Configure TACACS on ISE

https://communities.cisco.com/docs/DOC-68194

Administration → Identity Management → Groups

User Identity Groups → Add

Administration → Identity Management → Identities

Users → Add

!

Administration → Network Resources → Network Device Groups - Create Device Types and Locations

Administration → Network Resources → Network Devices

Network Devices → Add

!

Work Centers → Device Administration → Policy Elements

Results → TACACS Profiles → Add

Work Centers → Device Administration → Policy Elements

Results → TACACS Command Sets → Add

aaa new-model
!
tacacs server ISEv24-01
 address ipv4 192.168.16.221
 key test
!
aaa group server tacacs+ ISE_TACACS
 server name ISEv24-01
 ip vrf forwarding MGMT
 ip tacacs source-interface GigabitEthernet10
!
aaa authentication login VTY group ISE_TACACS local
aaa authentication login CON local

aaa authorization exec VTY group ISE_TACACS local if-authenticated
aaa authorization exec CON local

aaa authorization commands 1 VTY group ISE_TACACS local if-authenticated
aaa authorization commands 15 VTY group ISE_TACACS local if-authenticated
aaa authorization config-commands

aaa accounting exec VTY start-stop group ISE_TACACS
aaa accounting commands 1 VTY start-stop group ISE_TACACS
aaa accounting commands 15 VTY start-stop group ISE_TACACS

!aaa authentication enable default group ISE_TACACS enable

!
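line con 0
 login authentication CON
!
line vty 0 4
 !exec-timeout 0 0
 login authentication VTY
 ! named method lists only take effect once they are applied to the line
 authorization exec VTY
 authorization commands 1 VTY
 authorization commands 15 VTY
 accounting exec VTY
 accounting commands 1 VTY
 accounting commands 15 VTY
!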






aaa-server MGMT protocol tacacs+
 reactivation-mode depletion deadtime 1
aaa-server MGMT (management) host 172.17.7.90
 timeout 2
 key *****
aaa-server MGMT (management) host 172.17.7.91
 timeout 2
 key *****
!
aaa authentication http console MGMT LOCAL
aaa authentication serial console MGMT LOCAL
aaa authentication ssh console MGMT LOCAL
aaa authentication enable console MGMT LOCAL
aaa authorization exec authentication-server auto-enable
aaa authentication login-history




!!!!!
CSR1000v-01(config)#do sh run aaa
!
aaa authentication login VTY group ISE_TACACS local enable
aaa authentication enable default group ISE_TACACS enable
aaa authorization exec VTY group ISE_TACACS local if-authenticated
aaa authorization commands 15 VTY group ISE_TACACS if-authenticated
aaa authorization config-commands
aaa authorization console
username cisco secret 5 $1$m8R.$hzvX1rlSjWdEttXGYnfYN.
!
!
!
!
!
!
tacacs server ISEv24-01
 address ipv4 192.168.16.221
 key MySecret
!
!
aaa group server tacacs+ ISE_TACACS
 server name ISEv24-01
 ip vrf forwarding MGMT
 ip tacacs source-interface GigabitEthernet10
!
!
!
aaa new-model
aaa session-id common
!!!!!


--------------------------------------------------------------


aaa new-model
!
tacacs server ISEv24-01
 address ipv4 192.168.16.221
 key test
!
aaa group server tacacs+ ISE_TACACS
 server name ISEv24-01
 ip vrf forwarding MGMT
 ip tacacs source-interface GigabitEthernet10
!
aaa authentication login VTY group ISE_TACACS local enable
aaa authentication enable default group ISE_TACACS enable
aaa authorization exec VTY group ISE_TACACS
aaa authorization commands 1 VTY group ISE_TACACS
aaa authorization commands 15 VTY group ISE_TACACS
!
line con 0
 exec-timeout 0 0
 logging synchronous
 stopbits 1
!
line vty 0
 exec-timeout 0 0
 authorization commands 1 VTY
 authorization commands 15 VTY
 authorization exec VTY
 logging synchronous
 login authentication VTY

---------------------------------------------------


aaa-server MGMT protocol tacacs+
aaa-server MGMT (MGMT) host 192.168.16.221
 timeout 2
 key test
!
aaa authentication ssh console MGMT LOCAL
aaa authentication enable console MGMT LOCAL
aaa authorization command MGMT LOCAL
aaa authorization exec authentication-server auto-enable
aaa authentication login-history

-------------------------

working on 3560-8POE office

enable secret 5 $1$g.u4$kdtQ6TN7pT7qtdbQ68pn60
!
username secadm privilege 15 secret 5 $1$pB4D$PhRPfnYdloy6zAGkpJae2.
!
aaa new-model
!
aaa group server tacacs+ ISE_TACACS
 server 192.168.13.21
!
aaa authentication login default local
aaa authentication login VTY group ISE_TACACS local enable
aaa authentication login CON local
aaa authentication login AUTHENT_LOCAL local
aaa authentication enable default group ISE_TACACS enable
aaa authorization exec default local
aaa authorization exec VTY group ISE_TACACS
aaa authorization exec AUTHOR_LOCAL local
aaa authorization commands 0 VTY group ISE_TACACS
aaa authorization commands 1 VTY group ISE_TACACS
aaa authorization commands 15 VTY group ISE_TACACS
!
!
tacacs-server host 192.168.13.21 key MySecret
tacacs-server timeout 3
no tacacs-server directed-request

line con 0
 exec-timeout 0 0
 authorization exec CON
 login authentication CON
line vty 0
 exec-timeout 0 0
 authorization commands 1 VTY
 authorization commands 15 VTY
 authorization exec VTY
 logging synchronous
 login authentication VTY
 transport input ssh
line vty 1 4
 exec-timeout 70 0
 authorization exec AUTHOR_LOCAL
 login authentication AUTHENT_LOCAL
 transport input ssh
line vty 5 15
 exec-timeout 70 0
 login authentication CON
 transport input ssh
!
!
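
The configurations above define named AAA method lists (VTY, CON, AUTHOR_LOCAL) and apply them per line, so a list that is applied but never defined, defined but never applied, or that names only the TACACS+ group with no fallback method is easy to miss. The audit script below is an added example, not part of the original notes; the finding labels and the trimmed SAMPLE configuration are constructed for illustration.

```python
import re
# Constructed sample, trimmed from the 3560 configuration on this page.
SAMPLE = """\
aaa authentication login VTY group ISE_TACACS local enable
aaa authentication login CON local
aaa authorization exec VTY group ISE_TACACS
aaa authorization exec AUTHOR_LOCAL local
aaa authorization commands 15 VTY group ISE_TACACS
line con 0
 exec-timeout 0 0
 authorization exec CON
 login authentication CON
line vty 0
 authorization commands 15 VTY
 authorization exec VTY
 login authentication VTY
"""

KIND = r"(authentication login|authorization exec|authorization commands \d+)"
DEFINE = re.compile(rf"^aaa {KIND} (\S+) (.+)$")
APPLY = re.compile(r"^\s+(login authentication|authorization exec|authorization commands \d+) (\S+)$")

def audit(config):
    """Return sorted (issue, subject) findings for AAA lists and line settings."""
    defined, applied, findings, line = {}, [], set(), None
    for raw in config.splitlines():
        text = raw.rstrip()
        if text and not text.startswith(" "):  # top-level command ends a line block
            line = text if text.startswith("line ") else None
        if m := DEFINE.match(text):
            defined[(m[1], m[2])] = m[3].split()
        elif line and (m := APPLY.match(text)):
            kind = "authentication login" if m[1].startswith("login") else m[1]
            applied.append((kind, m[2], line))
        elif line and text.strip() == "exec-timeout 0 0":
            findings.add(("no-idle-timeout", line))
    for kind, name, where in applied:
        if name != "default" and (kind, name) not in defined:
            findings.add(("undefined-list", f"{kind} {name} on {where}"))
    used = {(k, n) for k, n, _ in applied}
    for (kind, name), methods in defined.items():
        if name != "default" and (kind, name) not in used:
            findings.add(("unapplied-list", f"{kind} {name}"))
        if methods[0] == "group" and len(methods) == 2:  # TACACS+ group only
            findings.add(("no-fallback", f"{kind} {name}"))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

AUTHOR_LOCAL is reported as unapplied only because the sample omits the `line vty 1 4` block; feed the function the full `show running-config` text to audit a real device.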