ISE Lab Guide Part 01

The document provides instructions for configuring ISE and a Cisco switch for RADIUS authentication, TrustSec, and other access control methods. Key steps include installing and configuring ISE, configuring the switch for RADIUS and 802.1x authentication using ISE, enabling TrustSec and assigning security group tags, and applying security group ACLs.

Uploaded by hussamm0177

ISE 3.0 Lab Guide
Part 01
❑ ISE Install
❑ Console into ISE-3.0 and Start Setup
❑ RADIUS – Implementing Secure Wired Differentiated Access
❑ Configure the Switch for Radius
❑ Configure NAD (Network Access Device) in ISE – [From the wkst1 device]
❑ Configure AD External Identity Store
❑ Create the ISE policy set
❑ Authorize the Switch for TrustSec Enforcement
❑ Configure New Security Group and Assign IP Security Group Tag (SGT) Static Mapping
❑ Configure and apply security group ACLs (SGACL)
❑ TACACS+ - Restricting Switch Commands and Differentiated Access
❑ Create a second TACACS profile for a non-admin account
❑ Build the TACACS Command Sets for both Network_Admin and Network-Viewer accounts
❑ Build your TACACS+ policy set
ISE Install
Console into ISE-3.0 and Start Setup
Let this run as you move on to the next scenario. The initial set up process and database build takes about
20-40 minutes.

RADIUS – Implementing Secure Wired Differentiated Access

Remember the fundamentals: 802.1X is the standard for port-based authentication, and it uses RADIUS as the protocol that carries the authentication between the switch and ISE.
This scenario covers all the ways of providing differentiated access. The focus is on wired; however, the same principles apply to wireless as well. Recall that you have the following access control and restriction methods available to you within ISE: VLAN, Downloadable Access Control List (dACL), Security Group Tags (SGT), and Security Group ACLs (SGACL). You will become familiar with each method and the combinations thereof.

Configure the Switch for Radius


Step 1 RDP to the Jump Host (wkst1) if not already in there. Then select mRemoteNG on the taskbar
Example:

Step 2 Select the 9300-1 Switch, log in with C1sco12345, and begin configuring the switch with the following
commands.
Note A base configuration is applied to the switch to ensure connectivity for the ISE install in Lab 1.
• Initial config already applied:
• hostname c9300-1
• ip routing
• interface GigabitEthernet1/0/48
• description Connection 4331 – Gi0/0/1
• no switchport
• ip address 198.19.1.2 255.255.255.252
• ip ospf 1 area 0

Initial Configuration and SSH

c9300-1(config)# enable password C1sco12345
    Sets the enable password
c9300-1(config)# ip domain-name dcloud.cisco.com
    Specifies dcloud.cisco.com as the domain name
c9300-1(config)# ip name-server 198.18.133.1
    Configures the DNS server
c9300-1(config)# interface vlan 10
    Configures the VLAN 10 SVI
c9300-1(config-if)# ip address 198.18.10.1 255.255.255.0
    Configures the VLAN 10 IP address
c9300-1(config-if)# ip ospf 1 area 0
    Advertises the VLAN 10 subnet in OSPF
c9300-1(config-if)# no shut
    Enables the VLAN 10 SVI
c9300-1(config)# ip dhcp snooping
    Enables DHCP snooping globally
c9300-1(config)# ip dhcp snooping vlan 10
    Enables DHCP snooping on your VLAN 10
c9300-1(config)# no ip dhcp snooping information option
    Stops the switch from inserting option 82 into the DHCP request packets it relays
c9300-1(config)# ntp authenticate
    Enables the NTP authentication feature (NTP authentication is disabled by default)
c9300-1(config)# ntp master 1
    Configures the switch as an NTP source (used for ISE)
c9300-1(config)# ntp server 198.18.133.1 prefer source gi1/0/48
    Configures the AD server as the preferred NTP source and specifies your gi1/0/48 interface as the source interface

Configuring AAA and 802.1X

c9300-1(config)# aaa new-model
    Enables AAA globally
c9300-1(config)# dot1x system-auth-control
    Globally enables 802.1X port-based authentication
c9300-1(config)# device-tracking policy AAA
    Creates a device tracking policy called AAA (device tracking is needed for dACL assignment)
c9300-1(config-device-tracking)# tracking enable
    Enables device tracking for the newly created AAA policy
c9300-1(config-device-tracking)# exit
    Exit

AAA for Radius

c9300-1(config)# aaa group server radius ISE_RADIUS
    Defines the AAA server group with the group name ISE_RADIUS
c9300-1(config-sg-radius)# server name ISE_RADIUS
    Defines the AAA server to be used (referenced later in the config)
c9300-1(config-sg-radius)# exit
    Exit
c9300-1(config)# aaa server radius dynamic-author
    Enters dynamic authorization local server configuration mode, where you specify the RADIUS clients from which the device accepts Change of Authorization (CoA) and disconnect requests
c9300-1(config-locsvr-da-radius)# client 198.18.133.28 server-key C1sco12345
    Configures the RADIUS server IP and the key shared between the device and the RADIUS client
c9300-1(config-locsvr-da-radius)# auth-type any
    Specifies the type of authorization the device must use for RADIUS clients; the client must match the configured attributes for authorization
c9300-1(config-locsvr-da-radius)# exit
    Exit
c9300-1(config)# radius server ISE_RADIUS
    Specifies "ISE_RADIUS" as the RADIUS server name
c9300-1(config-radius-server)# address ipv4 198.18.133.28 auth-port 1812 acct-port 1813
    Specifies the IP address as well as the default authentication and accounting ports
c9300-1(config-radius-server)# pac key C1sco12345
    Specifies the PAC key (will need to match the shared secret in ISE)
c9300-1(config-radius-server)# exit
    Exit
c9300-1(config)# ip radius source-interface gi1/0/48
    Specifies your upstream gi1/0/48 interface as the RADIUS source interface
c9300-1(config)# aaa authentication dot1x default group ISE_RADIUS
    Specifies that RADIUS servers are used for authentication on interfaces running IEEE 802.1X
c9300-1(config)# aaa authorization network default group ISE_RADIUS
    Specifies the default authorization for all network-related service requests from RADIUS servers
c9300-1(config)# aaa authorization auth-proxy default group ISE_RADIUS
    Uses the auth-proxy keyword to enable authentication proxy for AAA methods
c9300-1(config)# aaa accounting auth-proxy default start-stop group ISE_RADIUS
    Uses the auth-proxy keyword to set up the authorization policy as dynamic ACLs that can be downloaded; this command activates authentication proxy accounting
c9300-1(config)# aaa accounting dot1x default start-stop group ISE_RADIUS
    Provides information about all IEEE 802.1X-related user events. The start-stop keyword sends a "start" accounting notice at the beginning of a process and a "stop" accounting notice at the end of a process

Configuring TrustSec

c9300-1(config)# aaa authorization network CTS group ISE_RADIUS
    Specifies the CTS authorization list name for all network-related service requests from RADIUS servers. Needed for TrustSec. (ALSO, DO NOT USE 'aaa authorization network default group ISE_RADIUS' for this, it will not act right)
c9300-1(config)# cts authorization list CTS
    Specifies the list of authentication, authorization, and accounting (AAA) servers to be used by the TrustSec seed device. Needed for TrustSec. (ALSO, DO NOT USE 'cts authorization list default', it will not act right)
c9300-1(config)# cts role-based enforcement
    Enables Cisco TrustSec SGACL policy enforcement on routed interfaces
c9300-1(config)# cts role-based enforcement vlan-list 10
    Enforces on your VLAN 10
c9300-1(config)# no cts server test all enable
    The server test is enabled by default and only shows up in "show run all". When enabled it sends heartbeat messages to ISE without a username, so ISE keeps dropping them and they flood the RADIUS Live Logs
c9300-1(config)# exit
    Exit back to enable mode
c9300-1# cts credentials id c9300-1 password 12345678
    Sets the credentials the switch uses when communicating with other Cisco TrustSec devices (ISE)

Configuration for Interfaces and VLANs

c9300-1# configure terminal
    Enter config mode
c9300-1(config)# interface GigabitEthernet1/0/1
    Enter interface configuration for Gi1/0/1
c9300-1(config-if)# description ISE dot1x
    Port description
c9300-1(config-if)# switchport access vlan 10
    Initial access to VLAN 10 to reach ISE and the DHCP server
c9300-1(config-if)# switchport mode access
    Configures this as an access port
c9300-1(config-if)# device-tracking attach-policy AAA
    Attaches the previously configured device tracking policy 'AAA' to the port
c9300-1(config-if)# ip dhcp relay information trusted
    Allows the DHCP communication to happen
c9300-1(config-if)# ip access-group ACL_DEFAULT in
    Specifies the default ACL applied to this port before ISE's dACL or SGACL takes effect
c9300-1(config-if)# authentication host-mode multi-auth
    Allows multiple hosts on a single 802.1X-enabled port
c9300-1(config-if)# authentication open
    Enables open (pre-authentication) access on the port
c9300-1(config-if)# authentication order dot1x
    Specifies the order in which the authentication methods are tried (dot1x, mab, webauth)
c9300-1(config-if)# authentication priority dot1x
    Specifies the priority of the authentication methods (dot1x, mab, webauth)
c9300-1(config-if)# authentication port-control auto
    Enables authentication on the port
c9300-1(config-if)# authentication periodic
    Enables periodic reauthentication of the client, which is disabled by default
c9300-1(config-if)# authentication violation restrict
    Configures the disposition of the port if a security violation occurs. The default action is to shut down the port; with the restrict keyword the port does not shut down
c9300-1(config-if)# dot1x pae authenticator
    Enables 802.1X authentication on the port with default parameters
c9300-1(config-if)# spanning-tree bpduguard enable
    Spanning tree shuts down PortFast-configured interfaces that receive BPDUs instead of putting them into the spanning tree blocking state
c9300-1(config)# interface Vlan10
    Enter interface configuration for VLAN X (X being your Pod #)
c9300-1(config-if)# ip helper-address 198.18.133.1
    Sets 198.18.133.1 as the helper address so DHCP requests from this VLAN are relayed to the server

Configure Default ACL

c9300-1(config)# ip access-list extended ACL_DEFAULT
    Creates an ACL named "ACL_DEFAULT"
c9300-1(config-ext-nacl)# permit udp any eq bootpc any eq bootps
    Allow DHCP traffic
c9300-1(config-ext-nacl)# permit udp any any eq domain
    Allow DNS traffic
c9300-1(config-ext-nacl)# permit icmp any any
    Allow ping
c9300-1(config-ext-nacl)# deny ip any any
    Deny everything else
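The switch configuration above is long and the guide calls out two lines that "will not act right" if the default list is used instead of the CTS list. The following script is an added example, not part of the lab guide and not Cisco code: it parses an IOS-style running-config and checks it against a checklist drawn from the tables above (the global RADIUS, AAA and TrustSec commands, and the per-port 802.1X commands on GigabitEthernet1/0/1). The sample configuration embedded in it is constructed for illustration and deliberately omits the CTS authorization list and the VLAN enforcement line so the audit has something to report.

```python
"""Audit a Catalyst running-config against the lab's RADIUS/TrustSec checklist.

Added example, not from the lab guide. The checklist entries are the exact
command strings from the guide's configuration tables; the sample config is
constructed and intentionally incomplete.
"""
import re

# Global commands the guide configures for RADIUS, AAA and TrustSec.
REQUIRED_GLOBAL = [
    "aaa new-model",
    "dot1x system-auth-control",
    "ip dhcp snooping",
    "aaa authentication dot1x default group ISE_RADIUS",
    "aaa authorization network CTS group ISE_RADIUS",
    "cts authorization list CTS",
    "cts role-based enforcement",
    "cts role-based enforcement vlan-list 10",
]

# Lines the guide explicitly warns against using for TrustSec.
PITFALLS = [
    "cts authorization list default",
]

# Per-port commands the guide applies to the 802.1X access interface.
REQUIRED_IF = [
    "authentication port-control auto",
    "authentication host-mode multi-auth",
    "dot1x pae authenticator",
    "device-tracking attach-policy AAA",
    "ip access-group ACL_DEFAULT in",
]


def parse_config(text):
    """Return (global_lines, {interface_name: [sub-commands]}) from IOS-style text.

    Global commands start in column 0; interface sub-commands are indented.
    Comment/separator lines starting with '!' are ignored.
    """
    global_lines, interfaces = [], {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):
            current = None
            m = re.match(r"interface (\S+)", line)
            if m:
                current = m.group(1)
                interfaces[current] = []
            else:
                global_lines.append(line)
        elif current is not None:
            interfaces[current].append(line.strip())
    return global_lines, interfaces


def audit(text, port):
    """Return findings: missing global lines, pitfalls present, missing port lines."""
    glob, ifs = parse_config(text)
    gset = set(glob)
    if_lines = set(ifs.get(port, []))
    return {
        "missing_global": [c for c in REQUIRED_GLOBAL if c not in gset],
        "pitfalls": [c for c in PITFALLS if c in gset],
        "missing_interface": [c for c in REQUIRED_IF if c not in if_lines],
    }


# Constructed sample: uses the default CTS list and lacks VLAN enforcement.
SAMPLE_CONFIG = """\
aaa new-model
dot1x system-auth-control
ip dhcp snooping
aaa authentication dot1x default group ISE_RADIUS
aaa authorization network default group ISE_RADIUS
cts authorization list default
cts role-based enforcement
!
interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport mode access
 device-tracking attach-policy AAA
 ip access-group ACL_DEFAULT in
 authentication host-mode multi-auth
 authentication port-control auto
 dot1x pae authenticator
!
"""

if __name__ == "__main__":
    for key, items in audit(SAMPLE_CONFIG, "GigabitEthernet1/0/1").items():
        print(key, items)
```

Run it against the output of "show running-config" (or "show run all" if you also want to check the "no cts server test all enable" line, which only appears there). An empty "pitfalls" list and empty "missing" lists mean the switch matches what the guide configures; the lists name exactly which lines to add or replace.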
Configure NAD (Network Access Device) in ISE – [From the wkst1 device]
Procedure

Step 1 Open or re-open your Remote Desktop session to your JUMPHOST (wkst1).
Step 2 Open Firefox and go to https://198.18.133.28.
Step 3 Log in with username admin and password C1sco12345.
Step 4 Select Provide later and click Next.
Example:

Step 5 Click Accept and close.


Example:
Step 6 Click the menu icon, select Administration > Network Resources > Network Device Groups, and then
click + Add.
Example:

Step 7 For Name and Description, enter Switches. For Parent Group, select All Device Types. Click Save.
Example:
Step 8 In the top left navigation bar, click Network Devices, and click + Add.
Example:
Step 9 Enter the required information.

Name: c9300-1 (the name must exactly match the switch hostname)
IP Address: 198.19.1.2 /32
Device Type: Switches

Step 10 Select the check box next to RADIUS Authentication Settings. For Shared Secret, enter C1sco12345.
Example:
Step 11 Select the check box next to the Advanced TrustSec Setting.
a) Select Use Device ID for TrustSec Identification.
b) For Password, enter 12345678.
c) Select Send Configuration Changes to Device, and then select Using CoA.
d) For Send From, select ISE.
e) Select Device Configuration Deployment.
f) For EXEC Mode Username, enter admin.
g) For EXEC Mode Password, enter C1sco12345.
h) For Enable Mode Password, enter C1sco12345.
Example:

Step 12 Click Submit.


Configure AD External Identity Store
Procedure

Step 1 Click the menu icon and select Administration > Identity Management > External Identity Sources. Click
Active Directory, and then click + Add.
Example:

Step 2 For both Join Point Name and Active Directory Name, enter dcloud.cisco.com. Click Submit.
Example:

Step 3 When asked, Would you like to join all ISE nodes to this Active Directory
Domain?, click Yes.
Step 4 Use join credentials admin/C1sco12345 and the join should succeed.
Example:

Step 5 Click Close. Click the Groups tab, click + Add, and then select Select Groups from Directory.
Example:
Step 6 Click Retrieve Groups, add the following SIDs, and then click Save.
Example:
Create the ISE policy set
Procedure

Step 1 Click the menu icon and select Policy > Policy Sets.
Step 2 Under Policy Sets, click the + next to Status. Change New Policy Set 1 so both Policy Set Name and
Description are Wired-802.1x.
Example:
Step 3 Under Conditions, click the +. Under Editor click Click to add an attribute.
Step 4 In the attribute pane, select the network device icon and device type.
Example:

Step 5 Set the comparator to Equals and the condition to All Device Types#Switches.
Example:

Step 6 Click Use at the bottom.


Step 7 Under the column Allowed Protocols / Server Sequence, select Default Network Access.
Note In ISE under Policy > Policy elements > Results > Authentication > Allowed protocols, you can
tune which user authentication protocols you want to allow.

Step 8 Click Save.


Step 9 Click the > under View.
Example:

Step 10 Click the > next to Authentication Policy.
Step 11 After the pane expands, click the + to create Authentication Rule 1.
a) Change Rule Name to Wired-802.1X-Users.
b) Set Conditions to DEVICE:Device Type EQUALS All Device Types#Switches.
c) For Use, select dcloud.cisco.com.
Example:

Step 12 Click the > next to Authorization Policy (not -Local Exceptions or -Global Exceptions).
Note Time for some fun! We are going to make 3 authorization policies for Government, Contractor, and Guest. The authorization policies are based off stipulations from the secdemo.net access policy. This is advanced: each policy matches how the users connect, implements a dACL, applies a security group and enforces a security group ACL.

Step 13 After the pane expands, click the + and set the first rule's policy elements as follows:

Rule Name: Government Authorization
Conditions: DEVICE:Device Type EQUALS All Device Types#Switches
    AND (click on NEW)
    dcloud.cisco.com:ExternalGroups EQUALS dcloud.cisco.com/Users/Government Employees

Example:
Step 14 Click USE.
Step 15 Under Results Profiles, click the + and select Create a New Authorization Profile.
Example:

Step 16 Give this Standard Profile the following values:

Name Government_Access
Description Government Access
Access Type ACCESS_ACCEPT
DACL Name PERMIT_ALL_IPV4_TRAFFIC
VLAN Tag ID: 10 ID/Name: 10
Note Click Edit Tag to change Tag ID.

Example:
Step 17 After saving the Government Authorization Profile, be sure to select it under Results Profiles.
Example:
Step 18 Under Results Security Groups, click the + and select Create a New Security Group.
Step 19 Give this security group the following values and then click Submit.

Name: Government_Employees
Icon: (Person)
Description: Government Employees

Example:
Step 20 After saving the Government Authorization Profile, be sure to select it under Results Security Groups, and
then click Save.
Example:

Step 21 Now we will create the Contractor policy. Click the + and create the new rule's policy elements:

Rule Name: Contractor Authorization
Conditions: DEVICE:Device Type EQUALS All Device Types#Switches
    AND (click on NEW)
    dcloud.cisco.com:ExternalGroups EQUALS dcloud.cisco.com/Users/Contractors

Example:

Step 22 Click Use.
Step 23 Under Results Profiles, click the + and select Create a New Authorization Profile.
Example:
Step 24 Give this standard profile the following values:

Name Contractor_Access
Description Contractor Access
Access Type ACCESS_ACCEPT
DACL Name PERMIT_ALL_IPV4_TRAFFIC
VLAN Tag ID: 10 ID/Name: 10
Note Click Edit Tag to change Tag ID.

Step 25 After saving the Contractor Authorization Profile, be sure to select it under Results Profiles.
Step 26 Under Results Security Groups, click Select from list and select the built-in Contractors group. Click Save.
Note This is what your final rule should look like.

Step 27 Now we will create the Guest policy. Click the + and create the new rule's policy elements as follows:

Rule Name: Guest Authorization
Conditions: DEVICE:Device Type EQUALS All Device Types#Switches
    AND (click on NEW)
    dcloud.cisco.com:ExternalGroups EQUALS dcloud.cisco.com/Users/Domain Guests

Example:
Step 28 Click Use.
Step 29 Under Results Profiles, click the + and select Create a New Authorization Profile.
Example:

Step 30 Give this standard profile the following values:


Name Guest_Access
Description Guest_Access
Access Type ACCESS_ACCEPT
DACL Name PERMIT_ALL_IPV4_TRAFFIC
VLAN Tag ID: 10 ID/Name: 10
Click Edit Tag to change Tag ID.

Step 31 After saving the Guest Authorization Profile, be sure to select it under Results Profiles.
Step 32 Under Results Security Groups, click Select from list, and then select the built-in Guests group.
Example:

Step 33 Click and drag on the left side to organize your rules in the following order:
Example:

Step 34 Click Save.

The Authorization and Authentication rules are now complete. Next let's dive into building and implementing
Security Group Access Control Lists (SGACL).
Authorize the Switch for TrustSec Enforcement

Step 1 In ISE, click the menu icon in the top left and select Work Centers > TrustSec > TrustSec Policy. Select
Network Device Authorization on the left.
Step 2 Click the dropdown on the right hand side next to Edit and select Insert new row above.
Example:

Step 3 Name the new rule and select the other fields as follows:

Rule Name: TrustSec Device Authorization
Conditions: DEVICE:Device Type equals All Device Types#Switches
Security Group: TrustSec_Devices

Example:

Step 4 Click Done to the right of the row and then click Save.
Configure New Security Group and Assign IP Security Group Tag (SGT) Static Mapping
Procedure

Step 1 Click the Components tab at the top, and then select Work Centers > TrustSec > Components > Security
Group.
Step 2 Click + Add and name the new security group TopSecret_and_ClassifiedDocs_Svr.
Example:
Step 3 Select database and then click Submit at the bottom of the page.
Step 4 Click IP SGT Static Mapping on the left.
Step 5 Click + Add and fill in the following:

IP address: 198.18.133.1 (press ENTER to record it)
SGT: TopSecret_and_ClassifiedDocs_Svr
Deploy to Devices: All TrustSec Devices

Example:

Step 6 Click Save at the bottom.


Step 7 Click the Components tab again at the top, click IP SGT Static Mapping, click Deploy, click Apply, and
then click OK.
Example:
Configure and apply security group ACLs (SGACL)
Here is where the magic and real enforcement happens.

Procedure

Step 1 Click Security Group ACLs on the left.


Step 2 Click + Add and enter the following information for the new security group ACL:

Name: Block_TopSecret_Docs
IP Version: IPv4
Security Group ACL content:
    deny tcp dst eq 8080
    permit ip

Example:
Step 3 Click Submit.
Step 4 Click + Add to add another SGACL.

Name: Block_TS_and_ClassifiedDocs
IP Version: IPv4
Security Group ACL content:
    deny tcp dst eq 8080
    deny tcp dst eq 8081
    permit ip

Example:
Step 5 Click Submit.
Step 6 Select the check boxes for both SGACLs, click Push, and then click OK.
Example:
Step 7 At the top, select TrustSec Policy > Matrix.
The default rule (shown at the bottom of the page) tells us, by default, the applied SGACL is Permit IP. We
want to prohibit Contractors from reaching Top_Secret information and Guests from reaching Top_Secret
and Classified_Docs.

Step 8 Find the Contractors row and the TopSecret_and_ClassifiedDocs_Svr column.
Example:
Step 9 Click this cell to edit it. Select Block_TopSecret_Docs.
Example:
Step 10 Select Save.
Step 11 Back on the matrix, find the Guests row and the TopSecret_and_ClassifiedDocs_Svr column.
Step 12 Click this cell to edit it. Select Block_TS_and_ClassifiedDocs.
Example:
Step 13 Select Save.
Your result should look similar to this:
Step 14 Click Deploy as highlighted in the image above.
This pushes these policies out to the TrustSec Devices per the TrustSec Device Authorization we built
earlier.

Step 15 You may see a notification in the top-right corner. If so, click Push to the devices.
Example:
Let's see it in action!
Procedure
Step 1 Log into the switch so we can run some commands to verify and see the enforcement. RDP to the Jump Host
(wkst1) if not already in there. Then click mRemoteNG on the taskbar.
Example:
Step 2 Select the 9300 Switch and login with C1sco12345.
Step 3 Type enable, then enter the password C1sco12345 again. Run the following commands:
a) cts refresh environment-data
b) show cts environment-data
This shows the SGTs that have been pushed down to the switch.
Example:

c) show cts rbacl


This verifies and shows the SGACLs that were written in ISE and should look something like the example
below. If they are not showing up, repeat the Configure New Security Group and Assign IP Security
Group Tag (SGT) Static Mapping task.
Example:
Step 4 Back in ISE, click the menu icon in the top left and select Operations > Radius > Live Logs.
You should now see the Authorization process that the switch had gone through successfully (may not be the
exact number of events but something along these lines).

Feel free to click on the hour glass to dig into each event to see what was going on.

Step 5 Connect to the Client1 machine using VM Console. Select Other User and log in using the credentials below.

Username government1
Password C1sco12345
Example:

Step 6 Open the SX Virtual Link and connect to the USB NIC going to the c9300 switch.
Example:
Step 7 After you connect the NIC, open control panel and go to Network and Internet > Network and Sharing
Center > Change adapter settings.
Example:
Step 8 Right-click on the newly added NIC and select Properties.
Example:

Step 9 Enter the credentials admin/C1sco12345.


Example:
Step 10 Click the Authentication tab, click Settings, clear the first check box, and then click OK.
Example:
Step 11 On the Authentication tab, click Additional Settings.
Example:
Step 12 Select Specify authentication mode. Select User authentication, click Save credentials, and then add the
same credentials used to log into the client of government1/ C1sco12345. Click OK on all windows to
save the settings.
Example:
Note Wait at least 15 seconds for the authentication to finish once you connect the NIC in the client.
Step 13 Back in ISE, select Operations > Radius > Radius Live Logs.
Step 14 Open Chrome and clear the browsing history.
a) Click on the three dots in the top right, expand History, and then click History.
Example:

Step 15 Click the top three bars in the top left corner and select Clear browsing data.
Example:
Step 16 Set Time range to All time and then click Clear data.
Example:
Step 17 Now visit each site shown below. You should have access to all three when signed in as Government1.
a) www.topsecretdocs.com:8080 Top Secret Documents/Files
b) www.classifieddocs.com:8081 Classified Documents/Files
c) www.internetonly.com:8082 Internet access only
Step 18 Sign out and sign back in as contractor1/C1sco12345. Repeat this task starting with step 6, adding
authentication credentials and clearing cache and try these sites again.
Notice how the enforcement is taking place to where the Government user had access to everything, the
Contractor should only be able to access the Classified and Internet sites.

Step 19 Sign out and sign back in as guest1/C1sco12345. Repeat this task starting with step 6, adding authentication
credentials and clearing cache and try these sites again.
You should only have internet access.
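Steps 17 to 19 state the expected outcome for each user but do not show how the matrix, the SGACL contents and the IP-SGT mapping combine to produce it. The following script is an added example, not part of the lab guide and not ISE code: it models the matrix cells set in Steps 8 to 13, parses the two SGACLs exactly as entered in Steps 2 and 4, and evaluates the three lab users against the three test sites. It assumes, as the lab implies, that all three sites are served by the host mapped to TopSecret_and_ClassifiedDocs_Svr, that cells not set in the matrix fall back to the default Permit IP, and it uses simplified first-match semantics that cover only the "permit ip", "deny ip" and "deny tcp dst eq N" forms used here.

```python
"""Simulate the SGACL matrix built in this lab (added example, not ISE code).

Assumptions: the three test sites live on the host tagged
TopSecret_and_ClassifiedDocs_Svr; unset matrix cells use the default
"Permit IP"; SGACL lines are limited to the forms used in the lab.
"""


def parse_sgacl(text):
    """Parse ISE-style SGACL content into (action, proto, dst_port) tuples.

    Supported lines: 'permit ip', 'deny ip', '<permit|deny> tcp dst eq <port>'.
    """
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        action, proto = parts[0], parts[1]
        dport = None
        if len(parts) >= 5 and parts[2] == "dst" and parts[3] == "eq":
            dport = int(parts[4])
        rules.append((action, proto, dport))
    return rules


# SGACL contents as entered in Steps 2 and 4, plus the built-in default.
SGACLS = {
    "Permit IP": parse_sgacl("permit ip"),
    "Block_TopSecret_Docs": parse_sgacl("deny tcp dst eq 8080\npermit ip"),
    "Block_TS_and_ClassifiedDocs": parse_sgacl(
        "deny tcp dst eq 8080\ndeny tcp dst eq 8081\npermit ip"
    ),
}

# Matrix cells set in Steps 8-13: (source SGT, destination SGT) -> SGACL name.
MATRIX = {
    ("Contractors", "TopSecret_and_ClassifiedDocs_Svr"): "Block_TopSecret_Docs",
    ("Guests", "TopSecret_and_ClassifiedDocs_Svr"): "Block_TS_and_ClassifiedDocs",
}

# Users -> security group assigned by the authorization policies built earlier.
USER_SGT = {
    "government1": "Government_Employees",
    "contractor1": "Contractors",
    "guest1": "Guests",
}

# Test sites from Step 17 and the TCP port each listens on.
SITES = {"topsecretdocs": 8080, "classifieddocs": 8081, "internetonly": 8082}


def sgacl_for(src_sgt, dst_sgt):
    """Look up the matrix cell, falling back to the default Permit IP."""
    return MATRIX.get((src_sgt, dst_sgt), "Permit IP")


def evaluate(src_sgt, dst_sgt, proto, dport):
    """Return 'permit' or 'deny' for one flow using first-match semantics."""
    for action, rproto, rport in SGACLS[sgacl_for(src_sgt, dst_sgt)]:
        if rproto != "ip" and rproto != proto:
            continue  # protocol does not match this rule
        if rport is not None and rport != dport:
            continue  # destination port does not match this rule
        return action
    return "deny"  # nothing matched: implicit deny


def access_report(user, dst_sgt="TopSecret_and_ClassifiedDocs_Svr"):
    """Map each test site to the verdict a given lab user should see."""
    src = USER_SGT[user]
    return {site: evaluate(src, dst_sgt, "tcp", port) for site, port in SITES.items()}


if __name__ == "__main__":
    for user in USER_SGT:
        print(user, access_report(user))
```

The report reproduces the expectation in Steps 17 to 19: government1 reaches all three sites, contractor1 loses only the 8080 site, and guest1 keeps only the 8082 site. If "show cts rbacl" on the switch shows different SGACL contents from those in SGACLS, the switch has not received the push from Step 6 and the real enforcement will not match the simulation.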
TACACS+ - Restricting Switch Commands and Differentiated Access
Recall Cisco made TACACS+ and it’s widely used in the industry to separate the various networking personas
(admin, guest, contractor etc.) and their respective CLI commands they can issue on specific network-nodes.
TACACS+ separates authentication and authorization.

Procedure

Step 1 Configure the c9300-1 Catalyst switch for TACACS+.

AAA for TACACS+

c9300-1(config)# aaa group server tacacs+ ISE_TACACS
    Defines the AAA server group with the group name ISE_TACACS
c9300-1(config-sg-tacacs+)# server name ISE_TACACS
    Defines the AAA server to be used (referenced later in the config)
c9300-1(config-sg-tacacs+)# exit
    Exit
c9300-1(config)# tacacs server ISE_TACACS
    Specifies ISE_TACACS as the TACACS+ server name
c9300-1(config-server-tacacs)# address ipv4 198.18.133.28
    Specifies the IP address of ISE
c9300-1(config-server-tacacs)# key C1sco12345
    Specifies the key (will need to match with ISE)
c9300-1(config-server-tacacs)# exit
    Exit
c9300-1(config)# ip tacacs source-interface gigabitEthernet 1/0/48
    Specifies Gi1/0/48 as the source interface for TACACS+
c9300-1(config)# aaa authentication login default group ISE_TACACS local
    Creates a login authentication method list. The word default specifies this is the default method and applies to all ports. ISE_TACACS is the group name; if the server is unavailable, we fall back to local credentials
c9300-1(config)# aaa authentication enable default group ISE_TACACS enable
    Similar to above, but for "enable" to get into privileged EXEC mode
c9300-1(config)# aaa authorization exec default group ISE_TACACS local if-authenticated
    Configures the switch for user TACACS+ authorization if the user has privileged EXEC access
c9300-1(config)# aaa authorization console
    ***(Please don't do this in this lab, just an FYI)*** Enables TACACS+ authorization enforcement on the console
c9300-1(config)# aaa authorization commands 1 default group ISE_TACACS local if-authenticated
    Specifies that TACACS+ authorization is run for level 1 commands
c9300-1(config)# aaa authorization commands 15 default group ISE_TACACS local if-authenticated
    Specifies that TACACS+ authorization is run for level 15 commands
c9300-1(config)# aaa accounting exec default start-stop group ISE_TACACS
    Enables accounting for EXEC sessions and lists the default method to use for start-stop accounting
c9300-1(config)# aaa accounting commands 1 default start-stop group ISE_TACACS
    Defines a default commands accounting method list, with accounting provided by a TACACS+ server, for privilege level 1 commands with start-stop records
c9300-1(config)# aaa accounting commands 15 default start-stop group ISE_TACACS
    Defines a default commands accounting method list, with accounting provided by a TACACS+ server, for privilege level 15 commands with start-stop records

Step 2 Go back into the ISE UI and navigate to Administration > System > Deployment.
Step 3 Select ISE, and then click Edit.
Step 4 Under Policy Service, select Enable Device Admin Service.
Example:

This setting enables TACACS+ feature.


Step 5 Click Save.
Step 6 Navigate to Administration > Network Resources > Network Devices.
Step 7 Select c9300-1, and then click Edit.
Step 8 Scroll down and select TACACS Authentication Settings. For Shared Secret, enter C1sco12345.
Example:
Step 9 Click Save at the bottom of the page.
Step 10 Navigate to Work Centers > Device Administration > Policy Elements > Results, and then click TACACS
Profiles.
Step 11 Click + Add and create your first TACACS profile with the following elements.

Name Network_Admin
Default Privilege 15
Maximum Privilege 15

Step 12 Click Submit.


Create a second TACACS profile for a non-admin account
Procedure

Step 1 Click + Add and create your second TACACS profile with the following elements:

Name Network_Viewer
Default Privilege 1
Maximum Privilege 15

Step 2 Click Submit.


Example:
Build the TACACS Command Sets for both Network_Admin and Network-Viewer accounts
Procedure

Step 1 Select TACACS Command Sets on the left and click + Add. For Name, enter Allow All Commands.
Select Permit any command that is not listed below.
Step 2 Click Submit.
Step 3 Click + Add to create the Network_Viewer command set.
a) For Name, enter Allow Show Commands Only.
b) Under the Commands pane click + Add.
c) For Grant, select Permit.
d) For Command, enter show*.
e) Click the check mark icon at the right of the row and then click Submit.
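The two command sets above are what decide, per command, whether the switch accepts what a TACACS+ user types once "aaa authorization commands" is in place. The following script is an added example, not part of the lab guide and not ISE code: it models a command set as a list of grant rules plus the "Permit any command that is not listed below" flag, and runs a handful of constructed commands through the Allow All Commands and Allow Show Commands Only sets. It is a simplified model (first matching rule wins, the command keyword is matched as a wildcard pattern and the arguments as a regular expression); real ISE evaluation has additional ordering rules not reproduced here.

```python
"""Model ISE TACACS+ command sets (added example, not ISE code).

Simplified semantics: rules are evaluated in order, the first rule whose
command pattern (shell wildcard) and argument regex both match decides the
grant; if no rule matches, the set's permit_unmatched flag decides.
"""
import fnmatch
import re


class CommandSet:
    """One ISE command set: ordered (grant, command_pattern, args_regex) rules."""

    def __init__(self, name, rules=(), permit_unmatched=False):
        self.name = name
        self.rules = list(rules)
        # Corresponds to "Permit any command that is not listed below".
        self.permit_unmatched = permit_unmatched

    def authorize(self, cmd_line):
        """Return True if the command line is permitted by this set."""
        cmd, _, args = cmd_line.strip().partition(" ")
        for grant, pattern, args_re in self.rules:
            if fnmatch.fnmatchcase(cmd.lower(), pattern.lower()) and re.fullmatch(args_re, args):
                return grant == "PERMIT"
        return self.permit_unmatched


# The two command sets built in this section.
ALLOW_ALL = CommandSet("Allow All Commands", permit_unmatched=True)
SHOW_ONLY = CommandSet(
    "Allow Show Commands Only",
    rules=[("PERMIT", "show*", ".*")],  # Grant=Permit, Command=show*, any arguments
)

# Shell profile -> command set pairing used later in the TACACS+ policy set.
ROLE_SETS = {"Network_Admin": ALLOW_ALL, "Network_Viewer": SHOW_ONLY}

# Constructed sample commands, modelled on the ones the lab suggests trying.
TEST_COMMANDS = [
    "show running-config",
    "show ip interface brief",
    "configure terminal",
    "interface GigabitEthernet1/0/1",
]


def authorization_table(role):
    """Map each sample command to the verdict the role's command set gives."""
    return {c: ROLE_SETS[role].authorize(c) for c in TEST_COMMANDS}


if __name__ == "__main__":
    for role in ROLE_SETS:
        print(role, authorization_table(role))
```

The verdicts line up with the TACACS Live Logs you will see at the end of the lab: Network_Admin is permitted everything, while Network_Viewer gets "show" commands only and every configuration command is rejected even though the profile allows privilege 15, because command authorization is evaluated independently of the privilege level.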
Build your TACACS+ policy set
Procedure

Step 1 Click the Device Admin Policy Sets tab at the top.
Step 2 Click [icon] to create a policy.
a) For Policy Set Name, enter IOS Devices.
b) Under Conditions, click the plus sign and create a condition that matches DEVICE:Device Type EQUALS All Device Types#Switches. Click Save.
Example:
Step 3 Click Use.
Step 4 For Allowed Protocols/Server Sequence, select Default Device Admin.
Example:

Step 5 Click Save.


Step 6 Click > to the right of the new rule, then click > again by Authentication Policy.
a) Keep Rule Name set to Default.
b) Under USE, select dcloud.cisco.com as your identity store.
Step7 Click > by Authorization Policy, and then click the plus sign.
Step8 For Rule Name, enter Network Admins.
Step 9 Under Conditions, click the plus sign.
a) For Editor, select [icon].
b) Create a condition that matches dcloud.cisco.com:ExternalGroups EQUALS dcloud.cisco.com/Builtin/Network Configuration Operators.
Example:

c) Click Save.
Step 10 Click Use.
Step 11 Under Results, for Command Sets select Allow All Commands, and for Shell Profiles select Network_Admin.
Example:

Step 12 While still under Authorization Policy Local Exceptions, click the plus sign to create your non-admin user
catch all rule.
a) For Rule Name, enter Network_Viewer.
b) Under Conditions, click the plus sign.
c) For Editor, select [icon].
d) Create a condition that matches dcloud.cisco.com:ExternalGroups EQUALS dcloud.cisco.com/users/Contractors.
e) Select OR on the left pane.
f) Create a second condition that matches dcloud.cisco.com:ExternalGroups EQUALS
dcloud.cisco.com/users/Government Employees
Example:

Step 13 Click Use.
Step 14 Under Results, for Command Sets select Allow Show Commands Only, and for Shell Profiles select Network_Viewer.
Example:
Step 15 Click Save.
Step 16 From the Jump Host, use PuTTY to connect to the switch using the different users and observe the access results.

Username: administrator    Password: C1sco12345
Username: government1      Password: C1sco12345
Username: contractor1      Password: C1sco12345

Try these commands for each user and see what is and is not allowed.
• Enable (Remember that the enable password is now the same as the password for that user.)
• Show run or Show ip int br
• Configure Terminal and try different commands

Step 17 Return to ISE and go to Operations > TACACS > Live Logs and you will see each user login and associated
commands performed.
Thanks ☺
