Configure Prime 3.1 TACACS authentication against ISE 2.x

Available Languages

Updated:October 8, 2017
Document ID:212201

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction


    This document describes how to configure Prime Infrastructure to authenticate via TACACS with ISE 2.x.

    Requirements

    Cisco recommends that you have a basic knowledge of these topics:

    • Identity Services Engine (ISE)
    • Prime Infrastructure

    Configure

    Cisco Prime Network Control System 3.1

    Cisco Identity Service Engine 2.0 or later.

    (Note: ISE only supports TACACS starting with version 2.0, however it is possible to configure Prime to use Radius. Prime includes the list of Radius attributes in addition to TACACS if you would prefer to use Radius, with an older version of ISE or a Third Party solution.)

    Prime Configuration

    Navigiate to the following screen: Administration / Users/ Users, Roles & AAA as seen below.

    Once there, select the TACACS+ Servers tab, then select the Add TACACS+ Server option in the upper right hand corner and select go.

    On the next screen the configuration of the TACACS server entry is available(this will have to be done for each individual TACACS server)

    212201-Configure-Prime-3-1-TACACS-authenticatio-00.png

    Here you will need to enter either IP address or DNS address of the server, as well as the Shared Secret Key. Also please note the Local Interface IP that you would like to use, as this same IP address needs to be used for the AAA client in ISE later on.

    In order to complete the configuration on Prime. You will need to enable TACACS under Administration / Users / Users, Roles & AAA under the AAA mode settings tab.

    (Note: It is recommended to check the Enable fallback to Local option, with either ONLY on no server response or the On no response or failure option, especially while testing the configuration)

    212201-Configure-Prime-3-1-TACACS-authenticatio-01.png

    ISE configuration

    Configure Prime as a AAA client on ISE at Work Centers / Device Administration / Network Resources / Network Devices / Add

    212201-Configure-Prime-3-1-TACACS-authenticatio-02.png

    Enter the information for the Prime server. The required attributes you need to include are Name, IP address, select the option for TACACS and the Shared Secret. You may additionally wish to add a Device Type, specifically for Prime, in order to use later on as a Condition for the Authorization Rule or other information, however this is optional.

    212201-Configure-Prime-3-1-TACACS-authenticatio-03.jpeg

    Then create a TACACS profile result to send the required attributes from ISE to Prime, to provide the correct level of access. Navigate to Work Centers / Policy Results / Tacacs Profiles and select the Add option.

    212201-Configure-Prime-3-1-TACACS-authenticatio-04.png

    Configure the name, and use the Raw View option in order to enter the attributes under the Profile attributes box. The attributes will come from the primer server itself.

    212201-Configure-Prime-3-1-TACACS-authenticatio-05.jpeg

    Get the attributes under the Administration / Users/ Users, Roles & AAA screen, and select the User Groups tab. Here you select the Group level of access you wish to provide. In this example Admin access is provided by selecting the appropriate Task List on the left hand side. 

    212201-Configure-Prime-3-1-TACACS-authenticatio-06.jpeg

    Copy all of the TACACS custom attributes.

    212201-Configure-Prime-3-1-TACACS-authenticatio-07.png

    Then paste them in the Raw View section of the Profile on ISE.

    212201-Configure-Prime-3-1-TACACS-authenticatio-08.jpeg

    Virtual Domain custom attributes are mandatory. Root-Domain information can be found under Prime Administration -> Virtual Domains.

    212201-Configure-Prime-3-1-TACACS-authenticatio-09.jpeg

    Name of Prime Virtual Domain has to be added as attribute virtual-domain0="virtual domain name"

    212201-Configure-Prime-3-1-TACACS-authenticatio-10.jpeg

    Once that is done all you need to do is create a rule to assign the Shell Profile created in the previous step, under Work Centers / Device Administration / Device Admin Policy Sets

    (Note: “Conditions” will vary depending on deployment, however you may use "Device Type" specifically for Prime or another type of filter such as Prime’s IP address, as one of the “Conditions” so that this rule properly filters requests)

    212201-Configure-Prime-3-1-TACACS-authenticatio-11.png

    At this point the configuration should be complete.

    Troubleshoot


    If this configuration is unsuccessful and if the local fall back option was enable on Prime, you can force a fail over from ISE, by removing the IP address of Prime. This will cause ISE to not respond and force the use of local credentials. If local fallback is configured to be performed on a reject, the local accounts will still work and provide access to the customer.

    If ISE shows a successful authentication and is matching the correct rule however Prime is still rejecting the request you may wish to double check the attributes are configured correctly in the profile and no additional attributes are being sent.

    Revision History

    Revision Publish Date Comments
    1.0
    08-Oct-2017
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • William Patrick Soler Webster
      Cisco TAC

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products