ISE TACACS Configuration Template:
Layer-3 and Layer-2 switches: -
Define TACACS SERVER: -
(ISE-GROUP is the server-group name; use the same name in every aaa line that follows.)
aaa group server tacacs+ ISE-GROUP
 server-private <primary ISE server NODE IP> key <shared secret>
 server-private <secondary ISE server NODE IP> key <shared secret>
The shared secret must match the one entered for this device in ISE. It is typed in plaintext; with service password-encryption the running config shows it as a type-7 string, which is reversible obfuscation rather than encryption, so treat configuration backups as sensitive.
AAA Login Commands: -
Create a local privilege-15 user before entering aaa new-model: once AAA is enabled, a line that is not bound to a named list falls back to local authentication, and a switch with no local user can lock you out.
aaa new-model
aaa authentication login ISEauth group ISE-GROUP local
aaa authorization exec ISEauth group ISE-GROUP local if-authenticated
line vty 0 15
 login authentication ISEauth
 authorization exec ISEauth
"local" is consulted only when no server in ISE-GROUP answers, not when ISE rejects the login; "if-authenticated" lets an already authenticated user reach the exec shell if authorization itself cannot be completed.
AAA Command Authorization Config: -
With command authorization every command a user enters is sent to ISE for a permit/deny decision before the switch runs it, so you can both restrict and audit what is issued on the switch.
aaa authorization commands 1 default group ISE-GROUP local if-authenticated
aaa authorization commands 15 default group ISE-GROUP local if-authenticated
aaa authorization config-commands
These use the default list, so they apply to every vty. The console is exempt unless aaa authorization console is also configured, which keeps a recovery path if ISE is unreachable.
Login Accounting Logs sent to ISE server: -
"Exec accounting" records each user session at the shell prompt (who logged in and for how long); "command accounting" records the individual commands each user executes on the device.
aaa accounting exec default start-stop group ISE-GROUP
aaa accounting commands 1 default start-stop group ISE-GROUP
aaa accounting commands 15 default start-stop group ISE-GROUP
ASA Firewall Configuration: -
Define TACACS SERVER: -
· max-failed-attempts: - the number of consecutive failed connection attempts after which the ASA marks a server in the group as failed and moves on to the next one. The default value is three.
· reactivation-mode: - how a failed server is returned to service. There are two AAA server reactivation modes in ASA: timed mode (a failed server is retried after 30 seconds) and depletion mode (failed servers stay out of rotation until every server in the group has failed, after which all of them are reactivated once the deadtime expires).
aaa-server TACACS protocol tacacs+
 max-failed-attempts 3
 reactivation-mode timed
aaa-server TACACS (inside) host <primary ISE server NODE IP>
 timeout 5
 key <shared secret>
aaa-server TACACS (inside) host <secondary ISE server NODE IP>
 timeout 5
 key <shared secret>
The interface in parentheses is the one through which the ISE nodes are reached, and the server tag (TACACS here) must be spelled identically in every aaa line that references it.
AAA Login Commands: -
aaa authentication http console TACACS LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
aaa authentication telnet console TACACS LOCAL
aaa authentication serial console TACACS LOCAL
aaa authorization exec authentication-server
LOCAL is used only when no server in the TACACS group responds, not when ISE rejects the credentials, so keep a local administrator in the ASA user database for recovery. "authorization exec authentication-server" makes the ASA apply the privilege level returned by ISE to the session.
AAA Command Authorization Config: -
Every command is checked against ISE before the ASA runs it, so you can restrict and audit what is issued on the ASA.
aaa authorization command TACACS LOCAL
Login Accounting Logs sent to ISE server: -
aaa accounting telnet console TACACS
aaa accounting ssh console TACACS
aaa accounting command privilege 15 TACACS
The privilege value is a minimum level, so this records only privilege-15 commands; lower it if commands from lower privilege levels should be reported as well.
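As an added check covering both the switch and the ASA sections above (example code written for this page, not part of the template or of any Cisco tooling): the script below scans an exported running configuration and reports which of the template's controls are absent, whether both ISE nodes are defined, whether the switch keys are still stored in plaintext, and whether the vty lines actually bind the named lists. The required-line patterns, the function names audit_ios and audit_asa, and the two sample configurations are assumptions constructed for the example; the IPs and the key in them are placeholders.

```python
"""Audit an exported IOS or ASA config for the ISE TACACS+ controls in the
template above. Added example, not part of the template; the patterns encode
this template's own conventions (named list, server-private members, LOCAL
fallback) and the sample configs are constructed for illustration."""
import re
from typing import List, Tuple

# (description, line pattern): each pattern must match at least one config line
IOS_REQUIRED: List[Tuple[str, str]] = [
    ("aaa new-model", r"^aaa new-model$"),
    ("login list with ISE group and local fallback", r"^aaa authentication login \S+ group \S+ local$"),
    ("exec authorization with fallback", r"^aaa authorization exec \S+ group \S+ local if-authenticated$"),
    ("level-15 command authorization", r"^aaa authorization commands 15 default group \S+ local if-authenticated$"),
    ("config-mode command authorization", r"^aaa authorization config-commands$"),
    ("exec accounting", r"^aaa accounting exec default start-stop group \S+$"),
    ("level-15 command accounting", r"^aaa accounting commands 15 default start-stop group \S+$"),
]
ASA_REQUIRED: List[Tuple[str, str]] = [
    ("TACACS+ server group", r"^aaa-server \S+ protocol tacacs\+$"),
    ("SSH authentication with LOCAL fallback", r"^aaa authentication ssh console \S+ LOCAL$"),
    ("enable authentication with LOCAL fallback", r"^aaa authentication enable console \S+ LOCAL$"),
    ("privilege level taken from ISE", r"^aaa authorization exec authentication-server$"),
    ("command authorization with LOCAL fallback", r"^aaa authorization command \S+ LOCAL$"),
    ("SSH session accounting", r"^aaa accounting ssh console \S+$"),
    ("level-15 command accounting", r"^aaa accounting command privilege 15 \S+$"),
]


def _lines(config: str) -> List[str]:
    """Config lines with trailing whitespace, blank lines and '!' comments removed."""
    return [ln.rstrip() for ln in config.splitlines() if ln.strip() and not ln.lstrip().startswith("!")]


def _missing(lines: List[str], required: List[Tuple[str, str]]) -> List[str]:
    return [f"missing: {desc}" for desc, pat in required if not any(re.match(pat, ln) for ln in lines)]


def audit_ios(config: str) -> List[str]:
    """Findings for an IOS switch config; an empty list means it matches the template."""
    findings = _missing(_lines(config), IOS_REQUIRED)
    # server-private members sit indented under the group; a key token of 6 or 7
    # means the key is stored encrypted/obfuscated, anything else is plaintext
    servers = re.findall(r"^[ \t]+server-private (\S+) key (\S+)", config, re.M)
    if len(servers) < 2:
        findings.append(f"only {len(servers)} TACACS server(s); template expects a primary and a secondary ISE node")
    plain = [ip for ip, key in servers if key not in ("6", "7")]
    if plain:
        findings.append("plaintext TACACS key on " + ", ".join(plain) + "; enable service password-encryption")
    # named lists do nothing until a line binds them, so inspect every vty block
    seen_vty = False
    for m in re.finditer(r"^(line vty [^\n]*)\n((?:[ \t][^\n]*\n?)*)", config, re.M):
        seen_vty = True
        for needed in ("login authentication", "authorization exec"):
            if needed not in m.group(2):
                findings.append(f"{m.group(1)} does not apply '{needed}'")
    if not seen_vty:
        findings.append("no 'line vty' block found")
    return findings


def audit_asa(config: str) -> List[str]:
    """Findings for an ASA config; an empty list means it matches the template."""
    findings = _missing(_lines(config), ASA_REQUIRED)
    hosts = re.findall(r"^aaa-server (\S+) \(\S+\) host (\S+)", config, re.M)
    if len(hosts) < 2:
        findings.append(f"only {len(hosts)} TACACS host(s); template expects a primary and a secondary ISE node")
    if not re.search(r"^[ \t]+reactivation-mode (?:timed|depletion)$", config, re.M):
        findings.append("missing: reactivation-mode under the aaa-server protocol block")
    # every aaa-server line must use a tag that was created with 'protocol tacacs+'
    defined = set(re.findall(r"^aaa-server (\S+) protocol tacacs\+$", config, re.M))
    for tag in sorted(set(re.findall(r"^aaa-server (\S+)", config, re.M)) - defined):
        findings.append(f"aaa-server tag '{tag}' used but never defined with 'protocol tacacs+'")
    return findings


# Constructed sample (placeholder IPs/key): follows the switch template except that
# level-15 command accounting is absent and the keys have not been encrypted yet
IOS_CONFIG = """\
aaa new-model
aaa group server tacacs+ ISE-GROUP
 server-private 10.1.1.10 key SecretKey
 server-private 10.1.1.11 key SecretKey
aaa authentication login ISEauth group ISE-GROUP local
aaa authorization exec ISEauth group ISE-GROUP local if-authenticated
aaa authorization commands 15 default group ISE-GROUP local if-authenticated
aaa authorization config-commands
aaa accounting exec default start-stop group ISE-GROUP
aaa accounting commands 1 default start-stop group ISE-GROUP
line vty 0 15
 login authentication ISEauth
 authorization exec ISEauth
"""

# Constructed sample: follows the ASA template but with one ISE node and no command accounting
ASA_CONFIG = """\
aaa-server TACACS protocol tacacs+
 max-failed-attempts 3
 reactivation-mode timed
aaa-server TACACS (inside) host 10.1.1.10
 timeout 5
 key SecretKey
aaa authentication http console TACACS LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
aaa authentication serial console TACACS LOCAL
aaa authorization exec authentication-server
aaa authorization command TACACS LOCAL
aaa accounting ssh console TACACS
"""

if __name__ == "__main__":
    for name, result in (("switch", audit_ios(IOS_CONFIG)), ("ASA", audit_asa(ASA_CONFIG))):
        print(name, "findings:", *result, sep="\n  ")
```

Run it against saved show running-config output. An empty finding list only says the lines are present, not that ISE answers; confirm that on the device with test aaa group ISE-GROUP <user> <password> new-code on IOS and test aaa-server authentication TACACS host <ISE IP> username <user> password <password> on the ASA.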