Saturday, February 6, 2021

ISE 2.7 TACACS CONFIGURATION

ISE TACACS Configuration Template:


Layer-3 and Layer-2 switches: -

Define TACACS SERVER: -

aaa group server tacacs+ ISE-GROUP
 server-private <primary ISE server NODE IP> key <plain key>
 server-private <secondary ISE server NODE IP> key <plain key>

(ISE-GROUP is the server-group name; the same name must be used in every "group" reference below.)

AAA Login Commands: -

aaa new-model
aaa authentication login ISEauth group ISE-GROUP local
aaa authorization exec ISEauth group ISE-GROUP local if-authenticated

line vty 0 15
 login authentication ISEauth
 authorization exec ISEauth

AAA Command Authorization Config: -

With command authorization, ISE decides which commands a user may run, so you can monitor and restrict the commands that are issued on the switch (privilege levels 1 and 15 here); "config-commands" extends this to configuration-mode commands. "local if-authenticated" is the fallback when the ISE group is unreachable: local authorization is tried first, and then any authenticated user is allowed.

aaa authorization commands 1 default group ISE-GROUP local if-authenticated
aaa authorization commands 15 default group ISE-GROUP local if-authenticated
aaa authorization config-commands

Login Accounting Logs sent to ISE server: -

"Exec accounting" captures details about users accessing the shell prompt where all the commands are run; "command accounting" keeps track of which commands users execute on a Cisco device.

aaa accounting exec default start-stop group ISE-GROUP
aaa accounting commands 1 default start-stop group ISE-GROUP
aaa accounting commands 15 default start-stop group ISE-GROUP
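As an added check (not part of the original post), the following Python script audits a switch running-config against the switch template above: it verifies that every required AAA line references the same TACACS+ server group, flags server-private keys that are stored without type 6 or type 7 encryption, and confirms the vty lines actually reference the named login and exec lists. The sample running-config is constructed for the example.

```python
import itertools
import re
# Constructed sample running-config (not from any real device): it follows the switch
# template above but omits privilege-15 command authorization and leaves one key in plaintext.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server tacacs+ ISE-GROUP
 server-private 10.0.0.11 key SuperSecret
 server-private 10.0.0.12 key 7 0822455D0A16
aaa authentication login ISEauth group ISE-GROUP local
aaa authorization exec ISEauth group ISE-GROUP local if-authenticated
aaa authorization commands 1 default group ISE-GROUP local if-authenticated
aaa authorization config-commands
aaa accounting exec default start-stop group ISE-GROUP
aaa accounting commands 15 default start-stop group ISE-GROUP
line vty 0 15
 login authentication ISEauth
 authorization exec ISEauth
"""
# Global commands the template requires; {g} is filled with the TACACS+ group name.
REQUIRED = {
    "aaa new-model": r"^aaa new-model$",
    "login authentication list": r"^aaa authentication login \S+ group {g} local$",
    "exec authorization list": r"^aaa authorization exec \S+ group {g} local if-authenticated$",
    "command authorization level 1": r"^aaa authorization commands 1 default group {g} local if-authenticated$",
    "command authorization level 15": r"^aaa authorization commands 15 default group {g} local if-authenticated$",
    "config-commands authorization": r"^aaa authorization config-commands$",
    "exec accounting": r"^aaa accounting exec default start-stop group {g}$",
    "command accounting level 15": r"^aaa accounting commands 15 default start-stop group {g}$",
}
def audit_switch_aaa(config: str) -> list:
    """Return findings where the config deviates from the template; an empty list means compliant."""
    lines = config.splitlines()
    groups = [m.group(1) for ln in lines if (m := re.match(r"^aaa group server tacacs\+ (\S+)$", ln))]
    if not groups:
        return ["missing: TACACS+ server group"]
    g = re.escape(groups[0])  # every list/accounting command must reference this same group
    findings = [f"missing: {d}" for d, p in REQUIRED.items() if not any(re.match(p.format(g=g), ln) for ln in lines)]
    # A key with no encryption type (or type 0) sits in plaintext in the running-config.
    for ln in lines:
        km = re.match(r"^ server-private (\S+) key (?:(\d) )?\S+$", ln)
        if km and km.group(2) not in ("6", "7"):
            findings.append(f"plaintext key for server {km.group(1)}")
    # Named lists only take effect on lines that reference them: check the vty block.
    start = next((i for i, ln in enumerate(lines) if ln.startswith("line vty")), len(lines))
    vty = [ln.strip() for ln in itertools.takewhile(lambda s: s.startswith(" "), lines[start + 1:])]
    for cmd in ("login authentication", "authorization exec"):
        if not any(v.startswith(cmd) for v in vty):
            findings.append(f"vty line missing: {cmd}")
    return findings
```

Run it over the output of "show running-config | section aaa|line vty" saved from each switch to find devices that drifted from the template.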


ASA Firewall Configuration: -

Define TACACS SERVER: -

- max-failed-attempts: the number of failed connections to a server before the ASA marks it unresponsive. The default value is three.
- reactivation-mode: there are two different AAA server reactivation modes in ASA: timed mode and depletion mode.

aaa-server TACACS protocol tacacs+
 max-failed-attempts 3
 reactivation-mode timed
aaa-server TACACS (inside) host <primary ISE server NODE IP>
 timeout 5
 key <plain key>
aaa-server TACACS (inside) host <secondary ISE server NODE IP>
 timeout 5
 key <plain key>

AAA Login Commands: -

aaa authentication http console TACACS LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
aaa authentication telnet console TACACS LOCAL
aaa authentication serial console TACACS LOCAL
aaa authorization exec authentication-server

AAA Command Authorization Config: -

With command authorization, ISE decides which commands a user may run, so you can monitor and restrict the commands that are issued on the ASA; LOCAL is the fallback used only when the TACACS servers are unreachable.

aaa authorization command TACACS LOCAL

Login Accounting Logs sent to ISE server: -

aaa accounting telnet console TACACS
aaa accounting ssh console TACACS
aaa accounting command privilege 15 TACACS
