TACACS for Cisco IOS/ Cisco 9800 Wireless Controller

By 80211 80211Cisco 9800 Wireless, TACACS for Cisco IOS/ Cisco 9800 Wireless Controller

Add device to ISE

R3, R10 and R11 users must be authenticated via TACACS

Add devices to Cisco ISE

Define ISE command set.

  1. Allow all commands – for senior engineers
  2. Allow a limited subset of commands – for junior engineers

Define TACACS shell profile

Define ISE tacacs policy set – associate command sets and shell profiles to the respective rule

Verify users in Active Directory

Add TACACS server group and create the respective aaa auth list

R10-EDGE-ROUTER#show run | s aaa
enable aaa

aaa new-model

define tacacs server

tacacs server TACACS_SERVER_ISE
address ipv4 10.0.0.35
key 11216demo
timeout 5

define server group and tie it to the tacacs server
aaa group server tacacs+ NPLLC_TACACS_SG
server name TACACS_SERVER_ISE

create service list – example is login list


aaa authentication login NPLLC_AAA_LOGIN_LIST group NPLLC_TACACS_SG local

aaa authentication enable default group NPLLC_TACACS_SG enable

aaa authorization config-commands

aaa authorization exec NPLLC_AAA_LOGIN_LIST group NPLLC_TACACS_SG local

aaa authorization commands 0 NPLLC_AAA_LOGIN_LIST group NPLLC_TACACS_SG local

aaa authorization commands 1 NPLLC_AAA_LOGIN_LIST group NPLLC_TACACS_SG local

aaa authorization commands 15 NPLLC_AAA_LOGIN_LIST group NPLLC_TACACS_SG local
aaa session-id common
R10-EDGE-ROUTER#

Assign the list to line vty 0 – 4

R10-EDGE-ROUTER#show run | s line vty 0 4
line vty 0 4
password cisco
authorization commands 0 NPLLC_AAA_LOGIN_LIST
authorization commands 1 NPLLC_AAA_LOGIN_LIST
authorization commands 15 NPLLC_AAA_LOGIN_LIST
authorization exec NPLLC_AAA_LOGIN_LIST
login authentication NPLLC_AAA_LOGIN_LIST
transport input telnet ssh

Test aaa user login from cli of device

Test senior and jr engineer login:

Senior engineers should have full access to the devices – 0 restrictions. Verify user login – show users

Output below verifies that fclarke has full access to the IOS

Check Cisco ISE log to verify the session authentication/authorization

Verify jr admin session – limited access to the device

Verify AAA debug

reference doc(s) used in lab – Cisco AAA Identity Management Security – http://www.ciscopress.com/store/aaa-identity-management-security-9781587141447

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.