05-26-2022 05:21 AM
So on the ISE CLI I found the option to enable TACACS+:
ise/admin(config)# aaa authentication tacacs+ server ?
<WORD> Server ip or hostname (Max Size - 31)
ise/admin(config)# aaa authentication tacacs+ server
Can I use TACACS+ for CLI login? I didn't find a useful document for this command. Also, can I use RADIUS instead? If not, I would like to know if there are plans to enable it in the future.
05-26-2022 09:21 AM
@SMD28316 Since ISE version 2.6, CLI access to ISE by External Identity Store has been added.
ISE supports authentication of CLI administrators by external identity sources, such as Active Directory.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/release_notes/b_ise_26_RN.html#id_97053
It is better to use TACACS to control CLI access rather than RADIUS. This is simply because RADIUS does not separate authentication and authorization while TACACS does; in other words, RADIUS cannot manage per-command CLI authorization.
05-26-2022 10:41 PM
@SMD28316 - RADIUS is a valid option for Device Admin in my opinion, if you don't need all that fancy command auth and command accounting that TACACS+ offers. It works great.
Use the following RADIUS Authentication logic (notice the RADIUS Attributes used in each case)
As for the results, you return the usual priv level 15 (or whatever you need) in the Cisco AV Pair - might have to google that - I don't have a copy of what I used back in the day
05-27-2022 12:23 AM
Thank you,
Yes, I understand this, but can I use RADIUS for ISE CLI authentication? It doesn't seem available for now.
05-27-2022 05:25 AM
That is correct. Local CLI admin user or Active Directory only.