cancel
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
2572
Views
10
Helpful
6
Replies

ISE Tacacs settings for AD users

extremal.v
Level 1
Level 1

Good day! My question is how to use AD users to access network devices using ISE TACACS settings. I have configuration with internal users and it works just fine. On ISE deployment I've created an internal user, included the user in to the user group for network admins. Created the Tacacs command sets - IOS_Full_Commands, Tacacs Profiles - Network_Admins. My Device Admin Policy set looks like: TACACS User IN Network Access UserName, allowed protocol is Default Device Admin. My Authentication Policy rule looks like: Default  Internal Users. My Authorization Policy rule looks like: InternalUser IdentityGroup EQUALS User Identity Groups:Network_Admins, command set IOS_Full_Commands, shell profile Network_Admins. Also I've added into the Network Devices my c2960, enabled the TACACS and entered the shared secret for TACACS. What should I change to make it work with AD users? Thanks in advance!

1 Accepted Solution
6 Replies 6

First thing, if you didnĀ“t yet, is join the ISE to AD.


Administration > Identity Management > External Identity Sources > Active Directory.

 

 

Thank you for an advice.

I joined AD.

Do I have to create Identity Users? 

If I create a user with exact name from an AD group and select "Password" for this user from AD then it works and server checks the user password in AD. But I think I miss something. 

Is there another way to point out users from AD group for TACACS in ISE?

Did you retrieved the groups from AD?

Which ISE version are you?

 

This guide might help for 2.0 version.

 

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200208-Configure-ISE-2-0-IOS-TACACS-Authentic.html#anc13 

Yes, I did retrieved the groups from AD. We have ISE 3.0.

Thank you! It did worked for me!

Review Cisco Networking for a $25 gift card