How to Query Cisco ISE Using TACACS

The Cisco Identity Services Engine (ISE) is a policy platform used to enforce network access control. It supports the TACACS+ protocol, which allows detailed control and auditing of who may configure network devices and which commands they may run. Network devices are configured to send their administrators' authentication and authorization requests to the ISE server, and ISE answers each request according to policy.

Modern networks are complex, and securing them is a primary concern for most organizations.

Achieving that requires combining resources, policies, and platforms. Cisco ISE is one such policy platform: it controls access to network resources and records who accessed them.

This guide introduces Cisco ISE and explains how to query Cisco ISE using TACACS+.

What is Cisco ISE?

Cisco ISE is a security policy platform that lets businesses control access to their resources while keeping operations manageable.

With Cisco ISE, companies can harden their infrastructure and gather contextual information about users and devices. The platform also helps demonstrate compliance with common security standards.

Furthermore, Cisco ISE identifies, profiles, and monitors endpoint devices connected to the network, and it consolidates Authentication, Authorization, and Accounting (AAA) into a single platform.

Cisco ISE can run as a standalone node or as a distributed deployment, so organizations of different sizes can adopt it.

What is TACACS?

Terminal Access Controller Access Control System (TACACS) is a security protocol that centralizes validation of users who try to gain access through a Network Access Server (NAS), such as a router or switch. The original TACACS predates Cisco; TACACS+ is Cisco's redesign of it, later documented in RFC 8907. TACACS+ runs over TCP port 49. Only the packet body is protected, and it is obfuscated rather than encrypted: the body is XORed with an MD5-derived pad keyed on the shared secret configured on both the device and the server, while the 12-byte header (including the session ID and sequence number) is always sent in the clear. Anyone who knows the shared secret can decode captured traffic, so TACACS+ should be confined to a protected management network, which RFC 8907 itself recommends.

It carries the exchange between a network device (the TACACS+ client) and the AAA server, and it can authorize each command or session individually. Unlike RADIUS, it treats authentication, authorization, and accounting as separate operations, so each can be handled or delegated independently.
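The framing and body obfuscation described above, as an added example in Python (this is not Cisco or ISE code; the shared secret, session ID, user, port and password are constructed placeholders). It builds a PAP authentication START packet as a device would send it to ISE, obfuscates the body with the RFC 8907 MD5 pseudo-pad, and shows that the header stays readable without the secret, that the body decodes only with the right secret, and that a packet with the unencrypted flag exposes the password outright.

```python
"""TACACS+ framing and body obfuscation per RFC 8907 (added example, not Cisco code)."""
import hashlib
import struct
from typing import Optional

# Header constants from RFC 8907 section 4.1.
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHEN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
HEADER_FMT = "!BBBBII"                    # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 12 bytes, always sent in the clear

# Authentication START body constants from RFC 8907 section 5.1.
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5 chain keyed on the shared secret (RFC 8907 section 4.5):
    MD5_1 = MD5(session_id | key | version | seq_no),
    MD5_n = MD5(session_id | key | version | seq_no | MD5_{n-1}); concatenate, truncate."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """Obfuscate or de-obfuscate a body: XOR with the pseudo-pad is its own inverse."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: str, port: str, rem_addr: str, password: str, priv_lvl: int = 1) -> bytes:
    """PAP authentication START body; with PAP the password is carried in the data field."""
    u, p, r, d = (s.encode() for s in (user, port, rem_addr, password))
    fixed = bytes([TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_PAP,
                   TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(d)])
    return fixed + u + p + r + d


def build_packet(pkt_type: int, seq_no: int, session_id: int, body: bytes,
                 key: Optional[bytes]) -> bytes:
    """Frame a body. key=None sends it unobfuscated and sets TAC_PLUS_UNENCRYPTED_FLAG."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT
    flags = 0
    if key is None:
        flags |= TAC_PLUS_UNENCRYPTED_FLAG
        wire_body = body
    else:
        wire_body = xor_body(body, session_id, key, version, seq_no)
    header = struct.pack(HEADER_FMT, version, pkt_type, seq_no, flags, session_id, len(body))
    return header + wire_body


def parse_packet(data: bytes, key: Optional[bytes]) -> dict:
    """Parse one packet. The header is readable by anyone on the path; the body only
    by whoever holds the shared secret (or by anyone when the unencrypted flag is set)."""
    if len(data) < HEADER_LEN:
        raise ValueError("short header")
    version, pkt_type, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    wire_body = data[HEADER_LEN:HEADER_LEN + length]
    if len(wire_body) != length:
        raise ValueError("truncated body")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = wire_body
    elif key is None:
        raise ValueError("body is obfuscated; the shared secret is required")
    else:
        body = xor_body(wire_body, session_id, key, version, seq_no)
    return {"type": pkt_type, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "body": body}


def demo(key: bytes = b"ise-shared-secret") -> dict:
    """Constructed sample: one authentication START from a device toward ISE.
    Session ID, user, port, address and password are made up; the key is a placeholder."""
    session_id = 0x1234ABCD        # fixed instead of random so the demo is repeatable
    body = authen_start_body("netadmin", "tty1", "10.0.0.5", "Pa55w0rd!")
    wire = build_packet(TAC_PLUS_AUTHEN, 1, session_id, body, key)
    clear_wire = build_packet(TAC_PLUS_AUTHEN, 1, session_id, body, None)
    return {
        "wire": wire,
        "plain_body": body,
        "decoded_with_right_key": parse_packet(wire, key)["body"] == body,
        "decoded_with_wrong_key": parse_packet(wire, b"guess")["body"] == body,
        "password_visible_on_wire": b"Pa55w0rd!" in wire,
        "password_visible_with_clear_flag": b"Pa55w0rd!" in clear_wire,
        # the session ID is recovered from the raw header without any key
        "session_id_in_clear": struct.unpack("!I", wire[4:8])[0] == session_id,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value if not isinstance(value, bytes) else value.hex()}")
```

The practical lesson is in the last three fields of demo(): a passive observer on the management network sees every session ID and packet type, a device that negotiates the unencrypted flag leaks credentials in full, and anyone holding the shared secret (or who brute-forces a weak one offline against a capture) can read every body. Use a long random secret per device and keep TCP/49 off untrusted segments.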

Why TACACS+ Can Be Adopted With Cisco ISE

ISE supports the TACACS+ protocol, which improves management and auditing of network device configuration. When a network device is configured to query Cisco ISE for authentication and authorization, the actions of a network administrator on that device can be controlled command by command.

To integrate TACACS+ with existing network devices, ISE administrators add each device to ISE with its TACACS+ details, namely its IP address and the shared secret. The network device then reports every session and every command it executes to Cisco ISE for accounting and auditing.

One of the main benefits of combining Cisco ISE and TACACS+ is the granular control it offers: administrators define authorization policies centrally and apply them to the appropriate user groups.

Device administrators can be created as internal users in ISE, with their enable passwords set at the same time. ISE administrators can then audit which users ran which commands through the TACACS live logs and reports.

How to Perform Queries Using TACACS on Cisco ISE?

This section will discuss, in detail, how to query Cisco ISE through the use of TACACS.

First, confirm that your ISE account has administrator rights (a Super Admin role). If it does not, obtain them before continuing with the remaining steps.

Activate the Device Administration Work Center

The Device Administration Work Center is the central point of control for TACACS+. It is only available once the Device Administration license and the Device Admin Service have been enabled (see the prerequisites at the end of this guide). The work center presents many menu options; Device Administration is the one used throughout this section.

TACACS+ Configuration 

The work center can be used to configure different components of the TACACS+ system.

Command Sets

Two distinct command sets will be configured, named PermitAllCommands and PermitShowCommands. Start with PermitAllCommands.

Navigate to Work Centers > Device Administration > Policy Elements > Results > TACACS Command Sets and click Add to create a new command set.

Name the command set PermitAllCommands and make sure the box labeled "Permit any command that is not listed below" is checked. Because no individual commands are listed, this set permits every command, so it should only be assigned to fully trusted administrators.

Next, configure PermitShowCommands.

Return to Work Centers > Device Administration > Policy Elements > Results > TACACS Command Sets and click Add to create a second command set.

Name this one PermitShowCommands. This time leave "Permit any command that is not listed below" unchecked, so that only the commands listed explicitly are allowed.

Click the "+ Add" button to add a command row.

Add two rows with the grant set to Permit: one for the command "show" and one for the command "exit". Leave the Arguments field empty for both; an empty Arguments field means any argument is accepted. Fill it in (with a regular expression) only when access to particular arguments must be restricted.

Click Submit to save the set. With both command sets in place, configure a profile next.

Profile

Navigate to Work Centers > Device Administration > Policy Elements > Results > TACACS Profiles and click Add. A new form opens in which you assign a name to the TACACS+ profile.

Check the box labeled "Default Privilege" and enter the value 15. Click Submit to finish.

Together these two results define what a device administrator may do: the profile sets the privilege level the session is placed into, and the command set restricts which commands may be executed within it. A read-only operator assigned PermitShowCommands therefore cannot push configuration changes even though the session runs at privilege 15, because each command is authorized against the command set before the device executes it.

Authentication 

Next, configure the authentication and authorization policy. By default, the authentication rule in the device-administration policy set points at the configured identity stores (for example Active Directory); adjust it to the store that holds your device administrators. The TACACS settings for network devices are configured as follows.

To configure the TACACS authentication settings for a specific network device, go to Work Centers > Device Administration > Network Resources > Network Devices, click Add, and fill in the TACACS Authentication Settings section. The shared secret entered here must match the key configured on the device.

To configure TACACS authentication settings for all other devices, go to Work Centers > Device Administration > Network Resources > Default Devices > TACACS Authentication Settings. Note that the default device entry, when enabled, accepts requests from devices that are not explicitly defined, so leave it disabled unless you intend to onboard devices that way.

Protocols

Next, configure the protocols allowed for device administration.

Navigate to Work Centers > Device Administration > Policy Elements > Results > Allowed Protocols. Make sure the allowed protocols are set up for both FIPS and non-FIPS modes; when FIPS mode is enabled, only the Default Device Admin allowed-protocols entry can be used.

Configure Cisco ISE

After configuring TACACS+ in ISE, configure the network device side so that the device can reach and query Cisco ISE:

  • Create a local (internal) user on Cisco ISE with full device-administration rights, and keep a local fallback account on the device itself so you are not locked out if ISE becomes unreachable.
  • On the device, define a TACACS+ server entry for ISE with its IP address and the shared secret, and place it in a server group (for example one named TACACS).
  • Use the device's AAA test command (test aaa group on IOS) to check that the server is reachable; a message that the user was successfully authenticated confirms both connectivity and that the shared secrets match.
  • Configure login authentication, exec and command authorization, and command accounting to use that server group, with the local account as fallback.
  • If anything fails, go to Operations > TACACS Livelog and open the details of the failed request; the record shows the request type, the policy that matched, and the failure reason.

Send a Query to Cisco ISE

Next, verify that both TACACS+ and the network device have been configured correctly by sending a query: log in to the device with a user mapped to each command set and run commands that should be permitted and commands that should be denied. In command sets, wildcards and regular expressions can be used to describe the commands that are allowed.

When a command arrives for authorization, ISE loops over the commands in the assigned command sets looking for a match. The Arguments field accepts standard Unix-style regular expressions, so a rule can be restricted to specific arguments rather than to a whole command keyword.

Reports are reached through Work Centers > Device Administration > Reports > ISE Reports; the TACACS authentication, authorization, and accounting reports show which user ran which command on which device.
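The matching described here, together with the empty-Arguments rule from the command-set steps earlier, as an added example in Python (this is a model of the behaviour, not ISE's own code). The precedence it applies, Deny Always over Permit over Deny, with an unmatched command falling back to the "Permit any command that is not listed below" checkbox, is my reading of ISE's command-set semantics and should be checked against the admin guide for your release. The PermitAllCommands and PermitShowCommands sets are the two built in this guide; the third set and every command line are constructed for the example.

```python
"""ISE-style TACACS+ command-set evaluation (added example, not ISE code)."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

PERMIT, DENY, DENY_ALWAYS = "PERMIT", "DENY", "DENY_ALWAYS"


@dataclass
class Rule:
    grant: str
    command: str          # command keyword; "*" is a wildcard for any keyword
    arguments: str = ""   # regex over the argument string; empty means any arguments

    def matches(self, command: str, args: str) -> bool:
        # Keyword match is exact apart from "*" wildcards; arguments are a regex search.
        cmd_pattern = "^" + re.escape(self.command).replace(r"\*", ".*") + "$"
        if not re.match(cmd_pattern, command, re.IGNORECASE):
            return False
        return self.arguments == "" or re.search(self.arguments, args) is not None


@dataclass
class CommandSet:
    name: str
    permit_unmatched: bool                      # "Permit any command that is not listed below"
    rules: List[Rule] = field(default_factory=list)


def split_command(line: str) -> Tuple[str, str]:
    """Split an authorization request into its keyword and the rest (the arguments)."""
    parts = line.strip().split(None, 1)
    return (parts[0] if parts else "", parts[1] if len(parts) > 1 else "")


def evaluate(command_sets: List[CommandSet], line: str) -> str:
    """Assumed precedence (verify for your ISE release): DENY_ALWAYS beats PERMIT,
    PERMIT beats DENY, and an unmatched command is permitted only if some
    selected command set has the permit-unmatched box checked."""
    command, args = split_command(line)
    grants = {r.grant for cs in command_sets for r in cs.rules if r.matches(command, args)}
    if DENY_ALWAYS in grants:
        return DENY_ALWAYS
    if PERMIT in grants:
        return PERMIT
    if DENY in grants:
        return DENY
    return PERMIT if any(cs.permit_unmatched for cs in command_sets) else DENY


# The two command sets created in this guide.
PERMIT_ALL = CommandSet("PermitAllCommands", permit_unmatched=True)
PERMIT_SHOW = CommandSet("PermitShowCommands", permit_unmatched=False,
                         rules=[Rule(PERMIT, "show"), Rule(PERMIT, "exit")])

# A hypothetical tighter read-only set: any show command except the running config,
# which would reveal secrets. The Arguments regex does the restriction.
SHOW_NO_SECRETS = CommandSet("PermitShowNoRunningConfig", permit_unmatched=False,
                             rules=[Rule(DENY_ALWAYS, "show", r"^running-config"),
                                    Rule(PERMIT, "show"),
                                    Rule(PERMIT, "exit")])


if __name__ == "__main__":
    # Constructed command lines as a device would submit them for authorization.
    for sets in ([PERMIT_SHOW], [PERMIT_ALL], [SHOW_NO_SECRETS], [PERMIT_ALL, SHOW_NO_SECRETS]):
        names = "+".join(cs.name for cs in sets)
        for line in ("show ip route", "show running-config", "configure terminal", "exit"):
            print(f"{names:45} {line:22} -> {evaluate(sets, line)}")
```

Two things to check in the TACACS Livelog before trusting a regex: that the device sends the command in the form you matched on (abbreviated input such as "sh run" may be expanded by the device before the authorization request), and that a Deny Always in one set really overrides a Permit in another set assigned to the same user, since that is what makes SHOW_NO_SECRETS safe to combine with broader sets.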

There are prerequisites you should understand before you set up TACACS+.

License for the Administration of Devices

TACACS+ on Cisco ISE requires a Device Administration license, which enables the TACACS+ service. The Device Administration license is term-based and specifically covers the TACACS+ features. It is a prerequisite for carrying out TACACS-based queries on Cisco ISE.

Activating the Device Administrator Service

Next, enable the Device Admin Service, which makes TACACS+ operations possible.

Navigate to Administration > System > Deployment, select the ISE node, open the General Settings tab, and check "Enable Device Admin Service". Repeat this on every Policy Service Node (PSN) that should answer TACACS+ requests; network devices can only be pointed at nodes where the service is running.

Create Network Device Groups and Add Network Devices

Cisco ISE also lets you build authentication and authorization policies based on device attributes. Network device groups organize devices by factors such as location or device type, and policies can then be written against those attributes, for example allowing a broad command set only on devices in a lab location. A network device that is not explicitly assigned to a group is placed in the default groups "All Locations" and "All Device Types".

Conclusion

Cisco ISE is an access control policy platform that helps businesses enforce compliance and harden their infrastructure while streamlining operations. Combined with TACACS+, it gives per-command control and an audit trail over who does what on every network device.