The Cisco Identity Services Engine, Cisco ISE, is a robust platform for access control policy and enforcement. The platform supports the TACACS+ protocol, allowing detailed audits across your network environment. You have the option of configuring your network devices to submit authentication and authorization requests to the ISE server.
The architecture developed by Cisco is one of a kind, and it gives businesses the ability to collect information in real-time from people, networks, and devices. After gathering this information, the administrator can utilize it to make proactive governance decisions by connecting identities with a variety of network devices such as wireless LAN Controllers, VPN gateways, data center switches, access switches, and so on. The Cisco Security Group Solution relies on it as a fundamental building block.
In this article, our primary focus is on querying Cisco ISE using TACACS+ in order to control and audit network devices.
What exactly is TACACS?
Terminal Access Controller Access Control System (TACACS) is a security protocol that offers centralized validation of users who are attempting to gain access to a router or network access server (NAS). TACACS was developed by the Terminal Access Controller Access Control System (TACACS) consortium. TACACS+, the more recent version, offers three distinct services: authentication, authorization, and accounting.
Why Should I Use TACACS+ with the Cisco Identity Services Engine?
ISE supports the TACACS+ protocol, which enables enhanced control and auditing of network device configurations and so strengthens security. Configuring a network device to direct its authentication and authorization inquiries to Cisco Identity Services Engine (ISE) makes it possible to exert a degree of control over what a network administrator can do. In addition, for accounting and auditing, the network device sends Cisco ISE information about each session and about each command operation.
TACACS+ can be integrated with the devices that are already part of the network: ISE administrators can add network devices, together with their TACACS+ settings, from the ISE dashboard.
Combining Cisco ISE and TACACS+ has several benefits, one of which is the enhanced level of control it provides. ISE assists in writing policies and distributing them to the appropriate users. For example, using the internal user feature, you can add device admins as internal users and configure their enable passwords at the same time. Live logs and reports give ISE administrators an additional auditing option for determining which users have executed which commands.
Availability of a device administration access service is another benefit: an ISE administrator establishing a device administration access service can create rules that allow TACACS results, such as command sets and shell profiles, to be included as components of an authorization policy rule.
How does a network device query Cisco ISE?
Cisco ISE Query
Control and auditing of the configuration of network devices are carried out by the Cisco ISE administrator through the device administration features. TACACS can be used to configure a device so that it queries the Cisco ISE server. Reports about device administration are made available through the Cisco ISE monitoring node. The following tasks can be performed:
- Configuring devices linked to the network with TACACS
- Adding administrators of connected devices as internal users and configuring their credentials
- Developing policy sets for a device administration access service that allow TACACS results to be selected in authorization policy rules
- Configuring the TACACS server in Cisco ISE to grant device administrators access to the devices according to the policy settings
The device administrator configures the device so that it can communicate with the Cisco ISE server. When the device administrator logs in to the device, the device sends a query to the ISE server, which in turn consults an internal or external identity store to validate the device administrator's credentials.
After validation, the device notifies the Cisco ISE server at the end of each session and of each command authorization activity, so that the activity can be accounted for and audited.
Enabling TACACS Operations
TACACS operations can be enabled by selecting the “Enable Device Admin Service” check box found on the “Administration > System > Deployment > General Settings” page. It is important to check that the option is active in every PSN that is part of a deployment.
Note that to use the TACACS service, Cisco ISE necessitates the purchase of a Device Administration License in place of an existing Base or Mobility License. The license for Device Administration is valid indefinitely.
If you have upgraded from an earlier release to Cisco ISE Release 2.0 or later and now want to enable the TACACS service, the Device Administration License must be purchased separately as an add-on. At least one Device Administration License must be present for the ISE deployment as a whole.
Device Administration Work Center
Administrators of Cisco ISE can begin their work from a single location by navigating to the Work Center menu, which gathers all the device administration pages. Non-device-administration pages, such as Users, User Identity Groups, Network Devices, Default Network Devices, Network Device Groups, and Authentication and Authorization Conditions, can still be accessed through their original menu options.
The only prerequisite for using the Work Centers option is that the appropriate TACACS license(s) have been obtained and installed.
The Device Administration menu gives access to Overview, Identities, User Identity Groups, Ext ID Stores, Network Resources, Network Device Groups, Policy Elements, Device Admin Policy Sets, Reports, and Settings, each reached by selecting the corresponding option.
Configuration Options for Device Administration and Deployment
The Device Administration Deployment page, found under Work Centers > Device Administration > Overview > Deployment, gives Cisco ISE administrators a centralized view of the device administration system, so they do not need to visit each deployment node individually.
The “Device Administration Deployment” tab lists the PSNs in the deployment. This removes the laborious task of enabling the device admin service on each PSN individually: you can enable it for a large number of PSNs at once by selecting one of the following options:
The TACACS Ports field accepts up to four comma-separated TCP ports, each in the range 1 to 65535. Because Cisco ISE nodes and their interfaces listen for TACACS+ requests on the specified ports, you are responsible for ensuring that no other service uses them. The default TACACS+ port is 49.
When you select “Save” in the Administration > System > Deployment listing, the changes are synchronized with the selected nodes.
Device Admin Policy Configuration
A Regular policy set consists of two separate tables: an authentication rule table and an authorization rule table. The authentication rule table contains a collection of “outer” rules that are responsible for deciding which protocols are permitted.
Each “outer” rule is composed of additional “inner” rules, which are responsible for selecting the appropriate identity store. A set of rules for selecting the precise authorization results that are required to implement the authorization business model is contained within the authorization rule table.
The authorization procedure is governed by a shell profile, a collection of command sets, and one or more conditions that need to be satisfied before a rule can be triggered. In addition, every policy set has an authorized exceptions rule table, which can be consulted to make an exception to the rules in a certain circumstance; this table is utilized quite frequently for impromptu circumstances.
Querying Cisco ISE using TACACS+
Once Cisco Identity Services Engine (ISE) and your network device have been configured, the next step is to query ISE using TACACS+. Every authentication or authorization action by a network administrator is immediately queried against ISE. Cisco ISE gives you access to a variety of logs and reports detailing authentication, authorization, and accounting for the devices that have been configured to use TACACS.
You can obtain a list of live logs to audit operations carried out on network devices by using the Cisco ISE server.
To reach the live logs, go to Operations > TACACS > Live Logs. Clicking on an entry shows additional detail for that live log.
To view reports, navigate to the Work Centers menu and select the Reports option. You will be able to retrieve Device Administration Reports for TACACS Accounting, Authorization, and Authentication from this location.
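The live logs and TACACS accounting reports described above are only useful if someone actually reviews which user ran which command. The following script is an added example, not Cisco's or ISE's own code: it parses a handful of constructed command-accounting records (the key=value layout, the field names such as User, Device, Priv, Cmd and Status, and the role-to-command-set mapping are all assumptions made for the example; the real ISE syslog schema differs) and reports two things a device-administration audit cares about: authorization requests that ISE denied, and commands that were accounted as executed although they fall outside the command set the user's role is supposed to get.

```python
"""Audit constructed TACACS+ command-accounting records from an ISE PSN.

Added example, not Cisco's or ISE's code. The record layout (timestamp, node
name, message type, then key=value fields) is an assumption that mimics what a
syslog collector might receive; the real ISE message schema is different.
"""
import re
from collections import defaultdict

# Constructed sample records (assumed format, not real ISE output).
SAMPLE_RECORDS = [
    "2024-05-01T10:00:01Z ise-psn-1 TACACS_Accounting User=netops1 Device=core-sw1 Priv=15 Cmd=show running-config Status=Success",
    "2024-05-01T10:00:07Z ise-psn-1 TACACS_Accounting User=netops1 Device=core-sw1 Priv=15 Cmd=configure terminal Status=Success",
    "2024-05-01T10:00:09Z ise-psn-1 TACACS_Accounting User=netops1 Device=core-sw1 Priv=15 Cmd=interface GigabitEthernet1/0/1 Status=Success",
    "2024-05-01T10:00:12Z ise-psn-1 TACACS_Accounting User=netops1 Device=core-sw1 Priv=15 Cmd=shutdown Status=Success",
    "2024-05-01T10:05:30Z ise-psn-2 TACACS_Accounting User=helpdesk2 Device=edge-rtr3 Priv=1 Cmd=show interfaces Status=Success",
    "2024-05-01T10:05:41Z ise-psn-2 TACACS_Authorization User=helpdesk2 Device=edge-rtr3 Priv=1 Cmd=configure terminal Status=Failed",
    "2024-05-01T10:06:02Z ise-psn-2 TACACS_Accounting User=helpdesk2 Device=edge-rtr3 Priv=1 Cmd=reload Status=Success",
]

# key=value fields; values may contain spaces, so stop at the next "key=" token.
FIELD_RE = re.compile(r"(?P<key>[A-Za-z][\w-]*)=(?P<val>.*?)(?=\s+[A-Za-z][\w-]*=|$)")

# Hypothetical stand-in for the ISE command set each role's authorization rule
# would return: permitted first words of a command, or None for "permit any".
ROLE_ALLOWED_PREFIXES = {
    "helpdesk": ("show", "ping", "traceroute"),
    "netops": None,
}
# Constructed user-to-role mapping (in ISE this would come from the identity store).
USER_ROLE = {"netops1": "netops", "helpdesk2": "helpdesk"}


def parse_record(line):
    """Split one record into a dict: ts, node, type plus every key=value field."""
    head, _, rest = line.partition(" TACACS_")
    ts, node = head.split(" ", 1)
    msg_type, _, fields = rest.partition(" ")
    rec = {"ts": ts, "node": node, "type": msg_type}
    rec.update({m.group("key"): m.group("val") for m in FIELD_RE.finditer(fields)})
    return rec


def audit(records):
    """Return (commands per user, findings).

    Findings are tuples (kind, user, device, command) where kind is
    "authz-denied" for a failed authorization request and "outside-command-set"
    for an accounted command the user's role should not have been allowed to run.
    """
    commands_by_user = defaultdict(list)
    findings = []
    for rec in records:
        user, device, cmd = rec.get("User"), rec.get("Device"), rec.get("Cmd", "")
        if rec["type"] == "Authorization" and rec.get("Status") == "Failed":
            findings.append(("authz-denied", user, device, cmd))
            continue
        if rec["type"] != "Accounting":
            continue
        commands_by_user[user].append((device, cmd))
        allowed = ROLE_ALLOWED_PREFIXES.get(USER_ROLE.get(user, ""), ())
        first_word = cmd.split(" ", 1)[0]
        if allowed is not None and first_word not in allowed:
            findings.append(("outside-command-set", user, device, cmd))
    return dict(commands_by_user), findings


if __name__ == "__main__":
    parsed = [parse_record(line) for line in SAMPLE_RECORDS]
    per_user, found = audit(parsed)
    for user, cmds in per_user.items():
        print(f"{user}: {len(cmds)} command(s) accounted")
    for kind, user, device, cmd in found:
        print(f"[{kind}] {user}@{device}: {cmd}")
```

The "outside-command-set" finding is the one worth acting on: a denied authorization shows the ISE command set working as intended, whereas a command that was accounted as executed despite falling outside the role's command set points to a device whose AAA configuration or authorization rule does not match the intended policy.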
Final Words
All the network devices that are to be protected by Cisco ISE are configured so that they first query ISE for authentication and authorization before any operation on a network device is carried out.
To conclude, TACACS+ is a practical tool that gives you the ability to query your Cisco ISE and obtain valuable information from it. We hope the methods discussed above will help you query Cisco ISE efficiently and find the information you are looking for.
FAQs
Is it possible to use TACACS+ with Cisco ISE?
ISE combines Authentication, Authorization, and Accounting (AAA) and a profiler in a single appliance. Through the Terminal Access Controller Access Control System (TACACS+), it offers centralized management of Device Administration within the AAA framework.
How does Cisco ISE handle the TACACS+ AAA framework?
All the network devices that will be protected by Cisco ISE have their configurations set up such that they will query ISE for authentication and authorization before performing any operations on devices that are part of the network. In terms of accounting, network devices are set up to send accounting messages to ISE to log the actions taken by such devices.
What are the key distinctions between the roles of a Device administrator and an administrator for Cisco ISE?
In the context of ISE, a device administrator is someone who logs in to network devices (such as switches, routers, gateways, wireless access points, and so on) to configure and maintain them. A Cisco ISE administrator, on the other hand, is the person who connects to the Cisco ISE platform to control which of these device administrators can log in and how they do so.