Beyond the well known RADIUS service, Cisco ISE includes a module for performing TACACS+ authentication, authorization and accounting. Take into account that TACACS+ operation consumes appliance resources that might be needed for RADIUS, so depending on the size of your network infrastructure it could be advisable to deploy a dedicated appliance for this role and avoid interference between critical services.
Deployment considerations apart, let’s start with the configuration:
- Start by enabling the service on both PSNs:
- Configure the TACACS+ portion of each network device in the same way you did for RADIUS. Note that we enabled “Single Connection Mode” to optimize the number of TCP connections the protocol uses: a single connection is kept open instead of opening one connection per authorization request.
- Create the TACACS+ authorization result for the different groups you have in the organization. For documentation purposes we will create a profile called “IT Users”. Since the profile will apply to IOS, select “Shell” as the common task type. If it were aimed at a different platform such as NX-OS, choose Nexus instead.
- Set the privilege level the user will be granted when authenticated and the maximum privilege he/she can reach during the session (for example by starting an exec session). Finally, set the Idle Time after which the user session is locked.
- Create the TACACS+ command set that specifies which commands each group will be able to run. In this example a command set called “IT Users” is created and only “show” commands are allowed.
- Now, create an additional network device group called “OS” and classify each device by its OS type. As every OS has different command authorization rules, grouping by OS will help.
- Create a policy set for each different operating system.
- Configure each policy set to authenticate against the corresponding AD group and assign the “IT Users” authorization profile.
- Configure the network device:
```
aaa new-model
!
! TACACS+ servers (the ISE PSNs) and the server group that references them
tacacs server ise1
 address ipv4 10.254.2.53
 key xxxxxx
tacacs server ise2
 address ipv4 10.254.2.54
 key xxxxxx
aaa group server tacacs+ ISE-TACACS-GROUP
 server name ise1
 server name ise2
ip tacacs source-interface vlan 2
!
! Temporary safeguard so the vty lines cannot lock you out while the
! TACACS+ method lists are being applied; it is replaced by the
! "line vty" block at the end and should not remain in production
aaa authentication login failsafe none
line vty 0 15
 login authentication failsafe
!
! Authentication and authorization method lists: ISE first, local fallback
aaa authentication login TACACS-ISE group ISE-TACACS-GROUP local
aaa authorization exec TACACS-ISE group ISE-TACACS-GROUP local
aaa authorization config-commands
aaa authorization commands 0 TACACS-ISE group ISE-TACACS-GROUP local
aaa authorization commands 1 TACACS-ISE group ISE-TACACS-GROUP local
aaa authorization commands 7 TACACS-ISE group ISE-TACACS-GROUP local
aaa authorization commands 15 TACACS-ISE group ISE-TACACS-GROUP local
!
! Accounting must reference the server group, not the method-list name
! (corrected here: the original listing used "group TACACS-ISE")
aaa accounting exec default start-stop group ISE-TACACS-GROUP
aaa accounting commands 0 default start-stop group ISE-TACACS-GROUP
aaa accounting commands 1 default start-stop group ISE-TACACS-GROUP
aaa accounting commands 7 default start-stop group ISE-TACACS-GROUP
aaa accounting commands 15 default start-stop group ISE-TACACS-GROUP
!
! Apply the TACACS+ method lists to the vty lines (replaces "failsafe")
line vty 0 15
 login authentication TACACS-ISE
 authorization exec TACACS-ISE
 authorization commands 0 TACACS-ISE
 authorization commands 1 TACACS-ISE
 authorization commands 7 TACACS-ISE
 authorization commands 15 TACACS-ISE
end
```
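A common slip in AAA configurations like the one above is referencing a method-list name where a server group is expected (or a vty line pointing at a method list that was never defined), which silently leaves accounting or authorization not going to ISE. The following added example (not part of the original post) is a small pre-deployment check that parses the AAA section of an IOS configuration and reports dangling server-group and method-list references; the embedded sample configuration is constructed from this post, with the accounting lines deliberately left pointing at `TACACS-ISE` so the check has something to flag.

```python
import re
# Constructed sample: the AAA part of this post's IOS config, with the accounting lines
# pointing at "TACACS-ISE" (a method-list name) instead of the group "ISE-TACACS-GROUP".
SAMPLE_CONFIG = """\
aaa new-model
aaa group server tacacs+ ISE-TACACS-GROUP
 server name ise1
 server name ise2
aaa authentication login failsafe none
aaa authentication login TACACS-ISE group ISE-TACACS-GROUP local
aaa authorization exec TACACS-ISE group ISE-TACACS-GROUP local
aaa authorization config-commands
aaa authorization commands 15 TACACS-ISE group ISE-TACACS-GROUP local
aaa accounting exec default start-stop group TACACS-ISE
aaa accounting commands 15 default start-stop group TACACS-ISE
line vty 0 15
 login authentication TACACS-ISE
 authorization exec TACACS-ISE
 authorization commands 15 TACACS-ISE
"""

GROUP_DEF = re.compile(r"^aaa group server (?:tacacs\+|radius) (\S+)$")
METHOD_LIST = re.compile(r"^aaa (authentication|authorization|accounting) "
                         r"(login|exec|commands \d+) (\S+) (.+)$")
VTY_REF = re.compile(r"^\s+(login authentication|authorization) (?:exec |commands \d+ )?(\S+)$")
BUILTIN_GROUPS = {"tacacs+", "radius"}  # groups IOS provides without a definition

def check_aaa(config: str) -> list[str]:
    """Return findings for server-group or method-list references that resolve to nothing."""
    groups = set()
    lists = {k: {"default"} for k in ("authentication", "authorization", "accounting")}
    # Pass 1: collect defined server groups and the named method lists of each AAA function.
    for line in config.splitlines():
        if m := GROUP_DEF.match(line):
            groups.add(m.group(1))
        elif m := METHOD_LIST.match(line):
            lists[m.group(1)].add(m.group(3))
    # Pass 2: every "group X" in a method list and every vty reference must be defined.
    findings = []
    for line in config.splitlines():
        if m := METHOD_LIST.match(line):
            for ref in re.findall(r"\bgroup (\S+)", m.group(4)):
                if ref not in groups and ref not in BUILTIN_GROUPS:
                    findings.append(f"{line.strip()!r}: server group {ref!r} is not defined")
        elif m := VTY_REF.match(line):
            kind = "authentication" if m.group(1) == "login authentication" else "authorization"
            if m.group(2) not in lists[kind]:
                findings.append(f"{line.strip()!r}: {kind} method list {m.group(2)!r} is not defined")
    return findings
```

Running `check_aaa(SAMPLE_CONFIG)` reports the two accounting lines; after replacing `group TACACS-ISE` with `group ISE-TACACS-GROUP` it returns an empty list.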
Test invalid user authentication to make sure the login is not successful when the user does not exist or does not belong to the AD group.
Test valid user authentication:
Test the authorization results by running both authorized and unauthorized commands:
Since the user is not authorized to run any command other than “show” or “enable”, running “configure terminal” will not succeed: