
Lab 17: TACACS+ Device Administration

Lab Overview
Device administration in ISE involves controlling network administrator access to network devices. Network
administrators often have different levels of access to different network equipment, depending on their role.
Most organizations prefer to centralize the control and maintenance of this function, and the TACACS+ function
of Cisco ISE enables this central control. Through TACACS Live Logs and reports, ISE provides centralized
monitoring, reporting and troubleshooting of an organization's network administration. In this lab, you will
configure ISE for basic Device Administration of IOS devices.

You will begin by configuring the policy elements required for network device administration. These policy
elements will then be used in the basic authentication and authorization policies, which you will create. Of course,
each Network Access Device (NAD) must be configured to support TACACS+, and so you must configure the
required AAA commands to fulfill this need. You will then log in with different users to validate both your
authentication policies and your authorization policies. You will have granular control of not only who can access
your network devices, but also what they can do.

Estimated Completion Time


30 minutes

Lab Procedures
• Configure TACACS+ Privilege Levels

• Configure TACACS+ Command Authorization

Perform Only If You Have Done a Reset

If you have performed a reset of this lab or are using the Global Knowledge e-Labs (meaning that you are
accessing the system after you have attended the 5 day course), you will need to prepare or verify the
environment. Perform the following:

Access the module in the lab guide titled Post Reset and follow the directions there.

Task 1: Configure TACACS+ Privilege Levels

1. Enable Device Administration.

https://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L17.htm 20/09/2017

1.1. Access the Admin-PC, open Firefox, and use the ISE bookmark to log on as admin/admin$Pwd.

1.2. Navigate to Administration > System > Deployment. Edit the ISE node by clicking ise. Under General
Settings, enable the Device Admin Service.

1.3. Save the settings.

2. Verify the Wired Device Type Group.

2.1. Navigate to Administration > Network Resources > Network Device Groups. Expand Groups, verify that
the Wired Device Group is an available Device Type and that HQ is an available Device Location as shown
below:

Note: ISE provides powerful device grouping similar to ACS 5.x, in the form of multiple device group hierarchies.
Each hierarchy can represent a separate and independent classification of network devices. For example, two
very common ways to classify devices are by device type and location. By default, ISE provides device type and
location hierarchies and additional Network Device Groups can be added.

3. Configure a network access device.

3.1. Navigate to Work Centers > Device Administration > Network Resources. Choose Network Devices and
validate that the device L3-Switch has been created. If not, create it, based on the screen shot below.
Ensure that the device Type is set to Wired and the Location to HQ, the groups you verified in step 2.


3.2. For this L3-Switch, scroll down and configure TACACS settings, as follows.

Attribute        Value
Shared Secret    sharedsecret

3.3. Scroll down and click Save.

4. Add policy elements.

4.1. Navigate to Work Centers > Device Administration > Policy Elements > Results > TACACS Profiles. You will
add two different TACACS profiles with different privilege levels.

4.2. Click Add to create a new profile as follows.

Attribute            Value
Name                 Privilege_Level_1
Common Task Type     Shell
Default Privilege    1
Maximum Privilege    1


4.3. Click Submit.

4.4. Click Add to create a new profile as follows.

Attribute            Value
Name                 Privilege_Level_15
Common Task Type     Shell
Default Privilege    1
Maximum Privilege    15

4.5. Click Submit.

5. Configure an Identity Source Sequence for TACACS.


5.1. Navigate to Administration > Identity Management > Identity Source Sequences.

5.2. Click Add and configure as follows.

Attribute      Value
Name           TACACS_Sequence
Description    GKLABS then Internal Users
Selected       GKLABS, then Internal Users (in that order)

5.3. Click Submit.

6. Configure TACACS Policy Set.

6.1. Navigate to Work Centers > Device Administration > Device Admin Policy Sets. You are about to create a
new policy set to handle Wired Network Devices at HQ.

6.2. In the left pane, click the Default policy set, then click the Plus icon and choose Create Above as shown
below.

6.3. Near the top, double-click Enter Policy Name. Name the Policy Wired HQ Devices.

6.4. In the Conditions box, click the + (plus) icon and choose Create new Condition (Advance Option).


6.5. Choose DEVICE:Device Type EQUALS Device Type#All Device Types#Wired AND DEVICE:Location EQUALS
Location#All Locations#HQ. Check your work against the example below.

6.6. Submit when finished.

6.7. Modify the Authentication Policy Default Rule to use the TACACS identity source sequence as shown below.

6.8. Save your changes.

6.9. Next, configure the Authorization Policy. To start, click the black down arrow at the end of the
Tacacs_Default policy and choose Insert New Rule Above. Configure this new rule as follows.

Attribute        Value
Name             IT Authorization
Conditions       GKLABS:ExternalGroups EQUALS gklabs.com/DomainGroups/IT
Command Sets     Leave blank
Shell Profile    Privilege_Level_15

6.10. Click Done and check your work against the example below.

6.11. Now add a policy for employees. Start by clicking the black down arrow at the end of the new IT
Authorization rule and choose Insert New Rule Below. Configure this new rule as follows.

Attribute        Value
Name             Employee Authorization
Conditions       GKLABS:ExternalGroups EQUALS gklabs.com/DomainGroups/Employees
Command Sets     Leave blank
Shell Profile    Privilege_Level_1

6.12. Click Done and check your work against the example below.


6.13. Scroll down and click Save.

7. Configure the L3-Switch for TACACS+ authentication.

7.1. Using the Topology Diagram, access the console of the L3-Switch. The admin/admin$Pwd is configured as
a local account on the switch and the enable secret is san-fran.

Note: It is important to use the actual physical console of the L3-Switch, because you are about to change how
the vty lines are authenticated while leaving the console port alone. The user account admin (in Active
Directory) is not a member of the IT group, so admin will not have much access to IOS commands over a vty
session. This is consistent with many production networks, where device administrators are not necessarily
the same people as domain administrators.

7.2. Enter the commands shown below.

Tip: There is a file on the Admin-PC at Desktop\ISE\L3-Switch\TACACS AuthC.txt. You can copy and paste the
commands from there if you prefer.

Do NOT save the changes to startup-config as you will reload the switch at the end of the lab in preparation for
the next lab.

conf t
!
! Define the ISE node as a TACACS+ server and place it in a server group.
! (These named method lists require aaa new-model, assumed to be already
! enabled on L3-Switch.)
tacacs server ISETAC
 address ipv4 10.10.2.50
 key sharedsecret
 exit
aaa group server tacacs+ myTplusServers
 server name ISETAC
 exit
!
! Named method lists: ISE is tried first; the local database and the
! enable secret are used only when no TACACS+ server responds, not when
! ISE rejects the request.
aaa authentication login MyTplus group myTplusServers local
aaa authorization exec MyTplus group myTplusServers local
aaa authentication enable default group myTplusServers enable
aaa accounting exec default start-stop group myTplusServers
!
! Apply the lists to the vty lines only; the console keeps its behaviour.
line vty 0 4
 login authentication MyTplus
 authorization exec MyTplus
 exit

7.3. To test various users, return to your Admin-PC and use SecureCRT to open a CLI session to L3-Switch.

Note: In SecureCRT, use the session for 10.10.2.1 to allow testing of different accounts as that session has not
been preconfigured with any credentials. DO NOT save credentials for this session.

7.4. Log in using the credentials employee1/gklabs. This should succeed.

7.5. Type enable to get higher privilege. When prompted for a password, enter gklabs. This authentication fails,
as your policy intends: the Employee Authorization rule assigns the Privilege_Level_1 shell profile, whose
Maximum Privilege is 1, so ISE rejects an enable to level 15.

L3-Switch>enable
Password: gklabs
% Error in authentication.

7.6. Open another CLI session and log in using credentials it1/gklabs. This should succeed.

7.7. Type enable to get higher privilege. When prompted for a password, enter gklabs. This authentication
succeeds, according to the policy you created.


L3-Switch>enable
Password: gklabs
L3-Switch#
L3-Switch#show priv
Current privilege level is 15
L3-Switch#

7.8. Enter the show privilege command to verify your privilege level is 15.

7.9. In ISE, navigate to Operations > TACACS > Live Logs to see the authentication and authorization
information. You should see live logs similar to the example shown below.

7.10. For the failed employee entry, click the Details icon, as shown above. You can analyze the details of each
session. Some of the more pertinent information includes the Authentication details, as shown below.
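What the switch actually sends to ISE when a user types enable is a TACACS+ authentication START packet whose body carries the requested privilege level (15) and the ENABLE service; for ASCII logins the password itself travels later, in a CONTINUE packet. The body is not encrypted but obfuscated: it is XORed with a keystream of chained MD5 digests over the session ID, the shared secret, the version and the sequence number (RFC 8907, section 4.5). The Python below is an added example, not part of this lab and not Cisco or ISE code: it builds such an enable request, obfuscates it with the shared secret sharedsecret from step 3.2, and decodes it with the correct key and with a wrong one. The session ID, the port name tty1, the client address 192.0.2.10 and the username placement are constructed sample values, not captured traffic.

```python
import hashlib
import struct

# Header constants from RFC 8907 (TACACS+)
TAC_PLUS_VERSION = 0xC0            # major version 0xC, minor version 0 (ASCII login)
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # set only when the body is sent in clear text
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length

# Authentication START body constants
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_AUTHEN_SVC_ENABLE = 0x02
START = struct.Struct("!BBBBBBBB")  # action, priv_lvl, authen_type, service, 4 length bytes


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5 keystream: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); concatenate, truncate."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the keystream; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(priv_lvl: int, service: int, user: str, port: str,
                       rem_addr: str, data: bytes = b"") -> bytes:
    """START body: fixed fields, four one-byte lengths, then the variable fields."""
    fields = [user.encode(), port.encode(), rem_addr.encode(), data]
    head = START.pack(TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                      service, *[len(f) for f in fields])
    return head + b"".join(fields)


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int = 1) -> bytes:
    """Header in clear text, body obfuscated under the shared secret."""
    header = HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, 0x00, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def parse_authen_start(packet: bytes, key: bytes) -> dict:
    """Decode a START packet with the given key; a wrong key yields garbage, not an error."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    body = packet[HEADER.size:HEADER.size + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    action, priv_lvl, authen_type, service, *lens = START.unpack_from(body)
    values, offset = {}, START.size
    for name, n in zip(("user", "port", "rem_addr", "data"), lens):
        values[name] = body[offset:offset + n]
        offset += n
    return {"session_id": session_id, "seq_no": seq_no, "action": action,
            "priv_lvl": priv_lvl, "authen_type": authen_type, "service": service, **values}


# Constructed sample (not captured traffic): an enable request for employee1.
KEY = b"sharedsecret"          # the shared secret configured in step 3.2
SESSION_ID = 0x1A2B3C4D        # made-up session ID
ENABLE_REQUEST = build_packet(
    build_authen_start(15, TAC_PLUS_AUTHEN_SVC_ENABLE, "employee1", "tty1", "192.0.2.10"),
    SESSION_ID, KEY)


def decode_with(key: bytes) -> dict:
    return parse_authen_start(ENABLE_REQUEST, key)


if __name__ == "__main__":
    good, bad = decode_with(KEY), decode_with(b"wrongsecret")
    print("correct key:", good["user"], "priv_lvl", good["priv_lvl"], "service", good["service"])
    print("wrong key  :", bad["user"], "priv_lvl", bad["priv_lvl"])
```

Because the keystream is derived only from header fields that travel in clear text plus the secret, the protection is no stronger than the shared secret, and there is no integrity check: a mismatched key simply produces an unreadable body. RFC 8907 therefore requires TACACS+ to be deployed on a secured management network rather than relying on this obfuscation.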


Task 2: Configure TACACS+ Command Authorization

In this exercise, you will configure TACACS+ command authorization and bind the resulting command sets to a
device administration policy. Privilege-level authorization associates commands with privilege levels on each
network device: ISE assigns the user a default and a maximum privilege level at login, but the mapping of
commands to levels has to be maintained on every device (overriding the IOS default privilege levels).
TACACS+ command authorization instead centralizes which commands are allowed or denied. When TACACS+
command authorization is enabled, each command entered on a device is authorized against the TACACS+
service before it executes.

You will begin this task by configuring TACACS Command sets. Then you will modify the authorization policy to use
these command sets. You will modify the switch configuration to support command authorization, and then test
the various users to check their access levels.

8. Configure Command Sets.

8.1. Navigate to Work Centers > Device Administration > Policy Elements > Results > TACACS Command Sets.
You are about to create two command sets: one with full access and one with limited access to a specific
set of commands.

8.2. Click Add to create a new command set and configure as follows.

Attribute      Value
Name           Permit All Commands
Description    Authorize All Commands
Commands       Permit any command that is not listed below (check the box; add no entries)


8.3. Click Submit.

8.4. Click Add to create a new command set and configure as follows.

Attribute      Value
Name           Limited Commands
Description    Authorize ping and some show Commands
Commands       permit ping
               permit show run*
               permit show privilege
               deny show inter*

Note: Click the Add button to add each command. After entering each command, make sure to click the
checkmark at the end of the line to save the command. See example below.

8.5. Validate your work against the example shown above, then click Submit.

9. Modify Authorization Policy.

9.1. Navigate to Device Admin Policy Sets> Wired HQ Devices.


9.2. Modify the rule named Employee Authorization to include the command set Limited Commands, and
change the shell Profile to Privilege_Level_15.

9.3. Click Done.

Note: Although the employees now have access to privilege level 15, they are limited to the commands specified
in the assigned command set.

9.4. Now modify the rule named IT Authorization to include the command set Permit All Commands, and leave
the Shell Profile at Privilege_Level_15.

9.5. Check your work against the example shown below, then scroll down and click Save.

9.6. To configure the switch, access the L3-Switch console from the Network Topology Diagram.

9.7. Enter the following commands to enforce command authorization via TACACS+.

Tip: There is a file on the Admin-PC at Desktop\ISE\L3-Switch\TACACS AuthZ.txt. You can copy and paste the
commands from there if you prefer.

Do NOT save the changes to startup-config as you will reload the switch at the end of the lab in preparation for
the next lab.

conf t
!
! Per-command authorization for privilege levels 1 and 15. IOS falls through
! to if-authenticated only when no TACACS+ server responds (not when ISE
! denies the command); it then permits any command for an authenticated
! user, so an unreachable ISE silently removes command restrictions.
aaa authorization commands 1 MyTplus group myTplusServers if-authenticated
aaa authorization commands 15 MyTplus group myTplusServers if-authenticated
line vty 0 4
 authorization commands 1 MyTplus
 authorization commands 15 MyTplus
end

9.8. Back on the Admin-PC, close all SecureCRT sessions and then open another SecureCRT to L3-Switch.

9.9. Log in using the credentials employee1/gklabs. This should succeed.

9.10. Type enable. When prompted, enter the password gklabs.

Note: This succeeds now because you changed the Employee Authorization rule to apply the Privilege_Level_15
shell profile, whose Maximum Privilege is 15.

9.11. Execute the following commands and observe which commands pass and fail.

◾ show privilege

◾ show running-config

◾ configure terminal

◾ ping 10.10.1.25

◾ show interface

9.12. Check Operations > TACACS > Live Logs to see the information for command passes and failures. Click a
Details icon if you would like to see more information about any failures.

9.13. Open another SecureCRT session to the L3-Switch and log in using the credentials it1/gklabs. This should
succeed.

9.14. Type enable to gain a higher privilege level. Use gklabs as the enable password. This should succeed, as it
did in Task 1.

9.15. Execute the same commands as you did for the employee account. You should see that it1 can execute all
the commands.

9.16. Navigate to Operations > TACACS > Live Logs to see the authentication, authorization and command
authorization information. You should see Live Logs for the two different users that match the following
outputs:
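To see how the policy elements from both tasks combine, the Python below models the ISE decisions this lab exercises: the enable check against a shell profile's Maximum Privilege (the step 7.5 failure versus 7.7) and command-set evaluation for the commands of step 9.11, for both the Task 1 and the Task 2 versions of the Wired HQ Devices authorization rules. It is an added example, not ISE code or a Cisco API. Its rule precedence (Deny Always over Permit over Deny, then the "Permit any command that is not listed below" checkbox) and its matching scheme (wildcards on the command word, an unanchored regular expression on the arguments, mirroring the separate Command and Arguments fields of the ISE command-set editor) are a simplified model of ISE's documented behaviour, and the group names, rule names and command sets are the lab's own. The show ip interface brief case goes beyond the lab to show that an unanchored argument pattern such as inter* also catches commands you may not have intended.

```python
import fnmatch
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

PERMIT, DENY, DENY_ALWAYS = "PERMIT", "DENY", "DENY_ALWAYS"


@dataclass
class ShellProfile:
    """TACACS profile with Common Task Type Shell, as built in step 4."""
    name: str
    default_privilege: int
    maximum_privilege: int

    def enable_allowed(self, requested: int) -> bool:
        # An enable request names a target level; ISE refuses anything above
        # the profile's Maximum Privilege.
        return requested <= self.maximum_privilege


@dataclass
class CommandRule:
    """One row of an ISE command set: Grant, Command, Arguments."""
    grant: str
    command: str          # command word; shell-style wildcards allowed
    arguments: str = ""   # regex searched (unanchored) in the arguments; empty = any

    def matches(self, command: str, arguments: str) -> bool:
        if not fnmatch.fnmatchcase(command.lower(), self.command.lower()):
            return False
        return not self.arguments or re.search(self.arguments, arguments, re.I) is not None


@dataclass
class CommandSet:
    name: str
    rules: List[CommandRule]
    permit_unlisted: bool = False   # "Permit any command that is not listed below"

    def authorize(self, command_line: str) -> str:
        command, _, arguments = command_line.strip().partition(" ")
        grants = {r.grant for r in self.rules if r.matches(command, arguments)}
        # Assumed precedence (simplified model of ISE): Deny Always beats Permit,
        # Permit beats Deny, and an unmatched command falls back to the checkbox.
        for grant in (DENY_ALWAYS, PERMIT, DENY):
            if grant in grants:
                return grant
        return PERMIT if self.permit_unlisted else DENY


@dataclass
class AuthorizationRule:
    name: str
    group: str                          # the GKLABS:ExternalGroups condition
    shell_profile: ShellProfile
    command_set: Optional[CommandSet] = None


LEVEL_1 = ShellProfile("Privilege_Level_1", 1, 1)
LEVEL_15 = ShellProfile("Privilege_Level_15", 1, 15)
LIMITED = CommandSet("Limited Commands", [
    CommandRule(PERMIT, "ping"),
    CommandRule(PERMIT, "show", "run*"),
    CommandRule(PERMIT, "show", "privilege"),
    CommandRule(DENY, "show", "inter*"),
])
PERMIT_ALL = CommandSet("Permit All Commands", [], permit_unlisted=True)

IT = "gklabs.com/DomainGroups/IT"
EMPLOYEES = "gklabs.com/DomainGroups/Employees"

# Rules in the order they sit in the Wired HQ Devices policy set after Task 1
# (step 6) and after Task 2 (step 9); Tacacs_Default comes after them.
TASK1_RULES = [AuthorizationRule("IT Authorization", IT, LEVEL_15),
               AuthorizationRule("Employee Authorization", EMPLOYEES, LEVEL_1)]
TASK2_RULES = [AuthorizationRule("IT Authorization", IT, LEVEL_15, PERMIT_ALL),
               AuthorizationRule("Employee Authorization", EMPLOYEES, LEVEL_15, LIMITED)]

STEP_9_11 = ["show privilege", "show running-config", "configure terminal",
             "ping 10.10.1.25", "show interface"]


def match_rule(rules: Iterable[AuthorizationRule],
               groups: Iterable[str]) -> Optional[AuthorizationRule]:
    """First rule whose group condition the user meets; None means Tacacs_Default."""
    groups = set(groups)
    return next((r for r in rules if r.group in groups), None)


def session(rules: List[AuthorizationRule], groups: Iterable[str], commands: List[str]) -> Dict:
    """Model one vty session: the enable decision, then per-command authorization.
    A rule without a command set denies commands, but the switch only sends
    command authorization requests once the step 9.7 configuration is applied."""
    rule = match_rule(rules, groups)
    if rule is None:
        return {"rule": None, "enable": False, "commands": {c: DENY for c in commands}}
    results = {c: rule.command_set.authorize(c) if rule.command_set else DENY for c in commands}
    return {"rule": rule.name, "enable": rule.shell_profile.enable_allowed(15), "commands": results}


if __name__ == "__main__":
    for user, groups in (("employee1", {EMPLOYEES}), ("it1", {IT})):
        print(user, session(TASK2_RULES, groups, STEP_9_11))
```

Note that in the Task 2 rules, employee1 reaches privilege level 15 yet still cannot run configure terminal: the shell profile sets the ceiling on privilege, while the command set decides each command, so the two controls are independent and both must be reviewed when a group's access changes.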

10. Disable Device Administration.

10.1. Navigate to Administration > System > Deployment. Edit the ISE node by clicking ise. Under General
Settings, disable (clear) the Device Admin Service.

10.2. Save the settings.

10.3. Access the console of the L3-Switch and reload without saving.

Note: This returns the L3-Switch to its original configuration. If you saved the switch configuration during
this lab, you will need to perform a reset before the next lab or apply the commands in the file on the Admin-PC
at Desktop\ISE\L3-Switch\Remove TACACS.txt.

Lab Complete
