Lab 17: TACACS+ Device Administration
Lab Overview
Device administration in ISE involves controlling network administrator access to network devices. Network
administrators often have different levels of access to different network equipment, depending on their role.
Most organizations prefer to centralize the control and maintenance of this function. The TACACS+ function of
Cisco ISE enables this central control. Through TACACS Live Logs and reports, ISE provides centralized monitoring,
reporting, and troubleshooting of an organization's network administration. In this lab, you will configure ISE for
basic Device Administration of IOS devices.
You will begin by configuring the policy elements required for network device administration. These policy
elements will then be used in the basic authentication and authorization policies, which you will create. Of course,
each Network Access Device (NAD) must be configured to support TACACS+, and so you must configure the
required AAA commands to fulfill this need. You will then log in with different users to validate both your
authentication policies and your authorization policies. You will have granular control of not only who can access
your network devices, but also what they can do.
Lab Procedures
• Configure TACACS+ Privilege Levels
If you have performed a reset to this lab or are using the Global Knowledge e-Labs (meaning that you are
accessing the system after you have attended the 5-day course), you will need to prepare or verify the
environment. Perform the following:
Access the module in the lab guide titled Post Reset and follow the directions there.
https://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L17.htm 20/09/2017
Page 2 of 12
1.1. Access the Admin-PC, open Firefox, and use the ISE bookmark to log on as admin/admin$Pwd.
1.2. Navigate to Administration > System > Deployment. Edit the ISE node by clicking ise. Under General
Settings, enable the Device Admin Service.
2.1. Navigate to Administration > Network Resources > Network Device Groups. Expand Groups and verify that
the Wired Device Group is an available Device Type and that HQ is an available Device Location, as shown
below:
Note: ISE provides powerful device grouping similar to ACS 5.x, in the form of multiple device group hierarchies.
Each hierarchy can represent a separate and independent classification of network devices. For example, two
very common ways to classify devices are by device type and location. By default, ISE provides device type and
location hierarchies and additional Network Device Groups can be added.
3.1. Navigate to Work Centers > Device Administration > Network Resources. Choose Network Devices and
validate that the device L3-Switch has been created. If not, create it based on the screen shot below.
Ensure that the device Type is set to Wired (the group you verified in step 2.1) and that the Location is set to HQ.
3.2. For this L3-Switch, scroll down and configure TACACS settings, as follows.
Attribute Value
4.1. Navigate to Work Centers > Device Administration > Policy Elements > Results > TACACS Profiles. You will
add two different TACACS profiles with different privilege levels.
Attribute           Value
Name                Privilege_Level_1
Default Privilege   1
Maximum Privilege   1
Attribute           Value
Name                Privilege_Level_15
Default Privilege   1
Maximum Privilege   15
5.1. Navigate to Administration > Identity Management > Identity Source Sequences.
Attribute   Value
Name        TACACS_Sequence
Selected    GKLABS, Internal Users (in that order)
6.1. Navigate to Work Centers > Device Administration > Device Admin Policy Sets. You are about to create a
new policy set to handle Wired Network Devices at HQ.
6.2. In the left pane, click the Default policy set, then click the Plus icon and choose Create Above as shown
below.
6.3. Near the top, double-click Enter Policy Name. Name the Policy Wired HQ Devices.
6.4. In the Conditions box, click the + (plus) icon and choose Create New Condition (Advanced Option).
6.5. Choose DEVICE:Device Type EQUALS Device Type#All Device Types#Wired AND DEVICE:Location EQUALS
Location#All Locations#HQ, then check your work against the example below.
6.7. Modify the Authentication Policy Default Rule to use the TACACS_Sequence identity source sequence, as shown below.
6.9. Next, configure the Authorization Policy. To start, click the black down arrow at the end of the
Tacacs_Default policy and choose Insert New Rule Above. Configure this new rule as follows.
Attribute   Value
Name        IT Authorization
6.10. Click Done and check your work against the example below.
6.11. Now add a policy for employees. Start by clicking the black down arrow at the end of the new IT
Authorization rule and choose Insert New Rule Below. Configure this new rule as follows.
Attribute Value
6.12. Click Done and check your work against the example below.
7.1. Using the Topology Diagram, access the console of the L3-Switch. The account admin/admin$Pwd is configured as
a local account on the switch, and the enable secret is san-fran.
Note: It is important to use the actual physical console of the L3-Switch as you are about to modify how the tty
lines are authenticated while leaving the console port alone. The user account admin (in active directory) is not a
member of the IT group. As such, admin will not have much access to IOS commands via tty. This is consistent
with many production networks where device admins are not necessarily the same as domain admins.
Tip: There is a file on the Admin-PC at Desktop\ISE\L3-Switch\TACACS AuthC.txt. You can copy and paste the
commands from there if you prefer.
Do NOT save the changes to startup-config as you will reload the switch at the end of the lab in preparation for
the next lab.
conf t
! Apply the MyTplus AAA method lists to the remote (vty) lines only;
! the console line keeps its existing local authentication.
line vty 0 4
login authentication MyTplus
authorization exec MyTplus
exit
7.3. To test various users, return to your Admin-PC and use SecureCRT to open a CLI session to L3-Switch.
Note: In SecureCRT, use the session for 10.10.2.1 to allow testing of different accounts as that session has not
been preconfigured with any credentials. DO NOT save credentials for this session.
7.5. Type enable to get higher privilege. When prompted for a password, enter gklabs. This authentication fails,
according to the policy you created.
L3-Switch>enable
Password: gklabs
% Error in authentication.
7.6. Open another CLI session and log in using credentials it1/gklabs. This should succeed.
7.7. Type enable to get higher privilege. When prompted for a password, enter gklabs. This authentication
succeeds, according to the policy you created.
L3-Switch>enable
Password: gklabs
L3-Switch#
L3-Switch#show priv
Current privilege level is 15
L3-Switch
7.8. Enter the show privilege command to verify your privilege level is 15.
7.9. In ISE, navigate to Operations > TACACS > Live Logs to see the authentication and authorization
information. You should see live logs similar to the example shown below.
7.10. For the failed employee entry, click the Details icon, as shown above. You can analyze the details of each
session. Some of the more pertinent information includes the Authentication details, as shown below.
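To make the outcome of steps 7.5 through 7.8 concrete, here is a small Python model, added to this edition of the lab and not part of the original lab files or of ISE itself, of how the two TACACS profiles from step 4.1 drive the switch's exec and enable decisions. The identities are constructed sample data following the lab narrative: it1 is a member of the IT group, while employee1 (a placeholder name; the lab's own employee account is not named in this text) is not, and both use the password gklabs. The one rule the model encodes is the general shell-profile behaviour the lab exercises: after login the session gets the profile's Default Privilege, and an enable request for level 15 succeeds only when 15 does not exceed the profile's Maximum Privilege.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ShellProfile:
    """A TACACS profile as built in step 4.1: default and maximum privilege level."""
    name: str
    default_privilege: int
    maximum_privilege: int


PROFILES = {
    "Privilege_Level_1": ShellProfile("Privilege_Level_1", 1, 1),
    "Privilege_Level_15": ShellProfile("Privilege_Level_15", 1, 15),
}

# Constructed sample identities (not the lab's real directory): every password is
# "gklabs"; it1 is in the IT group, employee1 (placeholder name) is not.
USERS = {
    "it1": {"password": "gklabs", "groups": ["IT"]},
    "employee1": {"password": "gklabs", "groups": ["Employees"]},
}


def select_profile(groups):
    """Authorization policy from section 6: IT members match the IT Authorization
    rule (Privilege_Level_15); everyone else falls through to the employee rule
    (Privilege_Level_1)."""
    if "IT" in groups:
        return PROFILES["Privilege_Level_15"]
    return PROFILES["Privilege_Level_1"]


def authenticate_login(username, password):
    """Login authentication against the identity store."""
    user = USERS.get(username)
    return user is not None and user["password"] == password


def authorize_exec(username):
    """Exec (shell) authorization: the switch applies the profile's Default
    Privilege, which is what 'show privilege' reports right after login."""
    profile = select_profile(USERS[username]["groups"])
    return {"priv-lvl": profile.default_privilege}


def authenticate_enable(username, password, requested_level=15):
    """Typing 'enable' makes the switch request enable authentication for the
    target level. ISE accepts it only if the password is correct AND the level
    does not exceed the profile's Maximum Privilege; that is why the same
    password gklabs fails for employee1 and succeeds for it1."""
    user = USERS.get(username)
    if user is None or user["password"] != password:
        return False
    profile = select_profile(user["groups"])
    return requested_level <= profile.maximum_privilege


def session(username, password):
    """Replay the lab test: log in, then type 'enable'. Returns the privilege
    level the session ends up with, or None if the login itself failed."""
    if not authenticate_login(username, password):
        return None
    level = authorize_exec(username)["priv-lvl"]
    if authenticate_enable(username, password):
        level = 15
    return level


if __name__ == "__main__":
    for name in ("employee1", "it1"):
        print(f"{name}: session ends at privilege level {session(name, 'gklabs')}")
```

Running the block prints level 1 for employee1 (enable rejected, as in step 7.5) and level 15 for it1 (as in steps 7.7 and 7.8). Note that the Default Privilege is 1 in both profiles; only the Maximum Privilege differs, which is exactly the attribute the enable request is checked against.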
In this exercise, you will configure TACACS+ command authorization and bind these commands to a device
administration policy. Privilege-level authorization associates commands with privilege levels, per network device.
ISE can then apply the default and maximum privilege level to a user upon login. Privilege-level authorization
requires that each device be configured with privilege levels and command sets (overriding the default privilege levels).
TACACS+ command authorization centralizes the administration of commands to be allowed or denied. When
TACACS+ command authorization is enabled, each command that is entered on a device is authorized against the
TACACS+ service.
You will begin this task by configuring TACACS Command sets. Then you will modify the authorization policy to use
these command sets. You will modify the switch configuration to support command authorization, and then test
the various users to check their access levels.
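The following Python model, added to this edition of the lab and not part of the original lab files or of ISE, shows how the per-command decision described above is made once command authorization is enabled: the switch expands whatever abbreviation the user typed, sends the first word and the remaining arguments to the TACACS+ server, and ISE evaluates them against the command sets attached to the matching authorization rule. "Permit All Commands" is modelled as it is built in step 8.2 (no rows, unlisted commands permitted). The rows of "Limited Commands" are constructed for this example because the lab's own rows are not reproduced in this text, and the precedence used (Deny Always, then Permit, then Deny, then the unlisted-command setting) is my reading of ISE command-set behaviour, not something the lab states. The sample input is the command list from step 9.11.

```python
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class CommandRule:
    grant: str            # "PERMIT", "DENY" or "DENY_ALWAYS"
    command: str          # first word of the command, e.g. "show"
    arguments: str = ""   # regex tested against the rest of the line; "" matches anything


@dataclass
class CommandSet:
    name: str
    rules: list = field(default_factory=list)
    permit_unlisted: bool = False   # the "Permit any command that is not listed below" checkbox


# "Permit All Commands" as built in step 8.2: no rows, unlisted commands permitted.
PERMIT_ALL = CommandSet("Permit All Commands", permit_unlisted=True)

# Constructed rows for "Limited Commands" (assumption: the lab's real rows are
# not shown in this text): a few read-only commands plus an explicit block on
# entering configuration mode.
LIMITED = CommandSet("Limited Commands", [
    CommandRule("PERMIT", "show", r"^privilege$"),
    CommandRule("PERMIT", "show", r"^interface"),
    CommandRule("PERMIT", "ping"),
    CommandRule("DENY_ALWAYS", "configure"),
])


def evaluate(command_sets, line):
    """Decide one command the way the NAD asks for it. IOS expands the typed
    abbreviation ('show priv' becomes 'show privilege') and sends the first word
    as the command and the rest as its arguments. Matching rules are collected
    across every command set the authorization rule attached; precedence is
    Deny Always, then Permit, then Deny, then the unlisted-command setting."""
    words = line.split()
    if not words:
        return False
    command, argument_string = words[0], " ".join(words[1:])
    grants = {
        rule.grant
        for cs in command_sets
        for rule in cs.rules
        if rule.command == command and re.search(rule.arguments, argument_string)
    }
    if "DENY_ALWAYS" in grants:
        return False
    if "PERMIT" in grants:
        return True
    if "DENY" in grants:
        return False
    return any(cs.permit_unlisted for cs in command_sets)


def authorize_commands(command_sets, lines):
    """Run a whole test sequence (like step 9.11) and report PASS/FAIL per command,
    mirroring what the TACACS Live Logs show for each authorization request."""
    return {line: ("PASS" if evaluate(command_sets, line) else "FAIL") for line in lines}


# The commands from step 9.11, already in their expanded form.
TEST_COMMANDS = [
    "show privilege",
    "show running-config",
    "configure terminal",
    "ping 10.10.1.25",
    "show interface",
]

if __name__ == "__main__":
    for label, sets in (("employee (Limited Commands)", [LIMITED]),
                        ("it1 (Permit All Commands)", [PERMIT_ALL])):
        print(label, authorize_commands(sets, TEST_COMMANDS))
```

Two points the model makes visible: privilege level 15 on its own no longer decides anything once command authorization is on, because the employee session is denied "show running-config" and "configure terminal" even at level 15; and a Deny Always row keeps its effect even when another attached command set would permit everything, which is the reason that grant exists at all.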
8.1. Navigate to Work Centers > Device Administration > Policy Elements > Results > TACACS Command Sets.
You are about to create two command sets: one with full access and one with limited access to a specific
set of commands.
8.2. Click Add to create a new command set and configure as follows.
Attribute Value
8.4. Click Add to create a new command set and configure as follows.
Attribute Value
Note: Click the Add button to add each command. After entering each command, make sure to click the
checkmark at the end of the line to save the command. See example below.
8.5. Validate your work against the example shown above, then click Submit.
9.2. Modify the rule named Employee Authorization to include the command set Limited Commands, and
change the Shell Profile to Privilege_Level_15.
Note: Although the employees now have access to privilege level 15, they are limited to the commands specified
in the assigned command set.
9.4. Now modify the rule named IT Authorization to include the command set Permit All Commands, and leave
the Shell Profile at Privilege_Level_15.
9.5. Check your work against the example shown below, then scroll down and click Save.
9.6. To configure the switch, access the L3-Switch console from the Network Topology Diagram.
9.7. Enter the following commands to enforce command authorization via TACACS+.
Do NOT save the changes to startup-config as you will reload the switch at the end of the lab in preparation for
the next lab.
conf t
line vty 0 4
! Authorize every level-1 and level-15 command entered on the vty lines
! against the TACACS+ server group referenced by the MyTplus method list
authorization commands 1 MyTplus
authorization commands 15 MyTplus
end
9.8. Back on the Admin-PC, close all SecureCRT sessions and then open another SecureCRT session to L3-Switch.
Note: This succeeds now because you modified the authorization policy to apply the Privilege_level_15 shell
profile.
9.11. Execute the following commands and observe which commands pass and fail.
◾ show privilege
◾ show running-config
◾ configure terminal
◾ ping 10.10.1.25
◾ show interface
9.12. Check Operations > TACACS > Live Logs to see the information for command passes and failures. Click a
Details icon if you would like to see more information about any failures.
9.13. Open another SecureCRT session to the L3-Switch and log in using the credentials it1/gklabs. This should
succeed.
9.14. Type enable to gain a higher privilege level. Use gklabs as the enable password. This should succeed, as it
did in the previous lab.
9.15. Execute the same commands as you did for the employee account. You should see that it1 can execute all
the commands.
10.1. Navigate to Administration > System > Deployment. Edit the ISE node by clicking ise. Under General
Settings, disable (clear) the Device Admin Service.
10.3. Access the console of the L3-Switch and reload without saving.
Note: This will put the L3-Switch back to its original configuration. If you have saved the switch configuration
during this lab, you will need to reset to the next lab or apply the commands in the file on the Admin-PC at
Desktop\ISE\L3-Switch\Remove TACACS.txt
Lab Complete