Wednesday, February 10, 2021

Cisco ISE 2.7 Cisco switch TACACS configuration

Cisco switches TACACS configuration



! Primary and secondary ISE nodes; cisco123 is only a sample shared secret, replace it
! with the key configured for this device in ISE (key 0 = the key is entered in clear text)
tacacs-server host <primary ISE server IP> timeout 4 key 0 cisco123 single-connection
tacacs-server host <secondary ISE server IP> timeout 4 key 0 cisco123 single-connection
tacacs-server retransmit <tries>
!
aaa new-model
! "group tacacs+" is the built-in group containing every tacacs-server host defined above;
! a named "aaa group server tacacs+" can be used in its place
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! source TACACS+ traffic from the address ISE knows this device by; the vrf keyword is
! only needed when the ISE nodes are reached through a VRF
ip tacacs source-interface <source interface> vrf <vrf name>

Saturday, February 6, 2021

ISE 2.7 TACACS CONFIGURATION

ISE TACACS Configuration Template:

Layer-3 and Layer-2 switches: -

Define TACACS SERVER: -

ISE-GROUP is a server-group name of your choosing; the same name is referenced by every aaa command below.

aaa group server tacacs+ ISE-GROUP
 server-private <primary ISE server NODE IP> key <plain key>
 server-private <secondary ISE server NODE IP> key <plain key>

AAA Login Commands: -

aaa new-model
aaa authentication login ISEauth group ISE-GROUP local
aaa authorization exec ISEauth group ISE-GROUP local if-authenticated
line vty 0 15
 login authentication ISEauth
 authorization exec ISEauth

AAA Command Authorization Config: -

Command authorization lets you monitor and restrict the commands users issue on the switch: each command is checked against ISE before it is executed.

aaa authorization commands 1 default group ISE-GROUP local if-authenticated
aaa authorization commands 15 default group ISE-GROUP local if-authenticated
aaa authorization config-commands

Login Accounting Logs sent to ISE server: -

"Exec accounting" captures details about users accessing the shell prompt (the exec session from which all commands are run), while "command accounting" keeps track of which commands users execute on the Cisco device.

aaa accounting exec default start-stop group ISE-GROUP
aaa accounting commands 1 default start-stop group ISE-GROUP
aaa accounting commands 15 default start-stop group ISE-GROUP


ASA Firewall Configuration: -

Define TACACS SERVER: -

- max-failed-attempts: the number of consecutive connection failures after which the ASA marks a server in the group as failed; the default value is three.
- reactivation-mode: there are two different AAA server reactivation modes in ASA, timed mode and depletion mode. In timed mode a failed server is retried after 30 seconds; in depletion mode failed servers stay inactive until every server in the group has failed, after which all of them are reactivated together once the configured deadtime (default 10 minutes) expires.

aaa-server TACACS protocol tacacs+
 max-failed-attempts 3
 reactivation-mode timed
aaa-server TACACS (inside) host <primary ISE server NODE IP>
 timeout 5
 key <plain key>
aaa-server TACACS (inside) host <secondary ISE server NODE IP>
 timeout 5
 key <plain key>

AAA Login Commands: -

The trailing LOCAL keyword is the fallback: the ASA consults its local user database only when every server in the TACACS group is unreachable, not when ISE rejects the login.

aaa authentication http console TACACS LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
aaa authentication telnet console TACACS LOCAL
aaa authentication serial console TACACS LOCAL
aaa authorization exec authentication-server

AAA Command Authorization Config: -

Command authorization lets you monitor and restrict the commands users issue on the ASA.

aaa authorization command TACACS LOCAL

Login Accounting Logs sent to ISE server: -

aaa accounting telnet console TACACS
aaa accounting ssh console TACACS
aaa accounting command privilege 15 TACACS
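A small audit script, added here as an example and not part of the original post, that checks a saved running-config for the AAA lines the switch template (Layer-3 and Layer-2 switches) and the ASA template above require. The regexes, rule names and both sample configs are constructed for this example; group and method-list names are not verified, only that a line of the required shape exists.

```python
import re

# Added example, not from the original post: audit a saved running-config for the
# TACACS+ AAA lines the switch and ASA templates above require. Each rule is a
# (description, regex) pair matched against stripped config lines; names are not checked.
RULES = {
    "ios": [
        ("aaa new-model", r"^aaa new-model$"),
        ("login authentication via TACACS+ with local fallback",
         r"^aaa authentication login \S+ group \S+ local$"),
        ("exec authorization with local fallback and if-authenticated",
         r"^aaa authorization exec \S+ group \S+ local if-authenticated$"),
        ("level-15 command authorization", r"^aaa authorization commands 15 "),
        ("config-mode command authorization", r"^aaa authorization config-commands$"),
        ("exec accounting start-stop", r"^aaa accounting exec \S+ start-stop group "),
        ("level-15 command accounting", r"^aaa accounting commands 15 \S+ start-stop group "),
    ],
    "asa": [
        ("ssh authentication via TACACS+ with LOCAL fallback",
         r"^aaa authentication ssh console \S+ LOCAL$"),
        ("enable authentication via TACACS+", r"^aaa authentication enable console \S+"),
        ("command authorization via TACACS+", r"^aaa authorization command \S+"),
        ("privilege-15 command accounting", r"^aaa accounting command privilege 15 \S+"),
    ],
}

def audit_aaa(config_text, platform):
    """Return the descriptions of required AAA lines missing from config_text."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    return [desc for desc, pat in RULES[platform]
            if not any(re.match(pat, ln) for ln in lines)]

# Constructed sample: the switch template from this page, complete.
SWITCH_OK = """
aaa new-model
aaa authentication login ISEauth group ISE-GROUP local
aaa authorization exec ISEauth group ISE-GROUP local if-authenticated
aaa authorization commands 15 default group ISE-GROUP local if-authenticated
aaa authorization config-commands
aaa accounting exec default start-stop group ISE-GROUP
aaa accounting commands 15 default start-stop group ISE-GROUP
"""

# Constructed sample: an ASA that authenticates and accounts through ISE but never
# enforces command authorization, so every authenticated admin can run any command.
ASA_WEAK = """
aaa authentication ssh console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
aaa accounting command privilege 15 TACACS
"""
```

Run `audit_aaa(open("switch.cfg").read(), "ios")` against a config pulled with `show run`; an empty list means every required line is present.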

CISCO ISE 2.7 CHEAT SHEET

Cisco ISE 2.7 HANDY COMMANDS

ISE COMMANDS

sh app stat ise (show application status ise)    >> ISE services status

ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
Database Listener                      running          3424
Database Server                        running          77 PROCESSES
Application Server                     running          31299
Profiler Database                      running          4867
ISE Indexing Engine                    running          799
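A parser for the table above, added as an example (not from the original post) for anyone who wants to turn the status output into a monitoring check after a restart or patch. The sample output is constructed; the exact spelling of the "not running" and "disabled" states is an assumption about how ISE prints stopped services.

```python
import re

# Added example, not from the original post: parse the table printed by
# "show application status ise" (format as shown above) and flag services that
# are not running, e.g. for a monitoring check after a node restart or patch.
ROW = re.compile(
    r"^(?P<name>\S.*?)\s{2,}(?P<state>running|not running|disabled|initializing)"
    r"(?:\s{2,}(?P<pid>\S.*?))?\s*$"
)

def parse_ise_status(text):
    """Map each ISE process name to (state, process-id column or None)."""
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # the header, separator and blank lines do not match
            procs[m.group("name")] = (m.group("state"), m.group("pid"))
    return procs

def not_running(text, expected=("Database Server", "Application Server")):
    """Names from `expected` that are missing or in any state other than running."""
    procs = parse_ise_status(text)
    return sorted(p for p in expected if procs.get(p, ("missing",))[0] != "running")

# Constructed sample in the format shown above; the "not running" and "disabled"
# states are assumed to appear exactly as ISE prints them for stopped services.
SAMPLE = """\
ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
Database Listener                      running          3424
Database Server                        running          77 PROCESSES
Application Server                     not running
Profiler Database                      running          4867
AD Connector                           disabled
"""
```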

Backup database

 

 

To stop and start ISE services:

application stop ise
application start ise

admin# application stop ise

Stopping ISE Monitoring & Troubleshooting Log Collector...
Stopping ISE Monitoring & Troubleshooting Log Processor...

Start ISE:

admin# application start ise

show run   >>> running config

 

 

Repository

repository <repository name>
  url sftp://<ip address>/<home directory>

de1-poda/admin# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
node1-poda/admin(config)# repository <repository name>
node1-poda/admin(config-Repository)# url ftp://<ip address>/   (or sftp://)
node1-poda/admin(config-Repository)# user <username> password plain <password>
node1-poda/admin(config-Repository)# exit
node1-poda/admin(config)# exit

Prefer sftp over ftp: ftp sends the repository credentials and the backup file in clear text, while the encryption-key below only protects the contents of the backup archive itself.

backup <backup name> repository <repository name> ise-config encryption-key plain <password>

show repository <repository name>

 

 

Logs

admin# sh logging application appserver/catalina.out tail
admin# sh logging application replication.log tail

admin# sh logging
ADEOS Platform log:
-----------------
2019-11-19T00:45:01.846708-06:00 dfd-cscise01 logger: List of new hosts: 172.23.1.30 172.21.1.85 172.22.1.30 172.16.203.30 172.16.50.50
2019-11-19T00:45:01.863927-06:00 dfd-cscise01 logger: host is 172.16.50.50
2019-11-19T00:45:01.866095-06:00 dfd-cscise01 logger: Rule exists for 172.16.50.50 already
