Configure TACACS+ Authentication on CIMC with ISE Server

Available Languages

Download Options

  • PDF     (329.0 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (385.7 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (315.1 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:July 29, 2021
Document ID:217269

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes the configuration of Terminal Access Controller Access-Control System Plus (TACACS+) authentication on Cisco Integrated Management Controller (CIMC).

    TACACS+ is commonly used to authenticate network devices with a central server. Since release version 4.1(3b), Cisco IMC supports TACACS+ authentication. TACACS+ support on CIMC eases the effort to manage multiple user accounts that have access to the device. This feature is of help to periodically change user’s credentials and manage user accounts remotely.

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • Cisco Integrated Management Controller (CIMC)
    • Terminal Access Controller Access-Control System Plus (TACACS+)

    Components Used

    The information in this document is based on these software and hardware versions:

    • UCSC-C220-M4S
    • CIMC Version: 4.1(3b)
    • Cisco Identity Services Engine (ISE) version 3.0.0.458

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Configure

    TACACS+ Server-Side Configuration for Privilege Association

    The privilege level of the user is calculated based on the cisco-av-pair value configured for that user. A cisco-av-pair needs to be created on the TACACS+ server for and users cannot use any default TACACS+ attributes. The three syntaxes as shown below are supported for the cisco-av-pair attribute

    For admin privilege:

     cisco-av-pair=shell:roles="admin"

    For user privilege:

    cisco-av-pair=shell:roles="user"

    For read-only privilege:

     cisco-av-pair=shell:roles="read-only"

    To support other devices, if other roles need to be added then they can be added with a comma as a separator. For example, UCSM supports aaa, so shell:roles=”admin,aaa” can be configured and CIMC accepts this format.

    Note: If cisco-av-pair is not configured on the TACACS+ server, then a user with that server has a read-only privilege.

    ISE Configuration Requirements

    The management IP of the server must be allowed on the ISE Network Devices.

    Shared Secret password to be entered on CIMC.

    Shell Profile with cisco-av-pair attribute with admin permissions.

    TACACS+ Configuration on CIMC

    Step 1. Navigate to Admin > User Management > TACACS+

    Step 2. Select the checkbox to enable TACACS+

    Step 3. A new server can be added at any of the 6 rows specified in the table. Click on the row or select the row and click on the edit button on top of the table, as shown in this image.

    Note: In the case where a user has enabled TACACS+ fallback on no connectivity option, CIMC enforces that the first authentication precedence must always be set to TACACS+ otherwise the fallback configuration might become irrelevant.

    Step 4. Fill in the IP address or hostname, port, and Server key/Shared secret and Save the configuration.

    Cisco IMC supports up to six TACACS+ remote servers. Once a user is successfully authenticated, the username is appended with (TACACS+).

    This is also displayed in the Session Management

    Verify

    • A maximum of 6 TACACS+ servers can be configured on the CIMC.

    • The secret key associated with the server can be of a maximum 64 characters in length.
    • The timeout can be configured between 5 and 30 seconds (which evaluates to the max as 180 seconds to be in line with LDAP).
    • If a TACACS+ server needs to use the service name to create the cisco-av-pair, then users need to use Log in as the service name.
    • No redfish support to modify the configurations.

    Verify Configuration from CLI in CIMC

    • Verify if TACACS+ is enabled.
    C220-WZP22460WCD# scope tacacs+
    C220-WZP22460WCD /tacacs+ # show detail
    TACACS+ Settings:
    Enabled: yes
    Fallback only on no connectivity: no
    Timeout(for each server): 5
    • Verify configuration details per server.
    C220-WZP22460WCD /tacacs+ # scope tacacs-server 1
    C220-WZP22460WCD /tacacs+/tacacs-server # show detail
    Server Id 1:
    Server IP address/Hostname: 10.31.126.220
    Server Key: ******
    Server Port: 49

    Troubleshoot

    • Ensure that TACACS+ Server IP is reachable from the CIMC and the port is configured correctly.
    • Ensure that the cisco-av-pair is correctly configured on the TACACS+ server.
    • Check if the TACACS+ server is reachable (IP and port).
    • Make sure the secret key or credentials match with the ones configured on the TACACS+ server.
    • If you can log in with TACACS+ but only have read-only permissions, verify if cisco-av-pair has the correct syntax on the TACACS+ server.

    ISE Troubleshoot

    • Verify Tacacs Live logs for one of the authentication attempts. Status must be Pass.

    • Verify the response has the correct cisco-av-pair attribute configured.

    Related Information

    Revision History

    Revision Publish Date Comments
    1.0
    29-Jul-2021
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Ana Montenegro
      Cisco TAC Engineer
    • Adrian Lira
      Cisco TAC Engineer
    • Alejandra Ortiz
      Cisco TAC Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products