
Using TACACS+ / RAIDUS for ISE CLI login

SMD28316
Level 1

So on the ISE CLI I found the option to enable TACACS+:

ise/admin(config)# aaa authentication tacacs+ server ?
<WORD> Server ip or hostname (Max Size - 31)

ise/admin(config)# aaa authentication tacacs+ server


Can I use TACACS+ for CLI login? I didn't find a useful document for this command. Also, can I use RADIUS instead? If not, I would like to know if there are plans to enable it in the future.

Accepted Solution

Meddane
VIP

@SMD28316 since ISE version 2.6, CLI access to ISE by an external identity store has been added.

ISE supports authentication of CLI administrators by external identity sources, such as Active Directory.


https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/release_notes/b_ise_26_RN.html#id_97053 


It is better to use TACACS to control CLI access rather than RADIUS. This is simply because RADIUS does not separate authentication and authorization, while TACACS does; in other words, RADIUS cannot manage per-command CLI authorization.


4 Replies


Arne Bier
VIP

@SMD28316  - RADIUS is a valid option for Device Admin in my opinion, if you don't need all that fancy command auth and command accounting that TACACS+ offers. It works great.

Use the following RADIUS authentication logic (notice the RADIUS attributes used in each case):

[Image: ISE RADIUS DEVICE ADMIN.PNG]


As for the results, you return the usual priv level 15 (or whatever you need) in the Cisco AV Pair. You might have to google that; I don't have a copy of what I used back in the day.
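The Cisco AV Pair mentioned above, as an added example that is not part of this thread or of any Cisco code: it builds the RADIUS Vendor-Specific attribute (type 26, vendor ID 9, sub-type 1 Cisco-AVPair) carrying shell:priv-lvl=15 and parses it back out of an attribute list, rejecting malformed lengths. The function names and the sample attribute bytes are my own constructions.

```python
import struct

ATTR_VENDOR_SPECIFIC = 26   # RADIUS Vendor-Specific attribute (RFC 2865)
CISCO_VENDOR_ID = 9         # IANA enterprise number for Cisco
CISCO_AVPAIR_TYPE = 1       # Cisco-AVPair vendor sub-attribute

def encode_cisco_avpair(value: str) -> bytes:
    """Encode one Cisco-AVPair VSA, e.g. 'shell:priv-lvl=15', as a RADIUS attribute."""
    data = value.encode("ascii")
    sub = struct.pack("!BB", CISCO_AVPAIR_TYPE, 2 + len(data)) + data
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    if 2 + len(body) > 255:
        raise ValueError("value too long for a single RADIUS attribute")
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body

def parse_attributes(blob: bytes) -> list:
    """Walk a RADIUS attribute list into (type, value) tuples; reject bad lengths."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        t, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        out.append((t, blob[i + 2:i + length]))
        i += length
    return out

def cisco_priv_level(blob: bytes):
    """Return the level from the first Cisco-AVPair 'shell:priv-lvl=N', else None."""
    for t, v in parse_attributes(blob):
        if t != ATTR_VENDOR_SPECIFIC or len(v) < 6:
            continue                      # not a VSA, or too short to hold a sub-attribute
        if struct.unpack("!I", v[:4])[0] != CISCO_VENDOR_ID:
            continue                      # some other vendor's VSA
        sub, j = v[4:], 0
        while j + 2 <= len(sub):
            st, sl = sub[j], sub[j + 1]
            if sl < 2 or j + sl > len(sub):
                raise ValueError("bad vendor sub-attribute length")
            if st == CISCO_AVPAIR_TYPE:
                text = sub[j + 2:j + sl].decode("ascii", "replace")
                if text.startswith("shell:priv-lvl="):
                    return int(text.split("=", 1)[1])
            j += sl
    return None
```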


Thank you.

Yes, I understand this, but can I use RADIUS for ISE CLI authentication? It doesn't seem to be available for now.

That is correct. Local CLI admin user or Active Directory only.