Cisco ISE Query using TACACS

Cisco Identity Services Engine (ISE) is the following generation identity and access control policy platform that helps enterprises execute compliance, increase infrastructure security and streamline their service operations

The Cisco architecture is unique, and it enables companies and enterprises to collect real-time information from networks, users, and devices.

Cisco Identity Services Engine (ISE)

The administrator can then use this information to make proactive governance decisions by connecting identity with various network elements such as wireless LAN Controllers, VPN gateways, data center switches, access switches, etc. It is an essential component of Cisco Security Group Solution.

What is TACACS?

Terminal Access Controller Access Control System (TACACS) is a security protocol that provides centralized validation of users attempting to gain access to a router or a Network Attached Storage (NAS). TACACS+, a newer version, provides separate authentication, authorization, and accounting services.

TACACS Device Administration

Cisco ISE supports device Administration through Terminal Access Controller Access Control System (TACACS) to control and audit the configuration of network devices. All the devices connected to the network are configured to query Cisco ISE to authenticate and authorize actions of device administrator and send accounting messages for Cisco ISE to log the actions.

It facilitates control of who can access which network device and alter the associated network settings. A Cisco ISE administrator can create policy sets that allow TACACS results, such as command sets and shell profiles, to be selected in authorization policy rules in a device administration access service.

A Cisco ISE requires a Device Administration License to use TACACS. There are two types of administrators:

  • Device Administrator
  • Cisco ISE Administrator

The Device Administrator is the user who logs into the network devices such as wireless access points, gateways, routers, switches, etc., to configure the administered devices and perform their maintenance.

The Cisco ISE Administrator is the user who logs into the ISE for configuration and coordination of the devices that the device administrator logs into.

Cisco ISE Query

The Cisco ISE administrator uses the device administration features to control and audit the configuration of the network devices. A device can be configured to query the Cisco ISE server using TACACS. Cisco ISE monitoring node provides reports related to device administration. Following tasks can be performed:

  • Configuration of devices connected to the network using TACACS
  • Add device administrators as internal users and set their passwords
  • Create policy sets that allow TACACS results to be selected in authorization policy rules in a device administration access service
  • Configuration of the TACACS server in Cisco ISE so that the device administrators can access the devices based on the policy sets

The device administrator sets up the device for communication with the Cisco ISE server. When the device administrator is logged on to the device, the device queries the ISE server, which queries an internal or external identity store to validate the device administrator details.

Once validation is done, the device informs the Cisco ISE server of the outcome of each session or command authorization operation for accounting and auditing purposes.

Enabling TACACS Operations

Check Enable Device Admin Service check box in the Administration > System > Deployment > General Settings page to enable TACACS operations. It should be ensured that the option is enabled in each PSN in a deployment.

Note: Cisco ISE requires a Device Administration License to use the TACACS service instead of an existing Base or Mobility License. The Device Administration license is perpetual.

Suppose the user has upgraded from an earlier release to Cisco ISE Release 2.0 and later and would like to enable the TACACS service. In that case, the Device Administration license should be ordered as a separate add-on. One Device Administration License is needed for the entire ISE deployment.

Accessing Command-Line Interface to Change Enable Password

Privilege mode has been assigned to several commands. As a result, they can only be used once the device administrator has entered this mode. When the device administrator enters privileged mode, the device sends a particular enable authentication type.

Cisco ISE offers a different password to validate this specific promote authentication type. When the device administrator is authorized with internal identity stores, a different enable password is utilized. The same password is used for external identity store authentication for regular login.

The procedure is as follows:

  • Log in to the switch
  • Press Enter to display the Switch prompt
  • The following commands should be used to configure passwords:

Switch> enable

Password: (Press Enter to leave the password blank.)

Enter Old Password: (Enter the old password.)

Enter New Password: (Enter the new password.)

Enter New Password Confirmation: (Confirm the new password.)

Note:  If the Login password and Enable password to have a password lifespan configured, the user account will be disabled if the passwords are not updated within the specified period.

You can’t update the Enable password from the CLI if Cisco ISE is set as a TACACS server and the Enable Bypass option is enabled on the network device (via telnet). To update the Enable password for internal users, go to Administration > Identity Management > Identities > Users.

Device Administration Work Center

The Work Center menu comprises all of the device management pages, allowing Cisco ISE administrators to start from a single location. Users, User Identity Groups, Network Devices, Default Network Devices, Network Device Groups, Authentication  Authorization Conditions, and other non-device administration pages, such as Users, User Identity Groups, Network Devices, Default Network Devices, Network Device Groups, and Authentication and Authorization Conditions, can still be accessed through their original menu options.

Only the correct TACACS license(s) must be obtained and installed before the Work Centers option can be used.

Overview, Identities, User Identity Groups, Ext ID Stores, Network Resources, Network Device Groups, Policy Elements, Device Admin Policy Sets, Reports, and Settings are all available from the Device Administration Menu.

