R1, R4 and CORE-SWITCH
aaa new-model
username lab privilege 15 password 0 Cisco123
enable password Cisco123
tacacs server AAA_TACACS_ISE
 address ipv4 10.0.0.37
 key Cisco123
 timeout 5
aaa group server tacacs+ AAA_TACACS_ISE_SRVGRP
 server name AAA_TACACS_ISE
aaa authentication login TACACS_AAA_LIST group AAA_TACACS_ISE_SRVGRP local
aaa authentication login AAA_TACACS_HTTP group AAA_TACACS_ISE_SRVGRP local
aaa authentication enable default group AAA_TACACS_ISE_SRVGRP enable line
aaa authorization exec TACACS_AAA_LIST group AAA_TACACS_ISE_SRVGRP local if-authenticated
aaa authorization commands 0 TACACS_AAA_LIST group AAA_TACACS_ISE_SRVGRP local if-authenticated
aaa authorization commands 1 TACACS_AAA_LIST group AAA_TACACS_ISE_SRVGRP local if-authenticated
aaa authorization commands 15 TACACS_AAA_LIST group AAA_TACACS_ISE_SRVGRP local if-authenticated
aaa accounting exec TACACS_AAA_LIST start-stop group AAA_TACACS_ISE_SRVGRP
aaa accounting commands 0 TACACS_AAA_LIST start-stop group AAA_TACACS_ISE_SRVGRP
aaa accounting commands 1 TACACS_AAA_LIST start-stop group AAA_TACACS_ISE_SRVGRP
aaa accounting commands 15 TACACS_AAA_LIST start-stop group AAA_TACACS_ISE_SRVGRP
aaa accounting network TACACS_AAA_LIST start-stop group AAA_TACACS_ISE_SRVGRP
aaa session-id common
ip http authentication aaa login-authentication AAA_TACACS_HTTP
ip http authentication aaa exec-authorization TACACS_AAA_LIST
ip http authentication aaa command-authorization 0 TACACS_AAA_LIST
ip http authentication aaa command-authorization 1 TACACS_AAA_LIST
ip http authentication aaa command-authorization 15 TACACS_AAA_LIST
ip tacacs source-interface Loopback0
line vty 0 4
 password Cisco123
 authorization commands 0 TACACS_AAA_LIST
 authorization commands 1 TACACS_AAA_LIST
 authorization commands 15 TACACS_AAA_LIST
 authorization exec TACACS_AAA_LIST
 accounting commands 0 TACACS_AAA_LIST
 accounting commands 1 TACACS_AAA_LIST
 accounting commands 15 TACACS_AAA_LIST
 login authentication TACACS_AAA_LIST
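Added example, not part of the original listing: a Python check that cross-references the named AAA method lists defined globally against the lists applied under line vty and ip http, since a named list only takes effect where it is applied. The sample is an excerpt of the listing above with the server group name shortened to G; the function and variable names are this example's own.

```python
import re

# Excerpt of the listing above; the server group name is shortened to G.
CONFIG = """\
aaa authentication login TACACS_AAA_LIST group G local
aaa authentication login AAA_TACACS_HTTP group G local
aaa authentication enable default group G enable line
aaa authorization exec TACACS_AAA_LIST group G local if-authenticated
aaa authorization commands 15 TACACS_AAA_LIST group G local if-authenticated
aaa accounting exec TACACS_AAA_LIST start-stop group G
aaa accounting commands 15 TACACS_AAA_LIST start-stop group G
ip http authentication aaa login-authentication AAA_TACACS_HTTP
ip http authentication aaa exec-authorization TACACS_AAA_LIST
ip http authentication aaa command-authorization 15 TACACS_AAA_LIST
line vty 0 4
 authorization commands 15 TACACS_AAA_LIST
 authorization exec TACACS_AAA_LIST
 accounting commands 15 TACACS_AAA_LIST
 login authentication TACACS_AAA_LIST
"""

KIND = r"(login|enable|exec|network|commands \d+)"
DEFINE = re.compile(rf"aaa (authentication|authorization|accounting) {KIND} (\S+)")
APPLY = [  # (regex, builder) pairs for commands that reference a method list
    (r"(?:login authentication|ip http authentication aaa login-authentication) (\S+)$",
     lambda g: ("authentication", "login", g[0])),
    (rf"(authorization|accounting) {KIND} (\S+)$", lambda g: g),
    (r"ip http authentication aaa exec-authorization (\S+)$",
     lambda g: ("authorization", "exec", g[0])),
    (r"ip http authentication aaa command-authorization (\d+) (\S+)$",
     lambda g: ("authorization", f"commands {g[0]}", g[1])),
]

def applied_key(line):
    for pattern, build in APPLY:
        m = re.match(pattern, line)
        if m:
            return build(m.groups())

def audit(config):
    """Return (defined but never applied, applied but never defined)."""
    defined, applied = set(), set()
    for line in map(str.strip, config.splitlines()):
        m = DEFINE.match(line)
        if m:
            if m.group(3) != "default":  # 'default' lists apply without a reference
                defined.add(m.groups())
        elif (key := applied_key(line)):
            applied.add(key)
    return sorted(defined - applied), sorted(applied - defined)
```

On this excerpt, audit(CONFIG) reports the accounting exec list as defined but not applied under line vty, and no applied list that lacks a definition.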
ISE Config
1. Enable TACACS+ on the ISE node
System > Deployment > Edit the ISE node
2. Add the network devices
3. Create a TACACS command set
- Senior Engineers
- Junior Engineers
4. Create the TACACS Profile
- Priv 15 – Sr engineers
5. Create the device admin policy sets
6. Test configuration
- Jr engineer
- Sr engineer
- ISE verification
7. HTTP authentication