch, as you said.

Sorry, but I don't have any workaround for you.
If it was just to use the ACS local user database, you could add an external RADIUS server on ISE and create an identity sequence with that RADIUS server and the local user database, but you would have to configure all your TACACS rules in ISE.

Last question, just for curiosity: why not migrate ACS to ISE directly?
Even creating 2 policy sets (1 as proxy and 1 as ISE identification), your switches' authentication will always go to the first match, with no redundancy as you expect.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Well, I think we'll go with the tacacs groups in the aaa configuration of the devices. Thank you for the help.


PS: We don't migrate because the ISE and the ACS are in two separate networks with different security requirements, but people expect that the ISE solution will back up the authz if the ACS goes bad.


Greetings!
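The device-side approach the thread settles on, written out as an added Cisco IOS example (not configuration from the thread or from either product): two TACACS+ server groups in a method list, with the local user database as the last resort. Server names, addresses (RFC 5737 documentation ranges), usernames and keys are placeholders.

```text
! Constructed example: ACS first, ISE second, local users last.
aaa new-model
!
tacacs server ACS-1
 address ipv4 192.0.2.10
 key ACS-SHARED-SECRET-PLACEHOLDER
 timeout 5
tacacs server ISE-1
 address ipv4 198.51.100.10
 key ISE-SHARED-SECRET-PLACEHOLDER
 timeout 5
!
aaa group server tacacs+ ACS-GROUP
 server name ACS-1
aaa group server tacacs+ ISE-GROUP
 server name ISE-1
!
! Method order is the fallback order. A later method is consulted only
! when the earlier group gives no response (unreachable/timeout), NOT when
! it rejects the user, so an explicit deny from ACS is final.
aaa authentication login default group ACS-GROUP group ISE-GROUP local
aaa authorization exec default group ACS-GROUP group ISE-GROUP local
! Local command authorization is privilege-level based only; the
! per-command policy on ACS/ISE does not apply while in fallback.
aaa authorization commands 15 default group ACS-GROUP group ISE-GROUP local
aaa accounting exec default start-stop group ACS-GROUP group ISE-GROUP
aaa accounting commands 15 default start-stop group ACS-GROUP group ISE-GROUP
!
! Break-glass account used only when both groups are unreachable.
username fallbackadmin privilege 15 secret LOCAL-PASSWORD-PLACEHOLDER
!
! Console stays on local credentials so a AAA outage cannot lock you out.
aaa authentication login CONSOLE local
line con 0
 login authentication CONSOLE
```

Verify the fallback by checking `show tacacs` for server state and by watching accounting records: logins that appear with no matching ACS/ISE accounting entry indicate the local account was used and should be investigated.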

Ok. If you need any further help, let me know.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question