====== Configure TACACS on ISE ======
https://communities.cisco.com/docs/DOC-68194
! Working note: ISE (server side) GUI paths first, then several device-side
! snippets (IOS and ASA) separated by dashed lines. Later snippets are
! iterations of the earlier ones and differ in fallback and timeout settings;
! the differences are called out below. Lines starting with "!" are comments.
!
! ISE side, in order: identity group and user, then device groups and the
! network device (the device must be added before TACACS requests are accepted),
! then the TACACS profile (shell/privilege) and command set used by the policy.
Administration -> Identity Management -> Groups > User Identity Groups -> Add
Administration -> Identity Management -> Identities > Users -> Add
!
Administration -> Network Resources -> Network Device Groups - Create Device Types and Locations
Administration -> Network Resources -> Network Devices > Network Devices -> Add
!
Work Centres -> Device Administration -> Policy Elements > Results -> TACACS Profiles -> Add
Work Centres -> Device Administration -> Policy Elements > Results -> TACACS Command Sets -> Add
!
! ---- IOS snippet 1: VTY via ISE with local fallback, accounting enabled ----
aaa new-model
!
! Server definition. The shared secret is recorded here in cleartext ("test"),
! i.e. a lab value; the same secret must be entered on the ISE network device.
tacacs server ISEv24-01
address ipv4 192.168.16.221
key test
!
! Server group bound to the MGMT VRF and sourced from GigabitEthernet10, so
! TACACS traffic leaves via the management path rather than the global table.
aaa group server tacacs+ ISE_TACACS
server name ISEv24-01
ip vrf forwarding MGMT
ip tacacs source-interface GigabitEthernet10
!
! Method lists: VTY tries ISE first, then the local user database. Console
! (CON) is local only and is the recovery path if ISE is unreachable.
aaa authentication login VTY group ISE_TACACS local
aaa authentication login CON local
! "if-authenticated" is the last method: when the earlier methods cannot be
! reached, any already-authenticated user is authorized. This is a fail-open
! for authorization, accepted here so a lost ISE session does not lock out VTY.
aaa authorization exec VTY group ISE_TACACS local if-authenticated
aaa authorization exec CON local
aaa authorization commands 1 VTY group ISE_TACACS local if-authenticated
aaa authorization commands 15 VTY group ISE_TACACS local if-authenticated
! Extends command authorization to configuration-mode commands as well.
aaa authorization config-commands
! Accounting gives the audit trail in ISE (who ran what, start/stop of exec).
! NOTE: the later snippets on this page omit accounting entirely.
aaa accounting exec VTY start-stop group ISE_TACACS
aaa accounting commands 1 VTY start-stop group ISE_TACACS
aaa accounting commands 15 VTY start-stop group ISE_TACACS
! Enable authentication via ISE left disabled in this version; it is active
! in the "sh run aaa" capture further down.
!aaa authentication enable default group ISE_TACACS enable
!
line vty 0 4
! Disabling the idle timeout is left commented out here; the later snippets
! set "exec-timeout 0 0" unconditionally on con 0 / vty 0 (no idle logout).
!exec-timeout 0 0
login authentication VTY
!
! ---- ASA snippet 1: two ISE nodes, LOCAL fallback on every access method ----
! "depletion" keeps trying servers until all are marked dead; deadtime 1 min
! before a dead server is retried. Keys are shown masked (*****).
aaa-server MGMT protocol tacacs+
reactivation-mode depletion deadtime 1
aaa-server MGMT (management) host 172.17.7.90
timeout 2
key *****
aaa-server MGMT (management) host 172.17.7.91
timeout 2
key *****
!
! http, serial and ssh logins all go to ISE with LOCAL as fallback.
! "auto-enable" takes the privilege level from the server response so no
! separate enable step is needed. No command authorization in this version
! (ASA snippet 2 below adds "aaa authorization command").
aaa authentication http console MGMT LOCAL
aaa authentication serial console MGMT LOCAL
aaa authentication ssh console MGMT LOCAL
aaa authentication enable console MGMT LOCAL
aaa authorization exec authentication-server auto-enable
aaa authentication login-history
!!!!!
! ---- Captured "show run aaa" output from CSR1000v-01 (not config to paste) ----
CSR1000v-01(config)#do sh run aaa
!
aaa authentication login VTY group ISE_TACACS local enable
aaa authentication enable default group ISE_TACACS enable
aaa authorization exec VTY group ISE_TACACS local if-authenticated
! Differs from snippet 1: no "local" method before if-authenticated here.
aaa authorization commands 15 VTY group ISE_TACACS if-authenticated
aaa authorization config-commands
aaa authorization console
! A type 5 (MD5) local user hash was captured into this note. Treat a hash
! pasted into a shared page as disclosed and rotate it; newer IOS releases
! support stronger types via "algorithm-type" (verify on the target release).
username cisco secret 5 $1$m8R.$hzvX1rlSjWdEttXGYnfYN.
