Cisco ISE Device Administration using TACACS+

-

In this article, I will cover network device administration using TACACS+ on Cisco’s Identity Services Engine. Accompanied with a video demonstration, I will also list the TACACS+ configuration required for Cisco’s ASAv.


Configure the Network Device/s

In the video demonstration, I have used the ASAv as the network device I would like ISE to administer. Follow the steps below to configure the ASAv.
aaa-server TACACS+ protocol tacacs+ (configures TACACS+ to be used with aaa)
aaa-server TACACS+ (DMZ) host 10.1.1.10 (tells the ASAv which interface ISE can be reached)
key Cisco123 (enter your TACACS+ key)
aaa authentication enable console TACACS+ LOCAL (authenticates enable prompt via TACACS+ with LOCAL authentication as fallback)
aaa authentication ssh console TACACS+ LOCAL (authenticates ssh via TACACS+ with LOCAL authentication as a fallback)
aaa authentication telnet console TACACS+ LOCAL (authenticates telnet via TACACS+ with LOCAL authentication as a fallback)
aaa authentication serial console TACACS+ LOCAL (authenticates serial via TACACS+ with LOCAL authentication as a fallback)
ciscoasa(config)# show run | include aaa (verify configuration)

Configure Cisco ISE

Navigate to: Administration >>> System >>> Deployment
Edit your node and check the box ‘Enable Device Admin Service’.
NOTE: As mentioned in the video demonstration, this is a licensed feature.

Navigate to: Administration >>> Network Resources >>> Network Devices
Navigate to: Work Centers >>> Device Administration >>> Policy Elements >>> (Left-hand pane) Results >>> TACACS profiles 

Navigate to: Work Centers >>> Device Administration >>> Policy Elements >>> (Left-hand pane) Results >>> TACACS Command Sets 

Navigate to: Work Centers >>> Device Administration >>> Device Admin Policy Sets

Verify Functionality

Navigate to: Operations >>> TACACS >>> Live Logs
Additionally, if you would like to enable command authorization, you can use the following configuration below.

Note: If command authorization is implemented wrong, you could end up locking yourself out of your devices.

Enabling Authorization


aaa authorization command TACACS+ LOCAL (allows command authorization to be configured for all administrators on all consoles)


aaa authorization exec authentication-server (uses the authenticating servers)
 

 

Kelvin Charles - Network and Cyber Security Professional.

Popular Posts

Capturing EAPOL and RADIUS Using Wireshark

-
Image
In this article we are going to take a look at how to capture Extensible Authentication Protocol Over LAN (EAPOL) and Remote Authentication Dial-In User Service (RADIUS) packets using Wireshark. This article can be useful for troubleshooting 802.1x within your environment and can also be used for learning purposes. The following topology has been used to gather the required output for this article. Note: This article will only cover the switch configurations that are required to gather EAPOL and RADIUS configuration. Overview of the Topology The supplicant is configured to perform 802.1x using EAP-TLS as the authentication method The user certificate on the supplicant will be used for authentication The supplicant has Wireshark installed Cisco ISE is used for authentication and authorisation The supplicant is assigned to VLAN 10 upon authentication and all other endpoint ports are assigned to VLAN 99 Sniffer device is running Wireshark in order to capture RADIUS flows via SPAN 802.1x ...
Read more

Remote Access VPN Authentication with Cisco ISE

-
Image
In this article I will walk through the steps that are required to configure the ASA for external authentication using Cisco ISE for remote access VPN users. This demonstration will use the following devices: Cisco ISE 2.4 Cisco ASA 9.8 Cisco AnyConnect 4.6 Test Laptop Server 2012 R2 Overview Cisco ISE can be used to authenticate remote access users terminating on a Cisco ASA. Before users gain access to the network, they are required to authenticate using a set of credentials, often certificate-based or by using a username and password. Based on the user authentication, Cisco ISE can be used to determine which tunnel-group the user should be placed within. Change of Authorization (CoA) is supported from ASA version 9.2.1, this allows for ISE to perform things such as posturing. Although not the main focus of this article, Cisco ISE can also be used to apply things such as Dynamic Access Control Lists (dACL’s) based on matched authorization policies. Demonstration Topology In this demo...
Read more

Configuring Cisco Smart License Software

-
In this article, I would like to demonstrate how to configure Cisco Smart Licensing on the virtual Cisco Adaptive Security Appliance (ASAv). This post assumes that readers already have access to there own Smart Account and would like to know the process of applying licenses. Step 1: Generate ID Token Sign into your Cisco Software Portal: software.cisco.com and navigate to “Smart Software Licensing” You will now need to create an ID token for your device, this is required for communication between the device and the licensing authority. Follow the steps below to create a new token. Click Inventory >>> General >>> New Token and select your preferred options and enter a description for your token. Once you are happy with your token settings click Create Token . You should now have a token created which can be copied over to the device you wish to license. All commands and output from this point will be related to the ASA so please seek out further advice if you w...
Read more

Installing Cisco Context Directory Agent

-
Image
In this article we will take a look at how to install the Cisco Context Directory Agent (CDA) for use with Identity Based Firewalls. In this demonstration, we will be installing CDA using VMware ESXI. A few important things to note: VMXNET 2 & 3 Interfaces are not supported and E1000 types must be used Resource requirements will depend on the intended use of CDA. In this demonstration we are using the minimum recommended requirements which will be covered below. CDA must be able to communicate with Active Directory domain controllers, devices that are going to interact with CDA and any Syslog servers that will be used. CDA communicates with domain controllers on RPC 135 initially before domain controllers establish connectivity on higher ports dynamically. Resource specification used as per recommended minimum hardware requirements for VMware: 2 Virtual Processors 2GB RAM (We are using 4GB RAM for this demonstration) 120GB HD Space E1000 NIC Linux 64-Bit Other OS Once powered on se...
Read more

Installing Cisco Configuration Professional Express

-
Image
In this article we are going to take a look at how to install Cisco Configuration Professional Express. Prerequisites Ensure that you have compatible Cisco devices that support CCP Step 1. Download CCP from the  Cisco website  and unzip the folder (CCP Express is FREE) Step 2. Download a TFTP server of your choice – in my example I selected Solarwinds Step 3. Select the correct directory on the TFTP server and ensure the Cisco files downloaded previously are reachable from that directory Step 4. Configure your end device so that it is reachable from the Cisco device Step 5. Configure the Cisco device – the following configurations are taken from my lab example:   username wizkid privilege 15 secret algorytm-type scrypt  PASSWORD interface GigabitEthernet1 ip address 192.168.50.254 255.255.255.0 ip domain name cisco.com hostname R1 ip http server ip http authentication local ip http secure-server   You don’t have to generate RSA keys but if you choose to, the ...
Read more