
How to Query Cisco ISE Using TACACS

by John Cirelly - Last Updated: July 26, 2023

The Cisco Identity Services Engine (Cisco ISE) is a powerful platform for defining and enforcing network access control policy. It supports the TACACS+ protocol, which makes it possible to exercise fine-grained control and auditing over network device configuration. You can configure your network devices to submit their authentication and authorization requests to the ISE server. Given the complexity of today’s networks and systems, not to mention the dispersed nature of businesses around the globe, security has become one of the most pressing concerns for modern companies.

For the reasons stated above, securing an organization’s network requires a combination of resources, policies, and platforms. Cisco ISE is one such security policy management platform, offering controlled access to network resources.

This article will provide a concise introduction to Cisco ISE as well as instructions on how to query Cisco ISE using TACACS.

Cisco ISE

Cisco ISE is a security platform that helps businesses streamline their services, control access to resources, increase the security of their infrastructure, gather contextual information from users and devices, and ensure compliance with prevalent security standards.

In addition to that, it offers assistance with the discovery, profiling, and monitoring of endpoint devices that are connected to the network. Additionally, it consolidates Authentication, Authorization, and Accounting (AAA) into a single platform. Last but not least, it is capable of running in standalone as well as distributed configurations, which implies that it may be used in any kind of business infrastructure.

TACACS

TACACS+, which stands for Terminal Access Controller Access-Control System Plus, is a security protocol used with AAA platforms to deliver centralized authentication for users who wish to access a given network.

The protocol was designed by Cisco and runs on top of TCP, using port 49 to send and receive packets, with the packet body sent in encrypted form. Its primary purpose is to carry the exchange between the AAA server (ACS or ISE) and a network device, and it offers granular control over each transaction. Where necessary, it also keeps the authentication, authorization, and accounting processes separate so that each can be handled independently.

Why TACACS+ with Cisco Identity Services Engine?

ISE supports the TACACS+ protocol, which allows for improved management and auditing of network device configurations. A network administrator’s actions can be controlled by configuring the network device to query Cisco ISE for authentication and authorization. In addition, the network device sends Cisco ISE information about each session and each command executed, for accounting and auditing purposes.

Integrate TACACS+ with existing network devices

From the ISE dashboard, ISE administrators can add network devices together with their TACACS+ details, which include the device IP address and the shared secret.

High standards of control and auditing

One advantage of combining Cisco ISE and TACACS+ is the fine-grained control it offers. ISE helps you draft policies and distribute them to the relevant users. For instance, you can add device administrators as internal users and configure their enable passwords at the same time. ISE administrators can also audit which users have run which commands by consulting the live logs and reports.

The device administration access service

An ISE administrator who sets up a device administration access service can create rules that include TACACS results, such as command sets and shell profiles, as components of an authorization policy rule.

How to Perform Queries Using TACACS on Cisco ISE?

The following is an in-depth walkthrough that will teach you how to query Cisco ISE via TACACS+.

As a first step, check whether you already have administrator access to ISE; if you do not, obtain it before proceeding with the remaining steps.

Activate the Work Center

Your centralized point of control is the Device Administration Work Center, which is only available if the TACACS+ package is installed. When you open the Work Center you will see many menu options; the one relevant here is Device Administration. The following choices are available from that menu.

TACACS+ configuration

Use the Work Center to configure the various components of the TACACS+ setup.

Sets of Commands

The command sets are our starting point. Two separate command sets need to be configured, named PermitAllCommands and PermitShowCommands. First, set up the PermitAllCommands command set.

  • Navigate to Work Centers > Device Administration > Policy Results > TACACS Command Sets and click the Add button to create a new command set.
  • Give the command set a name; in this scenario the name is PermitAllCommands.
  • Make sure the box next to “Permit any command that is not specified below” is checked.

Next, configure PermitShowCommands. Navigate again to Work Centers > Device Administration > Policy Results > TACACS Command Sets and click the Add button to create a new command set.

  • Give the command set a name; in this scenario the name is PermitShowCommands.
  • Leave the “Permit any command that is not specified below” box unchecked.
  • Scroll down to “+Add” and click it.
  • Add permit entries for the show and exit commands. Leaving the Arguments field empty means all arguments are permitted; keep it empty unless you want to restrict which arguments may be used.
  • Click the “Submit” button to finish.

With the command sets configured, the next step is to configure the profile.

Profile

To do this, navigate to Work Centers > Device Administration > Policy Results > TACACS Profiles. Click the Add link; a new window opens where you can name your TACACS+ profile.

Check the box labeled “Default Privilege” and enter the value 15. Click Submit to finish. Either of the two results described above grants the device administrator specific privileges. Because these results govern what an administrator can change in the network configuration, they greatly reduce the likelihood of malicious configuration changes being applied.

Authentication

You can also configure an authentication and authorization policy. By default, the authentication policy points to all users in Active Directory. The steps needed to configure the authentication settings for a network device are outlined below.

  1. To configure TACACS authentication settings for a specific network device, go to Work Centers > Device Administration > Network Resources > Network Devices > Add > TACACS Authentication Settings.
  2. To configure TACACS authentication settings for all other devices, go to Work Centers > Device Administration > Network Resources > Default Devices > TACACS Authentication Settings.

Protocols

Next, configure the allowed protocols for device administration. Navigate to Work Centers > Device Administration > Policy Elements > Results > Allowed Protocols and check that the required protocols are set up for both FIPS and non-FIPS modes. When FIPS mode is active, only the Default Device Admin settings can be used.

Configure Cisco ISE

Once TACACS+ is configured, move on to configuring Cisco ISE and the device that will query it. The steps are as follows.

  • Create a local user on Cisco ISE who has full administrative control of the system.
  • Create a new TACACS+ server entry, name it TACACS, and add it to the ISE GROUP.
  • Use the test command to check whether the server is reachable. You should first receive a message saying that the user was successfully authorized, which confirms that the server is currently accessible.
  • Ensure that the necessary logins are configured.

If errors occur, go to Operations > TACACS Livelog and right-click the commands that failed. This reveals a wealth of information about the request type.

Send a query to Cisco ISE

Now that TACACS+ and the Cisco ISE network device are both configured, it is time to query ISE. When searching for information through command sets, you can use wildcards and regular expressions.

ISE can also loop over the list of commands contained in a command set to locate the commands that match. Finally, note that you are free to use standard Unix regular expressions in the Arguments field.

To access the reports, navigate to Work Centers > Device Administration > Reports > Reports > ISE Reports.

Before setting up TACACS, you need to be aware of a few prerequisites and conditions.

Device Administration license:

You need a “Device Administration License” to enable the TACACS+ service on Cisco ISE, which is a prerequisite for TACACS-based queries. The Device Administration license is perpetual and specifically covers TACACS+ capabilities.

Activating the device admin service:

You need to enable the “device admin service” before TACACS+ operations are possible.

  1. On the Identity Services Engine platform, navigate to Administration > System > Deployment.
  2. In General Settings, select the ISE node.
  3. Ensure that the option labeled “Enable Device Admin Service” is checked.
  4. Make sure this option is enabled on every PSN.

Create network device groups and add network devices

Cisco ISE lets you generate authentication and authorization policies based on the attributes of individual devices. Network device groups let you organize devices by attributes such as type or location and then create policies based on those attributes. If you do not add a network device to a group, it is automatically placed in the group called “All Locations and All Device Types”.

To add a network device, you need to:

  • Provide its IP address. ISE uses the IP address to locate the device’s definition. If it cannot find a device definition for that IP address, you are given the option to select a device profile, which includes the model name and software version.
  • Assign the network device group. Make sure the network device is assigned to the appropriate network device group.
  • Edit the TACACS Authentication Settings. To set up TACACS authentication between ISE and the network device, enter the shared secret for the network device.

Conclusion

All network devices protected by Cisco ISE are configured to query ISE for authentication and authorization before any operation is performed on devices that are part of the network.

In conclusion, TACACS+ is a convenient tool that enables you to query your Cisco ISE and get useful information from it. We have high hopes that the techniques outlined above will assist you in efficiently querying Cisco ISE to locate the information you require.

Query Cisco ISE Using TACACS FAQs

How can I query Cisco ISE using TACACS?

You can query Cisco ISE using TACACS by configuring a TACACS server on the network device, such as a Cisco switch or router, and then configuring Cisco ISE as the TACACS server.

How do I configure TACACS on a Cisco switch or router?

To configure TACACS on a Cisco switch or router, you can follow these steps:

  • Configure the IP address or hostname of the TACACS server and the shared secret using the "tacacs-server host" and "tacacs-server key" commands.
  • Enable TACACS authentication for the console, vty lines, and other access methods using the "aaa authentication login" command.
  • Enable TACACS authorization for specific commands and actions using the "aaa authorization" command.
  • Enable TACACS accounting using the "aaa accounting" command.
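An added example, not taken from the article or from Cisco documentation, of the switch-side configuration the four steps above describe, written so that the privilege-15 profile and the PermitAllCommands/PermitShowCommands command sets from the walkthrough actually take effect. The ISE address 192.0.2.10, the shared secret, the group name ISE_GROUP and the Loopback0 source interface are placeholders.

```cisco
! Added example, not from the article: IOS config that makes a switch query
! Cisco ISE over TACACS+. 192.0.2.10, the secret, ISE_GROUP and Loopback0
! are placeholders chosen for this example.
aaa new-model
!
! ISE node and shared secret (the legacy commands named in the FAQ above).
tacacs-server host 192.0.2.10
tacacs-server key PLACEHOLDER-shared-secret
ip tacacs source-interface Loopback0
!
! Group the ISE node so the AAA method lists can reference it.
aaa group server tacacs+ ISE_GROUP
 server 192.0.2.10
!
! Authentication: ask ISE first, fall back to the local database only when
! no ISE node answers. Enable passwords can come from the ISE internal user.
aaa authentication login default group ISE_GROUP local
aaa authentication enable default group ISE_GROUP enable
aaa authentication login CONSOLE local
!
! Authorization: the profile's Default Privilege 15 is applied at exec
! authorization. The command sets are only consulted when command
! authorization is enabled for the privilege level, so without the next
! three lines PermitShowCommands never restricts anything.
aaa authorization exec default group ISE_GROUP local
aaa authorization commands 1 default group ISE_GROUP local
aaa authorization commands 15 default group ISE_GROUP local
aaa authorization config-commands
!
! Accounting: every session and command is reported to ISE and shows up in
! Operations > TACACS Livelog and the device administration reports.
aaa accounting exec default start-stop group ISE_GROUP
aaa accounting commands 15 default start-stop group ISE_GROUP
!
! Console stays on local login so a lost ISE path cannot lock you out.
line console 0
 login authentication CONSOLE
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 15 default
 accounting exec default
 accounting commands 15 default
!
! From privileged exec, the reachability test mentioned in the walkthrough:
! test aaa group ISE_GROUP admin PLACEHOLDER-password legacy
```

After applying it, run a show command and a configuration command from a vty session as an ISE user mapped to PermitShowCommands and confirm in Operations > TACACS Livelog that the first is permitted and the second is denied.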

How do I configure Cisco ISE as the TACACS server?

To configure Cisco ISE as the TACACS server, you can follow these steps:

  • Open the Cisco ISE web interface and navigate to "Administration" > "System" > "Settings" > "Protocol Settings" > "TACACS+ Settings".
  • Configure the TACACS+ server settings, including the shared secret and the IP addresses or hostnames of the network devices.
  • Configure the TACACS+ profiles, including the access policies and permissions for different types of users and devices.

How do I test the TACACS configuration?

To test the TACACS configuration, you can try to authenticate to the network device using a username and password that is configured in Cisco ISE. You can also check the TACACS logs in Cisco ISE to verify that the authentication, authorization, and accounting requests are being processed correctly.

What are some best practices for configuring TACACS on a network device?

Some best practices for configuring TACACS on a network device include using strong passwords and shared secrets, limiting TACACS access to specific IP addresses or hostnames, configuring separate TACACS profiles for different types of users and devices, and regularly monitoring the TACACS logs for suspicious activity.

What are some best practices for configuring TACACS on Cisco ISE?

Some best practices for configuring TACACS on Cisco ISE include using separate TACACS profiles for different types of users and devices, configuring granular access policies and permissions, enabling logging and auditing of TACACS activity, and regularly reviewing and updating TACACS configurations based on changes to the network environment.