!
!
!
!
!
!
tacacs server ISEv24-01
address ipv4 192.168.16.221
key MySecret
!
!
aaa group server tacacs+ ISE_TACACS
server name ISEv24-01
ip vrf forwarding MGMT
ip tacacs source-interface GigabitEthernet10
!
!
!
aaa new-model
aaa session-id common
!!!!!
--------------------------------------------------------------
! ---- IOS snippet 2: no authorization fallback, no accounting ----
aaa new-model
!
tacacs server ISEv24-01
address ipv4 192.168.16.221
key test
!
aaa group server tacacs+ ISE_TACACS
server name ISEv24-01
ip vrf forwarding MGMT
ip tacacs source-interface GigabitEthernet10
!
! Login falls back to local then the enable password, but exec/command
! authorization has only the ISE group: with ISE unreachable, VTY
! authorization fails closed. Console has no named list here.
aaa authentication login VTY group ISE_TACACS local enable
aaa authentication enable default group ISE_TACACS enable
aaa authorization exec VTY group ISE_TACACS
aaa authorization commands 1 VTY group ISE_TACACS
aaa authorization commands 15 VTY group ISE_TACACS
!
! "exec-timeout 0 0" disables idle logout on console and vty 0 (lab setting).
line con 0
exec-timeout 0 0
logging synchronous
stopbits 1
!
! Only vty 0 is configured; the named lists must be applied per line or
! the line uses the default lists.
line vty 0
exec-timeout 0 0
authorization commands 1 VTY
authorization commands 15 VTY
authorization exec VTY
logging synchronous
login authentication VTY
---------------------------------------------------
! ---- ASA snippet 2: single ISE node, adds command authorization ----
aaa-server MGMT protocol tacacs+
aaa-server MGMT (MGMT) host 192.168.16.221
timeout 2
key test
!
! ssh only (no http/serial lists); command authorization now via ISE with
! LOCAL fallback.
aaa authentication ssh console MGMT LOCAL
aaa authentication enable console MGMT LOCAL
aaa authorization command MGMT LOCAL
aaa authorization exec authentication-server auto-enable
aaa authentication login-history
-------------------------
! ---- 3560-8POE (office): in-progress, legacy tacacs-server syntax ----
working on 3560-8POE office
! Type 5 (MD5) enable and user secrets are recorded here; see the note on
! the CSR capture above about hashes pasted into this page.
enable secret 5 $1$g.u4$kdtQ6TN7pT7qtdbQ68pn60
!
username secadm privilege 15 secret 5 $1$pB4D$PhRPfnYdloy6zAGkpJae2.
!
aaa new-model
!
aaa group server tacacs+ ISE_TACACS
server 192.168.13.21
!
! Explicit local default lists, so any line without a named list (con 0
! authorization is named CON below) authenticates/authorizes locally.
aaa authentication login default local
aaa authentication login VTY group ISE_TACACS local enable
aaa authentication login CON local
aaa authentication login AUTHENT_LOCAL local
aaa authentication enable default group ISE_TACACS enable
aaa authorization exec default local
aaa authorization exec VTY group ISE_TACACS
aaa authorization exec AUTHOR_LOCAL local
! Level 0 commands are authorized as well here (not in the other snippets).
aaa authorization commands 0 VTY group ISE_TACACS
aaa authorization commands 1 VTY group ISE_TACACS
aaa authorization commands 15 VTY group ISE_TACACS
!
!
! Legacy global "tacacs-server host" form (secret inline) instead of the
! "tacacs server <name>" block used on the CSR. directed-request is off, so
! user@host syntax cannot steer a login to a chosen server.
tacacs-server host 192.168.13.21 key MySecret
tacacs-server timeout 3
no tacacs-server directed-request
line con 0
exec-timeout 0 0
authorization exec CON
login authentication CON
! Only vty 0 is under ISE control; vty 1-4 use the *_LOCAL lists and vty
! 5-15 use the local CON list, so those sessions bypass ISE authentication,
! authorization and (absent here) accounting. Reasonable while "working on"
! the box, but not the end state. ssh-only transport on all VTYs.
line vty 0
exec-timeout 0 0
authorization commands 1 VTY
authorization commands 15 VTY
authorization exec VTY
logging synchronous
login authentication VTY
transport input ssh
line vty 1 4
exec-timeout 70 0
authorization exec AUTHOR_LOCAL
login authentication AUTHENT_LOCAL
transport input ssh
line vty 5 15
exec-timeout 70 0
login authentication CON
transport input ssh
!
!