Overview
Hello everyone, this is my first topic on Cisco ISE. I want to show you how to configure Cisco ISE as a TACACS+ server and a Cisco IOS router as a TACACS+ client.
Topology

Testing Scenario
- Configure a TACACS+ client on Router 1
- Authorize connections to the VTY lines
- Use ISE1 as the TACACS+ server
- Make sure console connections remain unaffected
- Enable command authorization on privilege levels 0, 1 and 7
- The only privilege level 7 command is "show running-config"
- Create 2 users for this case
- dadmin: authorized for all commands
- dpkl: authorized for privilege level 7 only
Configuration
R1
# enable AAA
aaa new-model
# configure the TACACS+ server
tacacs server ise
 address ipv4 167.205.196.79
 key Cisco123
# move "show running-config" down to privilege level 7
privilege exec level 7 show running-config
# authentication method lists: AUTHC goes to ISE, NO is used by the console
# so console access does not depend on the TACACS+ server
aaa authentication login AUTHC group tacacs+
aaa authentication login NO none
# authorization method lists; the names referenced on the lines below must match these
aaa authorization config-commands
aaa authorization exec AUTHZ group tacacs+
aaa authorization commands 7 CMD7 group tacacs+
# configuration-download authorization; the VTY lines do not reference this list
aaa authorization configuration config7 group tacacs+
aaa session-id common
line con 0
 logging synchronous
 login authentication NO
line vty 0 4
 authorization commands 7 CMD7
 authorization exec AUTHZ
 login authentication AUTHC
 transport input all
Cisco ISE
1. Enable the TACACS+ service
- Administration -> System -> enable Device Admin Service

2. Define the device that is allowed to use TACACS+
- Device Administration -> Network Resources -> Add

3. Define the policy elements
- Device Administration -> Results -> TACACS Profiles
Level 15

Level 7

4. Define the TACACS+ command sets
Level 7

Level 15

5. Define the policy set that applies both command sets

6. Don't forget to create the local users
- Device Administration -> Identities

Verification
dadmin user
- Log in with user dadmin; this user should get access to all commands

dpkl user
- Log in with user dpkl; this user should only get access to the show running-config command

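Before pushing the R1 configuration to a router, it is worth checking that every method list referenced under a line is actually defined, because once aaa new-model is on, a VTY pointing at a list that does not exist or a console that depends only on the TACACS+ server is the classic way to lock yourself out. The following is an added example that is not part of the original post or of Cisco's tooling: a small Python pre-flight check that parses the configuration as text. The sample configuration, the findings format and the assumption that IOS indents line subcommands with one space are all the example's own.

```python
"""Pre-flight check for an IOS AAA / TACACS+ configuration.

Added example (not Cisco's or ISE's code): parses the router configuration
as text, collects every named AAA method list defined globally, and verifies
that each list referenced under a `line` section exists with the matching
type. It also checks the scenario requirement that console logins must not
depend on the TACACS+ server alone.
"""
import re

# Globally defined method lists.
AAA_LOGIN_RE = re.compile(r"^aaa authentication login (\S+)\s+(.+)$")
AAA_AUTHZ_RE = re.compile(
    r"^aaa authorization (exec|configuration|network|commands \d+)\s+(\S+)\s+(.+)$"
)
# References to method lists inside a `line` section.
LINE_REF_RE = re.compile(
    r"^(login authentication|authorization exec|authorization commands \d+)\s+(\S+)$"
)

# Constructed sample: the R1 config from the post, including the console list
# "NO", but with the VTY lines still pointing at "config7", which is defined
# only as a `configuration` list, never as `exec` or `commands 7`.
SAMPLE_CONFIG = """\
aaa new-model
tacacs server ise
 address ipv4 167.205.196.79
 key Cisco123
privilege exec level 7 show running-config
aaa authentication login AUTHC group tacacs+
aaa authentication login NO none
aaa authorization config-commands
aaa authorization exec AUTHZ group tacacs+
aaa authorization commands 7 CMD7 group tacacs+
aaa authorization configuration config7 group tacacs+
aaa session-id common
line con 0
 logging synchronous
 login authentication NO
line vty 0 4
 authorization commands 7 config7
 authorization exec config7
 login authentication AUTHC
 transport input all
"""


def parse_method_lists(config):
    """Return {(list_type, name): [methods]} for every named AAA list."""
    lists = {}
    for raw in config.splitlines():
        text = raw.strip()
        m = AAA_LOGIN_RE.match(text)
        if m:
            lists[("login", m.group(1))] = m.group(2).split()
            continue
        m = AAA_AUTHZ_RE.match(text)
        if m:
            lists[(m.group(1), m.group(2))] = m.group(3).split()
    return lists


def parse_line_references(config):
    """Return [(line_name, list_type, list_name)] for lists used under `line` sections."""
    refs = []
    current = None
    for raw in config.splitlines():
        text = raw.strip()
        if text.startswith("line "):
            current = text[len("line "):]
            continue
        if not raw.startswith(" "):  # any other top-level command ends the section
            current = None
            continue
        m = LINE_REF_RE.match(text)
        if current is None or not m:
            continue
        kind = m.group(1)
        if kind == "login authentication":
            list_type = "login"
        else:
            list_type = kind[len("authorization "):]  # "exec" or "commands N"
        refs.append((current, list_type, m.group(2)))
    return refs


def check_config(config):
    """Return a list of findings; an empty list means the AAA references are consistent."""
    lists = parse_method_lists(config)
    findings = []
    for line_name, list_type, name in parse_line_references(config):
        methods = lists.get((list_type, name))
        if methods is None:
            findings.append(f"line {line_name}: {list_type} list '{name}' is not defined")
            continue
        # Scenario requirement: console access must not hinge on the TACACS+ server.
        if (line_name.startswith("con") and list_type == "login"
                and "none" not in methods and "local" not in methods):
            findings.append(f"line {line_name}: console login list '{name}' has no local fallback")
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG) or ["no AAA inconsistencies found"]:
        print(finding)
```

Run against the sample it reports the two VTY references to the undefined exec and commands-7 lists; after renaming them to AUTHZ and CMD7 the check comes back clean, and pointing the console at the AUTHC list (TACACS+ only) produces the console finding.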
Conclusions
- With TACACS+ we can centralize users for AAA purposes
- TACACS+ in ISE can also limit specific users to certain commands.