Device Administration Deployment Settings

The Device Administration Deployment page (Work Centers > Device Administration > Overview > Deployment) allows Cisco ISE managers to view the device administration system in a centralized manner without having to go via each deployment node.

The PSNs in deployment are listed on the Device Administration Deployment page. This does the chore of enabling the device admin service in each PSN in your deployment to be much more accessible. By selecting one of the options below, one can help the device admin service for a large number of PSNs at once:

NoneBy default, the device administration service is disabled for all nodes.
All policy Service NodesEnables the device administration service in all PSNs. With this option, new PSNs are automatically enabled for device admin when they are added.
Specific NodesDisplays the ISE Nodes section that lists all the PSNs in your deployment. In addition, you can select the required nodes that necessitate the device admin service to be enabled.

The TACACS Ports field allows a maximum of four comma-separated TCP ports, and port values range from 1 to 65535. Cisco ISE nodes and their interfaces listen for TACACS requests on the specified ports, and you must ensure that other services do not use the specified ports. The default TACACS+ port value is 49.

When one clicks  Save, the changes are synchronized with the nodes specified in the Administration > System > Deployment Listing window.

Device Admin Policy Sets

An authentication rule table and an authorization rule table make up a Regular policy set. The authentication rule table comprises a collection of “outer” rules that determine which protocols are allowed.

Each “outer” rule includes more “inner” rules that determine which identity store to utilize. The authorization rule table is a collection of rules for selecting the exact authorization results needed to implement the authorization business model.

Each rule has one or more conditions that must be met for the rule to be activated, as well as a set of command sets and a shell profile to govern the authorization process. In addition, each policy set features an authorization exceptions rule table that can be used to override the rules in particular scenarios; this table is frequently utilized for temporary situations.

TACACS Authentication Settings and Shared Secret

The following table describes the fields on the Network Devices window, which you can use to configure TACACS authentication settings for a network device. The navigation path is:

  • (For Network Devices) Work Centers > Device Administration > Network Resources > Network Devices > Add > TACACS Authentication Settings.
  • (For Default Devices) Work Centers > Device Administration > Network Resources > Default Devices > TACACS Authentication Settings.
Field NameUsage Guidelines
Shared SecretA text string is assigned to a network device when the TACACS+ protocol is enabled. Before the network device authenticates a username and password, a user must enter the text. The connection is rejected until the user supplies the shared secret. This is not a mandatory field.
Retired Shared Secret is ActiveDisplayed when the retirement period is active.
RetireRetires an existing shared secret instead of ending it. When you click, Retire, a message box is displayed. You can either click Yes or No.
Remaining Retired Period(Available only if you select Yes in the above message box) Displays the default value specified in the following navigation path: Work Centers > Device Administration > Settings > Connection Settings > Default Shared Secret Retirement Period. You can change the default values.

This allows a new shared secret to be entered, and the old shared secret will remain active for the specified number of days.
End(Available only if you select Yes in the above message box) It ends the retirement period and terminates the old shared secret.
Enable Single Connect ModeCheck to use a single TCP connection for all TACACS+ communication with the network device. Choose one of the following:

- Legacy Cisco Devices
- TACACS Draft Compliance Single Connect Support. If you disable Single Connect Mode, ISE uses a new TCP connection for every TACACS+ request.

In summary, one can:

  • Retire the old shared secret by specifying the retirement period as several days (Range is 1 to 99) and at the same time set a new shared secret.
  • Use the old and new shared secrets during the retirement period.
  • Extend the retirement period before it expires.
  • Use the old shared secret only until the end of the retirement period.
  • Terminate the retirement period before it expires (click End and then Submit).

Authorization Policy Results

Cisco ISE administrators can exercise control over a device administrator’s rights and commands by using TACACS command sets and TACACS profiles (policy outcomes). The policy operates in tandem with network devices, preventing unintentional or malicious configuration modifications.

In addition, you can utilize the device administration audit reports to monitor the device administrator who ran a specific command if such changes occur.

Allowed Protocols for TACACS Administration

Cisco ISE provides various permitted authentication protocol services for generating policy outcomes. However, on FIPS-enabled Cisco ISE equipment for RADIUS, authentication protocol services such as PAP/ASCII, CHAP, and MS-CHAPv1, which apply to the TACACS+ protocol, are disabled.

As a result, when utilizing a FIPS-enabled (Administration > System Settings > FIPS Mode) Cisco ISE appliance, specific protocols cannot be configured in the Policy > Policy Elements > Results > Allowed Protocols window to administrate devices.

As a result, you must travel to the Work Centers > Device Administration > Policy Elements > Results > Allowed Protocols pane to configure PAP/ASCII, CHAP, and MS-CHAPv1 protocols in your device administration policy results for both FIPS and non-FIPS modes. When FIPS mode is enabled, only the Default Device Admin authorized protocols setting can be utilized. In RADIUS, this option is not available.

TACACS Command Sets

Command sets enforce the specified list of commands that a device administrator can perform. Cisco ISE is queried when a device administrator issues operational commands on a network device to establish whether the administrator is permitted to do so. Command authorization is another term for this.