04-22-2022 04:28 AM
Good day! My question is how to use AD users to access network devices using ISE TACACS settings. I have a configuration with internal users and it works just fine.

On the ISE deployment I've created an internal user and included the user in the user group for network admins. I created the TACACS command set IOS_Full_Commands and the TACACS profile Network_Admins. My Device Admin Policy Set looks like: TACACS User IN Network Access UserName, allowed protocol is Default Device Admin. My Authentication Policy rule looks like: Default Internal Users. My Authorization Policy rule looks like: InternalUser IdentityGroup EQUALS User Identity Groups:Network_Admins, command set IOS_Full_Commands, shell profile Network_Admins.

Also, I've added my c2960 to Network Devices, enabled TACACS and entered the shared secret for TACACS. What should I change to make it work with AD users? Thanks in advance!
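For reference, here is the switch side of a TACACS+ device-administration setup like the one described above. This is an added example, not the poster's configuration or a Cisco-supplied one: the server name, group name, IP address, method-list name and shared secret are placeholders. The point for this thread is that none of it changes when the ISE policy set moves from internal users to AD users; the switch only ever talks to ISE. The security-relevant details are that the `local` fallback is listed after the ISE group (so a local account only works when ISE is unreachable), that command authorization is enforced per command rather than only at login, and that command accounting is sent so every privileged command is logged on ISE.

```cisco
! Added example (not from the original thread): IOS TACACS+ AAA for ISE device admin.
! Placeholder values: ISE-PSN1, 192.0.2.10, <shared-secret>, ISE, VTY.
aaa new-model

! Define the ISE policy service node as a TACACS+ server.
! The key must match the shared secret entered under Network Devices in ISE.
tacacs server ISE-PSN1
 address ipv4 192.0.2.10
 key <shared-secret>
 timeout 5

aaa group server tacacs+ ISE
 server name ISE-PSN1

! Authentication: ISE first, local database only if no ISE server answers.
aaa authentication login VTY group ISE local

! Exec (shell) authorization returns the shell profile (here Network_Admins).
aaa authorization exec VTY group ISE local if-authenticated

! Per-command authorization: each level 15 command is checked against the
! command set returned by ISE (here IOS_Full_Commands), including config mode.
aaa authorization commands 15 VTY group ISE local if-authenticated
aaa authorization config-commands

! Accounting: session start/stop and every privileged command go to ISE.
aaa accounting exec VTY start-stop group ISE
aaa accounting commands 15 VTY start-stop group ISE

! Break-glass local account, used only when the ISE group is unreachable.
username break-glass privilege 15 secret <local-password>

line vty 0 15
 login authentication VTY
 authorization exec VTY
 authorization commands 15 VTY
 accounting exec VTY
 accounting commands 15 VTY
```

Because the switch configuration is independent of the identity store, the AD change happens entirely in the ISE Device Admin policy set: the authentication rule selects the AD join point (or an identity source sequence that contains it) instead of Internal Users, and the authorization rule matches the user's AD external group instead of the internal identity group, while the command set and shell profile can stay as they are.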
04-22-2022 05:03 AM
First thing, if you didn't yet, is to join the ISE to AD.
Administration > Identity Management > External Identity Sources > Active Directory.
04-23-2022 10:28 AM
Thank you for the advice.
I joined AD.
Do I have to create Identity Users?
If I create a user with exact name from an AD group and select "Password" for this user from AD then it works and server checks the user password in AD. But I think I miss something.
Is there another way to point out users from AD group for TACACS in ISE?
04-23-2022 10:40 AM
Did you retrieve the groups from AD?
Which ISE version are you on?
This guide might help for version 2.0.
04-23-2022 09:58 PM
Yes, I did retrieve the groups from AD. We have ISE 3.0.
04-24-2022 02:49 AM
04-25-2022 01:05 AM - edited 04-25-2022 01:06 AM
Thank you! It did work for me!