Cisco TACACS Base Config

Applied on R1, R4 and CORE-SWITCH:

! Enable the AAA subsystem; without this none of the method lists below take effect
aaa new-model
!
! Local account and enable password, used only when the TACACS+ group cannot be reached
! (type 0 = plaintext; lab credentials, shown exactly as used in this lab)
username lab privilege 15 password 0 Cisco123
enable password Cisco123
!
! ISE as TACACS+ server, plus the server group the method lists reference
tacacs server AAA_TACACS_ISE
 address ipv4 10.0.0.37
 key Cisco123
 timeout 5
!
aaa group server tacacs+ AAA_TACACS_ISE_SRVGRP
 server name AAA_TACACS_ISE
!
! Authentication: TACACS+ first, local database as fallback
aaa authentication login TACACS_AAA_LIST group AAA_TACACS_ISE_SRVGRP local
aaa authentication login AAA_TACACS_HTTP group AAA_TACACS_ISE_SRVGRP local
aaa authentication enable default group AAA_TACACS_ISE_SRVGRP enable line
!
! Authorization: exec shell plus per-command authorization at privilege levels 0, 1 and 15
aaa authorization exec TACACS_AAA_LIST group AAA_TACACS_ISE_SRVGRP local if-authenticated
aaa authorization commands 0 TACACS_AAA_LIST group AAA_TACACS_ISE_SRVGRP local if-authenticated
aaa authorization commands 1 TACACS_AAA_LIST group AAA_TACACS_ISE_SRVGRP local if-authenticated
aaa authorization commands 15 TACACS_AAA_LIST group AAA_TACACS_ISE_SRVGRP local if-authenticated
!
! Accounting: start-stop records for sessions and commands, sent to ISE
aaa accounting exec TACACS_AAA_LIST start-stop group AAA_TACACS_ISE_SRVGRP
aaa accounting commands 0 TACACS_AAA_LIST start-stop group AAA_TACACS_ISE_SRVGRP
aaa accounting commands 1 TACACS_AAA_LIST start-stop group AAA_TACACS_ISE_SRVGRP
aaa accounting commands 15 TACACS_AAA_LIST start-stop group AAA_TACACS_ISE_SRVGRP
aaa accounting network TACACS_AAA_LIST start-stop group AAA_TACACS_ISE_SRVGRP
!
aaa session-id common
!
! HTTP management uses the same lists; TACACS+ traffic is sourced from Loopback0
ip http authentication aaa login-authentication AAA_TACACS_HTTP
ip http authentication aaa exec-authorization TACACS_AAA_LIST
ip http authentication aaa command-authorization 0 TACACS_AAA_LIST
ip http authentication aaa command-authorization 1 TACACS_AAA_LIST
ip http authentication aaa command-authorization 15 TACACS_AAA_LIST
ip tacacs source-interface Loopback0
!
! Apply the method lists to the vty lines (remote CLI sessions)
line vty 0 4
 password Cisco123
 authorization commands 0 TACACS_AAA_LIST
 authorization commands 1 TACACS_AAA_LIST
 authorization commands 15 TACACS_AAA_LIST
 authorization exec TACACS_AAA_LIST
 accounting commands 0 TACACS_AAA_LIST
 accounting commands 1 TACACS_AAA_LIST
 accounting commands 15 TACACS_AAA_LIST
 login authentication TACACS_AAA_LIST
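
As an added check that is not part of the original post, the script below parses an IOS configuration in the shape shown above and reports the gaps a reviewer looks for: AAA not enabled, a login list without local fallback, type 0 plaintext credentials, and vty ranges that lack the TACACS+ login, command-authorization or accounting lists. The sample configuration and the function names (`split_blocks`, `audit_tacacs`) are mine; the sample deliberately includes a `line vty 5 15` range that was never given the lists, the usual gap when only `vty 0 4` is configured.

```python
# Constructed IOS excerpt modelled on the page's base config (not captured from a device);
# the "line vty 5 15" block is added on purpose to show a gap the audit should catch.
SAMPLE_CONFIG = """\
aaa new-model
username lab privilege 15 password 0 Cisco123
aaa authentication login TACACS_AAA_LIST group AAA_TACACS_ISE_SRVGRP local
line vty 0 4
 login authentication TACACS_AAA_LIST
 authorization commands 15 TACACS_AAA_LIST
 accounting commands 15 TACACS_AAA_LIST
line vty 5 15
 password Cisco123
"""

def split_blocks(config):
    # Group IOS config into (header, [indented children]); top-level lines get no children.
    blocks = []
    for line in filter(str.strip, config.splitlines()):
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def audit_tacacs(config):
    # Returns a list of findings; an empty list means every check passed.
    blocks = split_blocks(config)
    tops = [h for h, _ in blocks]
    findings = []
    if "aaa new-model" not in tops:
        findings.append("aaa new-model missing: AAA method lists are not in effect")
    login_lists = [h.split()[3] for h in tops if h.startswith("aaa authentication login ")]
    for h in tops:
        # A login list should end in a local fallback so a TACACS+ outage cannot lock admins out.
        if h.startswith("aaa authentication login ") and not h.endswith(" local"):
            findings.append(f"login list {h.split()[3]} has no local fallback")
        if (h.startswith("username ") and " password 0 " in h) or h.startswith("enable password "):
            findings.append(f"plaintext (type 0) credential: {h.split(' password')[0]}")
    for header, children in blocks:
        if header.startswith("line vty"):
            # Every vty range needs the lists applied; an extra range such as 5 15 is a classic gap.
            auth = [c.split()[2] for c in children if c.startswith("login authentication ")]
            if not auth or auth[0] not in login_lists:
                findings.append(f"{header}: no TACACS+ login authentication list applied")
            for kind in ("authorization", "accounting"):
                if not any(c.startswith(f"{kind} commands 15 ") for c in children):
                    findings.append(f"{header}: no privilege-15 command {kind}")
    return findings
```

Run it against `show running-config` output saved to a file; a clean result is an empty list.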

ISE Config

1. Enable TACACS+ on the ISE node

System > Deployment > Edit the ISE node

2. Add the network devices

3. Create a TACACS command set

  • Senior Engineers
  • Junior Engineers

4. Create the TACACS Profile

  • Priv 15 – Sr engineers

5. Create the device admin policy sets

6. Test configuration

  • Jr engineer
  • Sr engineer
  • ISE verification

7. HTTP authentication
