Cisco ISE Security TACACS+

CISCO ISE: TACACS+ Configuration

Beyond the well-known RADIUS service, Cisco ISE includes a module (Device Administration, which needs its own license) for performing TACACS+ authentication, authorization and accounting. Keep in mind that TACACS+ consumes appliance resources that RADIUS may also need, so, depending on the size of your network infrastructure, it can be advisable to dedicate an appliance to this role and avoid interference between critical services.

Deployment considerations aside, let's start with the configuration:

  • Start by enabling the Device Admin Service on both PSNs (Administration > System > Deployment, edit each node).

  • Configure the TACACS+ section of each network device the same way you did for RADIUS (shared secret per device or device group). Note that we enabled "Single Connect Mode", which keeps a single TCP connection open to the device instead of opening one per authentication or authorization request. The device side has to be configured for single connection as well (the single-connection option under the TACACS server definition on IOS); otherwise the device keeps opening one connection per request regardless of the ISE setting.

  • Create the TACACS+ profile that will be the authorization result for each group in the organization. For the purposes of this document we will create a profile called "IT Users". Since the profile applies to IOS, select "Shell" as the Common Task type; if it were aimed at a different platform such as NX-OS, choose "Nexus" instead.

    Set the Default Privilege (the level the user is granted on login) and the Maximum Privilege (the highest level the user can reach during the session, for example by entering "enable"). Finally set the Idle Time, the inactivity timeout after which the session is closed.

  • Create the TACACS+ command set that specifies which commands each group is allowed to run. In this example a command set for the "IT Users" profile is created that permits only "show" commands (plus "enable", which the verification at the end relies on); leave "Permit any command that is not listed below" unchecked so that everything else is denied.

  • Now create an additional Network Device Group type called "OS" and classify each device by its operating system. Since each OS has different command authorization rules, grouping by OS keeps the policy sets clean.

  • Create a policy set for each operating system, using the "OS" device group as its condition.

  • In each policy set, authenticate against AD and, in the authorization policy, match the corresponding AD group to assign the "IT Users" shell profile and command set.

  • Configure the network device (IOS). Comment lines starting with "!" explain each block; the accounting lines reference the server group, since the original version pointed them at the login method list, which is not a valid server group:
aaa new-model
!
! The two ISE PSNs. single-connection reuses one TCP session per server and
! matches the Single Connect Mode enabled on the ISE side.
tacacs server ise1
 address ipv4 10.254.2.53
 key xxxxxx
 single-connection
!
tacacs server ise2
 address ipv4 10.254.2.54
 key xxxxxx
 single-connection
!
aaa group server tacacs+ ISE-TACACS-GROUP
 server name ise1
 server name ise2
!
! Source TACACS+ traffic from the management VLAN: ISE must see this address
! as the device IP, and the shared secret is only obfuscation, not strong crypto.
ip tacacs source-interface vlan 2
!
! Temporary fail-safe: while the TACACS+ method lists are being built, keep the
! VTYs on a "none" method so a typo cannot lock you out. It is replaced below
! and can be removed afterwards (no aaa authentication login failsafe none).
aaa authentication login failsafe none
!
line vty 0 15
 login authentication failsafe
!
! Authentication and authorization: ISE first, local database as fallback.
! The "local" fallback is only useful if a local privilege 15 user and an
! enable secret exist on the device.
aaa authentication login TACACS-ISE group ISE-TACACS-GROUP local
!
aaa authorization exec TACACS-ISE group ISE-TACACS-GROUP local
aaa authorization config-commands
aaa authorization commands 0 TACACS-ISE group ISE-TACACS-GROUP local
aaa authorization commands 1 TACACS-ISE group ISE-TACACS-GROUP local
aaa authorization commands 7 TACACS-ISE group ISE-TACACS-GROUP local
aaa authorization commands 15 TACACS-ISE group ISE-TACACS-GROUP local
!
! Accounting: the method list must point at the server group
! (ISE-TACACS-GROUP), not at the login method list (TACACS-ISE).
aaa accounting exec default start-stop group ISE-TACACS-GROUP
aaa accounting commands 0 default start-stop group ISE-TACACS-GROUP
aaa accounting commands 1 default start-stop group ISE-TACACS-GROUP
aaa accounting commands 7 default start-stop group ISE-TACACS-GROUP
aaa accounting commands 15 default start-stop group ISE-TACACS-GROUP
!
! Apply the ISE method lists to the VTYs, replacing the fail-safe list.
line vty 0 15
 login authentication TACACS-ISE
 authorization exec TACACS-ISE
 authorization commands 0 TACACS-ISE
 authorization commands 1 TACACS-ISE
 authorization commands 7 TACACS-ISE
 authorization commands 15 TACACS-ISE
!
end


  • Verification:

Test authentication with an invalid user, to confirm that login fails when the user does not exist or does not belong to the AD group.

Test authentication with a valid user.

Test the authorization result by running both authorized and unauthorized commands:

Since the user is authorized to run only "show" and "enable", "configure terminal" is rejected by the device with "Command authorization failed" while "show" commands go through. Every attempt, whether permitted or denied, appears as a separate authorization record in the TACACS Live Log in ISE (Operations > TACACS), which is the place to confirm that the right policy set, shell profile and command set were matched.
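The shared key and the Single Connect Mode used in the device configuration, and the command authorization exercised in the verification, look as follows on the wire. This is an added example written for this page, not code from the original post or from Cisco or ISE: it implements the TACACS+ header, the MD5 pseudo-pad body obfuscation and an authorization REQUEST exactly as RFC 8907 defines them, and then shows that only the correct shared key recovers the request the device sent. The user name "ituser", the key, the session id, the port and the remote address are constructed sample values.

```python
"""TACACS+ on the wire (RFC 8907): header, shared-key body obfuscation and a
command authorization REQUEST.  Added example, not from the original post;
every value in the sample below is constructed."""
import hashlib
import struct

# Header: version(1) type(1) seq_no(1) flags(1) session_id(4) length(4), network byte order
HEADER_FMT = "!BBBBII"
HEADER_LEN = struct.calcsize(HEADER_FMT)          # 12 bytes
TAC_PLUS_VERSION = (0xC << 4) | 0x0                # major 0xC, minor 0 -> 0xC0
TAC_PLUS_AUTHEN, TAC_PLUS_AUTHOR, TAC_PLUS_ACCT = 0x01, 0x02, 0x03
TAC_PLUS_UNENCRYPTED_FLAG = 0x01                   # body in clear; never in production
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04                # multiplex sessions over one TCP connection


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 chain from RFC 8907 s.4.5: MD5_n = MD5(session_id|key|version|seq_no|MD5_n-1)."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo pad; the same call both hides and reveals it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_author_request(user, priv_lvl, args, port=b"tty2", rem_addr=b"10.0.0.1"):
    """Authorization REQUEST body (RFC 8907 s.6.1), as a device sends it for command authorization."""
    authen_method, authen_type, authen_service = 0x06, 0x01, 0x01   # TACACSPLUS, ASCII, LOGIN
    fixed = struct.pack("!BBBBBBBB", authen_method, priv_lvl, authen_type, authen_service,
                        len(user), len(port), len(rem_addr), len(args))
    return fixed + bytes(len(a) for a in args) + user + port + rem_addr + b"".join(args)


def parse_author_request(body):
    """Inverse of build_author_request: recover user, privilege level and the AV pairs."""
    _, priv_lvl, _, _, ulen, plen, rlen, argc = struct.unpack("!BBBBBBBB", body[:8])
    arg_lens = list(body[8:8 + argc])
    pos = 8 + argc
    user = body[pos:pos + ulen]
    pos += ulen + plen + rlen                       # skip port and rem_addr
    args = []
    for n in arg_lens:
        args.append(body[pos:pos + n])
        pos += n
    return {"user": user, "priv_lvl": priv_lvl, "args": args}


def build_packet(pkt_type, seq_no, session_id, body, key, single_connect=True):
    """Prepend the header; obfuscate the body when a shared key is configured."""
    flags = TAC_PLUS_SINGLE_CONNECT_FLAG if single_connect else 0
    if key:
        payload = obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)
    else:
        flags |= TAC_PLUS_UNENCRYPTED_FLAG
        payload = body
    header = struct.pack(HEADER_FMT, TAC_PLUS_VERSION, pkt_type, seq_no, flags, session_id, len(body))
    return header + payload


def parse_packet(packet, key):
    """Parse the header and recover the body; a wrong key yields noise, not an error."""
    version, pkt_type, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length:
        raise ValueError("truncated TACACS+ packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        if not key:
            raise ValueError("obfuscated body but no shared key configured")
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"type": pkt_type, "seq_no": seq_no, "session_id": session_id,
            "single_connect": bool(flags & TAC_PLUS_SINGLE_CONNECT_FLAG), "body": body}


# Constructed sample: an IT user runs "show running-config"; the device asks ISE whether to allow it
KEY = b"xxxxxx"                                     # placeholder secret, as in the device config
SESSION_ID = 0x1234ABCD
ARGS = [b"service=shell", b"cmd=show", b"cmd-arg=running-config", b"cmd-arg=<cr>"]
REQUEST_BODY = build_author_request(b"ituser", 15, ARGS)
REQUEST_PKT = build_packet(TAC_PLUS_AUTHOR, 1, SESSION_ID, REQUEST_BODY, KEY)

if __name__ == "__main__":
    print(parse_author_request(parse_packet(REQUEST_PKT, KEY)["body"]))
    print("wrong key recovers body:", parse_packet(REQUEST_PKT, b"wrong-key")["body"] == REQUEST_BODY)
```

Two practitioner points follow from the code. The body is protected only by an MD5 key stream derived from the shared secret, with no integrity check, so a guessable key or TACACS+ traffic leaving the management VLAN exposes user names and every command typed; this is why the source interface in the device configuration is the management VLAN and why the key should be long and random rather than the placeholder shown. And the single-connect flag travels in every header, so both ISE and the device must agree on it for the connection reuse described earlier to happen.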
