on 03-28-2025 02:17 PM
The Portuguese version of this Article can be found at: ISE - O que precisamos saber sobre TACACS+ .
When there are a limited number of Devices, keeping track of Administrators, Privileges or Configuration Changes can be easy. However, as the Network grows to tens, hundreds or even thousands of Devices, it becomes extremely complex to manage Devices without automation.
ISE provides the ability to automate Device Administration and Monitoring tasks with TACACS+ within a controlled GUI space.
The license that enables Device Administration (TACACS+) is the Device Admin License (L-ISE-TACACS-ND=).
Up until ISE 2.4, the Device Admin License was a single "Cluster License" that enabled TACACS+ on ALL PSNs, also known as the Classic Device Admin License. In ISE 2.6+, a separate license is required for each PSN on which you want to enable TACACS+, also known as the Node License. Both the Classic Device Admin License and the Node License are Perpetual Licenses. Customers with a Classic Device Admin License who upgrade to 2.4+ are entitled to receive the number of Node Licenses equivalent to the number of PSNs in their ISE Deployment. Device Administration (TACACS+) does not consume Endpoints, has no Network Devices limit, and does not require an Essentials License.
TACACS (Terminal Access Controller Access Control System) was designed to control access to UNIX terminals.
In the early 1990s, Cisco created TACACS+, an Open Standard protocol designed for Device Administration AAA (Authentication, Authorization and Accounting).
TACACS+ is supported by ISE 2.0+. Prior to ISE 2.0, TACACS+ was supported by Cisco Secure ACS (Access Control Server). Cisco Secure ACS has been discontinued and is no longer supported as of August 31, 2022.
| Resource | TACACS+ | RADIUS |
|---|---|---|
| Protocol & Port(s) | TCP: 49 | UDP: 1812 & 1813 (legacy: UDP: 1645 & 1646) |
| Security | Encrypts the entire Payload | Only hashes the Password field |
| Authentication & Authorization | Separates Authentication & Authorization | Combines Authentication & Authorization |
| Main use | Device Administration | Network Access |
The two main AAA protocols are TACACS+ and RADIUS. In a Large Deployment, it is recommended to maintain separate ISE Deployments for Device Administration (TACACS+) and Network Access (RADIUS). In a Small or Medium Deployment, SNS 3x15 nodes (32 GB RAM, e.g. SNS 3615 or SNS 3715) acting as PAN / MnT are recommended only for RADIUS-only or TACACS+-only deployments. ISE integration with Duo MFA for RADIUS and TACACS+ flows is supported in ISE 3.3 P1+.
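The "Security" row of the comparison is the one that matters most for a shared-secret deployment, so here is an added example (not code from this article or from Cisco ISE) that implements both mechanisms straight from their RFCs: the TACACS+ body obfuscation of RFC 8907 section 4.5, which XORs the entire packet body with an MD5-derived pad, and the RADIUS User-Password hiding of RFC 2865 section 5.2, which masks only that one attribute while User-Name and every other attribute travel as-is. The shared secret, session ID, Request Authenticator and packet fields are constructed sample values.

```python
import hashlib

# Constructed sample secret for the demonstration (not real deployment data).
SHARED_SECRET = b"example-shared-secret"


def tacacs_pseudo_pad(session_id: int, key: bytes, version: int,
                      seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5 pseudo-pad: a chain of MD5 digests over
    session_id || key || version || seq_no [|| previous digest],
    concatenated and truncated to the body length."""
    header = session_id.to_bytes(4, "big") + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(header + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_obfuscate(body: bytes, session_id: int, key: bytes,
                     version: int = 0xC0, seq_no: int = 1) -> bytes:
    """XOR the whole TACACS+ body with the pseudo-pad. XOR is its own
    inverse, so the same call both hides and reveals the body."""
    pad = tacacs_pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def radius_hide_password(password: bytes, secret: bytes,
                         authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to 16-byte blocks, then mask
    each block with MD5(secret || previous block), seeded by the
    Request Authenticator. Only this one attribute value is treated this way."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ m for a, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block          # chaining uses the *hidden* block
    return out


def radius_reveal_password(hidden: bytes, secret: bytes,
                           authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password; strips the null padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ m for a, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def demo() -> dict:
    """Run both mechanisms on constructed data and return what would be seen
    on the wire, so the difference in coverage is visible."""
    # Constructed TACACS+ authentication START body (RFC 8907 section 5.1
    # layout: action, priv_lvl, authen_type, authen_service, the four field
    # lengths, then user, port, rem_addr and data). Every byte is padded.
    user, port, rem_addr, data = b"admin", b"tty0", b"192.0.2.10", b"Secret!1"
    tacacs_body = (bytes([0x01, 15, 0x01, 0x01])
                   + bytes([len(user), len(port), len(rem_addr), len(data)])
                   + user + port + rem_addr + data)
    session_id = 0x1234ABCD                                  # constructed
    wire = tacacs_obfuscate(tacacs_body, session_id, SHARED_SECRET)
    restored = tacacs_obfuscate(wire, session_id, SHARED_SECRET)

    # RADIUS Access-Request: User-Name is an ordinary attribute, so only the
    # User-Password value is hidden; the username is sent unchanged.
    authenticator = bytes(range(16))      # constructed; real ones are random
    hidden_pw = radius_hide_password(data, SHARED_SECRET, authenticator)
    return {
        "tacacs_body": tacacs_body,
        "tacacs_wire": wire,
        "tacacs_roundtrip_ok": restored == tacacs_body,
        "radius_username_on_wire": user,
        "radius_password_on_wire": hidden_pw,
        "radius_roundtrip_ok": radius_reveal_password(
            hidden_pw, SHARED_SECRET, authenticator) == data,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

Two caveats worth keeping in mind when reading the table: RFC 8907 itself calls the TACACS+ mechanism "obfuscation" rather than encryption, and the protocol also defines an unencrypted flag that ISE logs and that should never be enabled on production devices; in both protocols the confidentiality of the credential rests entirely on the shared secret, so use long, random, per-device secrets and keep the AAA traffic inside a management network.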
To enable TACACS+ on Cisco ISE, in Administration > System > Deployment > select Policy Service > select Enable Device Admin Service on each PSN in your Deployment.
The Work Centers > Device Administration menu serves as a "starting point" to access all Device Administration (TACACS+) related pages.
The first Device Admin License enables Work Center > Device Administration.
To simplify the task of enabling the Device Administration service individually on each PSN in your Deployment, go to Work Centers > Device Administration > Overview > Deployment:
The default TACACS+ Port is 49. In the GUI, it is possible to change the default TACACS+ Port via the TACACS Ports option; TACACS Requests will be received by ISE on these Ports (maximum of 4 entries). In the CLI, it is not possible to change the default TACACS+ Port.
To access TACACS+ global settings, in Work Centers > Device Administration > Settings:
If Single Connect Support is disabled, Cisco ISE will use a new TCP connection for each TACACS+ Request; be aware of:
The allowed TACACS+ protocol types are: PAP/ASCII, CHAP and MS-CHAPv1 ... go to Work Centers > Device Administration > Policy Elements > Results > Allowed Protocols:
PAP/ASCII, CHAP and MS-CHAPv1, which are allowed in TACACS+, are disabled in RADIUS when FIPS Mode is enabled, in Administration > System > Settings > FIPS Mode:
TACACS+ CHAP Outbound Authentication is not supported.
In Work Centers > Device Administration > Policy Elements > Results:
Command Sets (Command Authorization) are a specific list of commands (in Wildcard or Regex format) that a Device Administrator is allowed to execute.
Command Sets are case insensitive.
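To make the wildcard/regex matching and the case-insensitivity rule concrete, here is an added Python evaluator for a command set (an illustration, not ISE's own matching engine). The first-match ordering, the "permit unlisted" default, the rule names and the sample help-desk rules are assumptions of this example, not ISE's documented precedence; the point it shows is that a permissive wildcard entry needs a more specific deny placed ahead of it, and that a deny written against the full command keyword should also cover the abbreviation the device may send.

```python
import fnmatch
import re
from dataclasses import dataclass, field
from typing import List


@dataclass(frozen=True)
class CommandRule:
    grant: str            # "permit" or "deny"
    command: str          # wildcard pattern for the command keyword, e.g. "show*"
    arguments: str = ".*" # regex that must match the remaining arguments


@dataclass
class CommandSet:
    """Ordered rules; the first rule whose command wildcard and argument
    regex both match decides. Unlisted commands fall back to the default.
    (Ordering and default are assumptions of this example.)"""
    rules: List[CommandRule] = field(default_factory=list)
    permit_unlisted: bool = False

    def evaluate(self, line: str) -> str:
        parts = line.strip().split(None, 1)
        if not parts:
            return "deny"
        cmd = parts[0]
        args = parts[1] if len(parts) > 1 else ""
        for rule in self.rules:
            # Case-insensitive: both sides are lowered before wildcard matching,
            # and the argument regex is compiled with IGNORECASE.
            if (fnmatch.fnmatchcase(cmd.lower(), rule.command.lower())
                    and re.fullmatch(rule.arguments, args, re.IGNORECASE)):
                return rule.grant
        return "permit" if self.permit_unlisted else "deny"


# Constructed sample: a read-only help-desk set. The specific deny for the
# running configuration sits before the broad "show*" permit, and "run.*"
# also catches the abbreviation "show run".
HELPDESK = CommandSet(
    rules=[
        CommandRule("deny", "show", r"run.*"),
        CommandRule("deny", "show", r"startup.*"),
        CommandRule("permit", "show*"),
        CommandRule("permit", "ping", r"\S+"),
        CommandRule("deny", "configure"),
    ],
    permit_unlisted=False,
)


def check(line: str) -> str:
    """Evaluate a command line against the sample set."""
    return HELPDESK.evaluate(line)


if __name__ == "__main__":
    for sample in ["SHOW Version", "show running-config | include password",
                   "show run", "show interfaces", "configure terminal",
                   "ping 192.0.2.1", "reload"]:
        print(f"{sample!r:45} -> {check(sample)}")
```

When troubleshooting, compare the decision the evaluator gives with the Command Authorization result in TACACS Livelog for the same command string; a mismatch almost always comes from rule order or from a pattern that was written for the expanded keyword only.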
TACACS Profiles control the initial Device Administrator login Session, where a Session refers to each individual Authentication, Authorization or Accounting request.
In Work Centers > Device Administration > Overview > TACACS Livelog:
and in Work Centers > Device Administration > Reports:
Please note the Bug IDs below:
Cisco Identity Services Engine Administrator Guide, Release 3.4 - Device Administration
Performance and Scalability Guide for Cisco Identity Services Engine
Rodrigo Diaz Cruz - Configuration and Troubleshoot of TACACS using ISE 3.3 - YouTube
Configure ISE 2.0 TACACS+ Authentication Command Authorization
Configure TACACS+ for Device Administration of Cisco WLC
Configure TACACS+ Authentication on CIMC with ISE Server
Configure Custom TACACS Role for Nexus 9K Using ISE 3.2
Configure APIC for Device Administration with ISE and TACACS+
Hi Marcelo,
I wanted to get your expert opinion on a topic related to ISE TACACS that we want to implement but not using DUO because of the cost. Do you have any article or suggested link where I can investigate about ISE TACACS with MFA? In the meantime, I will give a try to the following: https://community.cisco.com/t5/security-knowledge-base/duo-mfa-integration-with-ise-for-tacacs-device-administration/ta-p/3881767