Add DNS entries for the Cisco 9800 Controllers
Add the Cisco 9800 Controllers to Cisco ISE
Configure the ISE TACACS+ Command Sets
Jr Engineer – Limited Access
Sr Engineers – Full Admin Access
Configure the ISE TACACS+ Profiles
Configure the ISE TACACS+ Policy Set
Cisco 9800 TACACS+ Configuration
1. Enable AAA new model
aaa new-model
2. Define the AAA TACACS+ Server
tacacs server AAA_TACACS_ISE
 address ipv4 10.0.0.37
 key Cisco123
 timeout 5
3. Define the AAA TACACS+ Server Group
aaa group server tacacs+ AAA_TACACS_ISE_SRVGRP
 server name AAA_TACACS_ISE
4. Define the AAA TACACS+ Authentication Login Lists for VTY, HTTP, and Console Access
aaa authentication login TACACS_VTY_LIST group AAA_TACACS_ISE_SRVGRP local
aaa authentication login TACACS_HTTP_LIST group AAA_TACACS_ISE_SRVGRP local
aaa authentication login NO_CONSOLE_AAA none
5. Define the AAA TACACS+ Authorization Exec & Commands
aaa authorization exec TACACS_VTY_LIST group AAA_TACACS_ISE_SRVGRP local if-authenticated
aaa authorization commands 0 TACACS_VTY_LIST group AAA_TACACS_ISE_SRVGRP local if-authenticated
aaa authorization commands 1 TACACS_VTY_LIST group AAA_TACACS_ISE_SRVGRP local if-authenticated
aaa authorization commands 15 TACACS_VTY_LIST group AAA_TACACS_ISE_SRVGRP local if-authenticated
6. Define the AAA TACACS+ Accounting Exec & Commands
aaa accounting exec TACACS_VTY_LIST start-stop group AAA_TACACS_ISE_SRVGRP
aaa accounting commands 0 TACACS_VTY_LIST start-stop group AAA_TACACS_ISE_SRVGRP
aaa accounting commands 1 TACACS_VTY_LIST start-stop group AAA_TACACS_ISE_SRVGRP
aaa accounting commands 15 TACACS_VTY_LIST start-stop group AAA_TACACS_ISE_SRVGRP
aaa accounting network TACACS_VTY_LIST start-stop group AAA_TACACS_ISE_SRVGRP
7. Configure the HTTP Login
ip http authentication aaa login-authentication TACACS_HTTP_LIST
ip http authentication aaa exec-authorization TACACS_VTY_LIST
ip http authentication aaa command-authorization 0 TACACS_VTY_LIST
ip http authentication aaa command-authorization 1 TACACS_VTY_LIST
ip http authentication aaa command-authorization 15 TACACS_VTY_LIST
8. Configure the source TACACS+ Interface
ip tacacs source-interface Vlan7
9. Configure the VTY & Console Lines Login
line vty 0 4
 password Cisco123
 authorization commands 0 TACACS_VTY_LIST
 authorization commands 1 TACACS_VTY_LIST
 authorization commands 15 TACACS_VTY_LIST
 authorization exec TACACS_VTY_LIST
 accounting commands 0 TACACS_VTY_LIST
 accounting commands 1 TACACS_VTY_LIST
 accounting commands 15 TACACS_VTY_LIST
 login authentication TACACS_VTY_LIST
 transport input ssh
line vty 5 20
 password Cisco123
 authorization commands 0 TACACS_VTY_LIST
 authorization commands 1 TACACS_VTY_LIST
 authorization commands 15 TACACS_VTY_LIST
 authorization exec TACACS_VTY_LIST
 accounting commands 0 TACACS_VTY_LIST
 accounting commands 1 TACACS_VTY_LIST
 accounting commands 15 TACACS_VTY_LIST
 login authentication TACACS_VTY_LIST
 transport input ssh
line con 0
 logging synchronous
 login authentication NO_CONSOLE_AAA
Test the TACACS+ Configuration
Jr Engineer Login
Sr Engineer Login
Verify that TACACS+ does NOT affect the console port
The TACACS+ configuration is good and it will be applied to all Cisco 9800 WLCs.
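Before rolling the same configuration out to every 9800, it is worth checking each controller's running config against this design rather than eyeballing it. The Python audit below is an added example, not part of the original post or any Cisco tooling; it parses the indented IOS-XE config text and reports deviations such as a VTY line missing its method-list bindings, a transport not restricted to SSH, a console line that is not exempt from AAA as intended, or a TACACS+ key stored in cleartext. The embedded sample config is a constructed re-typing of the relevant lines above.

```python
import re
# Constructed sample: the AAA, VTY and console lines of the 9800 config above, re-typed here.
SAMPLE_CONFIG = """\
aaa new-model
tacacs server AAA_TACACS_ISE
 key Cisco123
aaa authentication login TACACS_VTY_LIST group AAA_TACACS_ISE_SRVGRP local
aaa authentication login NO_CONSOLE_AAA none
line vty 0 4
 authorization commands 15 TACACS_VTY_LIST
 authorization exec TACACS_VTY_LIST
 accounting commands 15 TACACS_VTY_LIST
 login authentication TACACS_VTY_LIST
 transport input ssh
line con 0
 login authentication NO_CONSOLE_AAA
"""
# Sub-commands (prefix match) every VTY line needs for TACACS+ authorization/accounting to apply.
REQUIRED_VTY = ("login authentication", "authorization exec", "authorization commands 15", "accounting commands 15")
def parse_sections(config):
    # Map each parent command to its indented sub-commands; top-level lines are kept under "".
    sections, current = {"": []}, ""
    for raw in config.splitlines():
        if raw.startswith(" "):                  # IOS indents sub-mode commands with one space
            sections[current].append(raw.strip())
        elif raw.strip():
            current = raw.strip()
            sections.setdefault(current, [])
            sections[""].append(current)
    return sections
def audit(config):
    # Return a list of findings where the config deviates from the design shown above.
    s, findings = parse_sections(config), []
    if "aaa new-model" not in s[""]:
        findings.append("aaa new-model missing: per-line AAA method lists will not apply")
    login_lists = dict(re.findall(r"^aaa authentication login (\S+) (.+)$", config, re.M))
    for name, children in s.items():
        # "key <secret>" or "key 0 <secret>" is cleartext; "key 6/7 ..." is stored encrypted on the box
        if name.startswith("tacacs server") and any(re.fullmatch(r"key (?:0 )?\S+", c) for c in children):
            findings.append(f"{name}: shared secret is stored in plaintext")
        if name.startswith("line vty"):
            findings += [f"{name}: missing '{r}'" for r in REQUIRED_VTY
                         if not any(c.startswith(r) for c in children)]
            if "transport input ssh" not in children:
                findings.append(f"{name}: transport input is not restricted to ssh")
        if name.startswith("line con"):
            for c in children:
                if c.startswith("login authentication") and login_lists.get(c.split()[-1]) != "none":
                    findings.append(f"{name}: console is subject to AAA, contrary to the design")
    return findings
```

Run `audit()` over the output of `show running-config` pulled from each WLC; on the sample above the only finding is the cleartext `key`, which disappears once the secret is stored as `key 6`/`key 7`.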