Cisco 9800 Wireless 2024 – Phase 4 – DNS & TACACS+ Device Admin

Add DNS entries for the Cisco 9800 Controllers



Add the Cisco 9800 Controllers to Cisco ISE


Configure the ISE TACACS+ Command Sets

Jr Engineer – Limited Access

Sr Engineers – Full Admin Access


Configure the ISE TACACS+ Profiles


Configure the ISE TACACS+ Policy Set


Cisco 9800 TACACS+ Configuration

1. Enable AAA new model

aaa new-model


2. Define the AAA TACACS+ Server

tacacs server AAA_TACACS_ISE
 address ipv4 10.0.0.37
 key Cisco123
 timeout 5
 
3. Define the AAA TACACS+ Server Group

aaa group server tacacs+ AAA_TACACS_ISE_SRVGRP
 server name AAA_TACACS_ISE
 
4. Define the AAA TACACS+ Authentication Login Lists for VTY, HTTP, and Console Access

aaa authentication login TACACS_VTY_LIST group AAA_TACACS_ISE_SRVGRP local
aaa authentication login TACACS_HTTP_LIST group AAA_TACACS_ISE_SRVGRP local
aaa authentication login NO_CONSOLE_AAA none

5. Define the AAA TACACS+ Authorization Exec & Commands

aaa authorization exec TACACS_VTY_LIST group AAA_TACACS_ISE_SRVGRP local if-authenticated
aaa authorization commands 0 TACACS_VTY_LIST group AAA_TACACS_ISE_SRVGRP local if-authenticated
aaa authorization commands 1 TACACS_VTY_LIST group AAA_TACACS_ISE_SRVGRP local if-authenticated
aaa authorization commands 15 TACACS_VTY_LIST group AAA_TACACS_ISE_SRVGRP local if-authenticated

6. Define the AAA TACACS+ Accounting Exec & Commands

aaa accounting exec TACACS_VTY_LIST start-stop group AAA_TACACS_ISE_SRVGRP
aaa accounting commands 0 TACACS_VTY_LIST start-stop group AAA_TACACS_ISE_SRVGRP
aaa accounting commands 1 TACACS_VTY_LIST start-stop group AAA_TACACS_ISE_SRVGRP
aaa accounting commands 15 TACACS_VTY_LIST start-stop group AAA_TACACS_ISE_SRVGRP
aaa accounting network TACACS_VTY_LIST start-stop group AAA_TACACS_ISE_SRVGRP

7. Configure the HTTP Login 

ip http authentication aaa login-authentication TACACS_HTTP_LIST
ip http authentication aaa exec-authorization TACACS_VTY_LIST
ip http authentication aaa command-authorization 0 TACACS_VTY_LIST
ip http authentication aaa command-authorization 1 TACACS_VTY_LIST
ip http authentication aaa command-authorization 15 TACACS_VTY_LIST

8. Configure the source TACACS+ Interface

ip tacacs source-interface Vlan7

9. Configure the VTY & Console Lines Login

line vty 0 4
 password Cisco123
 authorization commands 0 TACACS_VTY_LIST
 authorization commands 1 TACACS_VTY_LIST
 authorization commands 15 TACACS_VTY_LIST
 authorization exec TACACS_VTY_LIST
 accounting commands 0 TACACS_VTY_LIST
 accounting commands 1 TACACS_VTY_LIST
 accounting commands 15 TACACS_VTY_LIST
 login authentication TACACS_VTY_LIST
 transport input ssh


line vty 5 20
 password Cisco123
 authorization commands 0 TACACS_VTY_LIST
 authorization commands 1 TACACS_VTY_LIST
 authorization commands 15 TACACS_VTY_LIST
 authorization exec TACACS_VTY_LIST
 accounting commands 0 TACACS_VTY_LIST
 accounting commands 1 TACACS_VTY_LIST
 accounting commands 15 TACACS_VTY_LIST
 login authentication TACACS_VTY_LIST
 transport input ssh

line con 0
 logging synchronous
 login authentication NO_CONSOLE_AAA


westdc9800-1#
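The nine steps above are easy to get subtly wrong on the second or tenth controller (a VTY line without its login list, a shared key that is also the line password, a console list that is `none` when it was not meant to be). The following script is an added example, not part of the original post or of any Cisco or ISE tooling: it parses IOS-XE style text the way `show running-config` prints it and reports the checks a reviewer would make against this TACACS+ device-admin design. The `SAMPLE_CONFIG` is a constructed, abridged copy of the configuration shown above (command levels 0 and 1, the accounting lines and the HTTP command-authorization lines are omitted for brevity); the finding codes and messages are this example's own naming, not ISE or IOS output.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: an abridged copy of the post's IOS-XE configuration.
SAMPLE_CONFIG = """\
aaa new-model
tacacs server AAA_TACACS_ISE
 address ipv4 10.0.0.37
 key Cisco123
aaa group server tacacs+ AAA_TACACS_ISE_SRVGRP
 server name AAA_TACACS_ISE
aaa authentication login TACACS_VTY_LIST group AAA_TACACS_ISE_SRVGRP local
aaa authentication login TACACS_HTTP_LIST group AAA_TACACS_ISE_SRVGRP local
aaa authentication login NO_CONSOLE_AAA none
aaa authorization exec TACACS_VTY_LIST group AAA_TACACS_ISE_SRVGRP local if-authenticated
aaa authorization commands 15 TACACS_VTY_LIST group AAA_TACACS_ISE_SRVGRP local if-authenticated
ip tacacs source-interface Vlan7
line vty 0 4
 password Cisco123
 authorization commands 15 TACACS_VTY_LIST
 authorization exec TACACS_VTY_LIST
 login authentication TACACS_VTY_LIST
 transport input ssh
line vty 5 20
 password Cisco123
 authorization commands 15 TACACS_VTY_LIST
 authorization exec TACACS_VTY_LIST
 login authentication TACACS_VTY_LIST
 transport input ssh
line con 0
 logging synchronous
 login authentication NO_CONSOLE_AAA
"""


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split IOS-style text into top-level lines and their indented children."""
    top: List[str] = []
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
            continue
        current = raw.rstrip()
        top.append(current)
        blocks.setdefault(current, [])
    return top, blocks


def audit_tacacs(text: str) -> List[Tuple[str, str]]:
    """Return (code, message) findings for a TACACS+ device-admin config."""
    top, blocks = parse_config(text)
    findings: List[Tuple[str, str]] = []
    if "aaa new-model" not in top:
        findings.append(("NO_AAA_NEW_MODEL", "aaa new-model missing; method lists are ignored"))
    if not any(l.startswith("ip tacacs source-interface ") for l in top):
        findings.append(("NO_SOURCE_INTERFACE", "no ip tacacs source-interface; ISE may see an unexpected NAD IP"))

    # Shared key per 'tacacs server' block, plus the server groups that are defined.
    keys: Dict[str, str] = {}
    for header, kids in blocks.items():
        if header.startswith("tacacs server "):
            name = header.split()[2]
            key = next((k.split(None, 1)[1] for k in kids if k.startswith("key ")), None)
            if key is None:
                findings.append(("NO_KEY", f"tacacs server {name} has no shared key"))
            else:
                keys[name] = key
    groups = {h.split()[4] for h in top if h.startswith("aaa group server tacacs+ ")}

    # Login method lists: name -> ordered methods, e.g. ['group', 'X', 'local'].
    lists: Dict[str, List[str]] = {}
    for line in top:
        m = re.match(r"aaa authentication login (\S+) (.+)", line)
        if m:
            lists[m.group(1)] = m.group(2).split()
    for name, methods in lists.items():
        for grp in (methods[i + 1] for i, t in enumerate(methods[:-1]) if t == "group"):
            if grp not in groups and grp not in ("tacacs+", "radius"):
                findings.append(("UNKNOWN_GROUP", f"list {name} references undefined group {grp}"))

    # Per-line checks: VTYs must authenticate and authorize via TACACS+, over SSH only.
    line_passwords = set()
    for header, kids in blocks.items():
        if not header.startswith("line "):
            continue
        line_passwords.update(k.split(None, 1)[1] for k in kids if k.startswith("password "))
        auth = next((k.split()[2] for k in kids if k.startswith("login authentication ")), None)
        if header.startswith("line vty"):
            if auth is None:
                findings.append(("VTY_NO_LOGIN_LIST", f"{header}: no login authentication list"))
            elif "group" not in lists.get(auth, []):
                findings.append(("VTY_NOT_TACACS", f"{header}: list {auth} never queries a server group"))
            for want in ("authorization exec ", "authorization commands 15 "):
                if not any(k.startswith(want) for k in kids):
                    findings.append(("VTY_NO_AUTHZ", f"{header}: missing '{want.strip()}'"))
            transport = next((k for k in kids if k.startswith("transport input ")), "transport input <not set>")
            if transport != "transport input ssh":
                findings.append(("VTY_TRANSPORT", f"{header}: '{transport}' is not SSH-only"))
        elif header.startswith("line con") and lists.get(auth) == ["none"]:
            findings.append(("CONSOLE_NO_AUTH", f"{header}: list {auth} is 'none'; confirm this is the intended out-of-band path"))
    for name, key in keys.items():
        if key in line_passwords:  # the same secret guards the TACACS+ transport and a local login
            findings.append(("KEY_REUSED", f"tacacs server {name} key is also used as a line password"))
    return findings


if __name__ == "__main__":
    for code, msg in audit_tacacs(SAMPLE_CONFIG):
        print(f"{code:20} {msg}")
```

Run it against a saved `show running-config` instead of `SAMPLE_CONFIG` to check every WLC before the design is rolled out. On the post's own configuration it reports two things: the console list is `none`, which is the intended out-of-band recovery path and should stay a conscious decision, and the TACACS+ shared key is the same string as the VTY line password, so the key should be unique and the line password retired once the `local` fallback account is in place.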

Test the TACACS+ Configuration

Jr Engineer Login


Sr Engineer Login


Verify that TACACS+ does NOT affect the console port


The TACACS+ configuration is good and it will be applied to all Cisco 9800 WLCs.

