ISE TACACS+ Configuration Guide for Cisco NX-OS Based Network Devices. Secure Access How-to User Series



Similar documents
PT Activity: Configure Cisco Routers for Syslog, NTP, and SSH Operations

Note: This case study utilizes Packet Tracer. Please see the Chapter 5 Packet Tracer file located in Supplemental Materials.

Using LiveAction with Cisco Secure ACS (TACACS+ Server)

Send document comments to

ACS 5.x and later: Integration with Microsoft Active Directory Configuration Example

Lab Configure Basic AP Security through IOS CLI

Device Interface IP Address Subnet Mask Default Gateway

Configuring CSS Remote Access Methods

Chapter 8 Lab B: Configuring a Remote Access VPN Server and Client

Configuring the Firewall Management Interface

Cisco TrustSec How-To Guide: Guest Services

Firewall Authentication Proxy for FTP and Telnet Sessions

Basic System. Vyatta System. REFERENCE GUIDE Using the CLI Working with Configuration System Management User Management Logging VYATTA, INC.

F-SECURE MESSAGING SECURITY GATEWAY

HTTP 1.1 Web Server and Client

- The PIX OS Command-Line Interface -

How To - Implement Clientless Single Sign On Authentication with Active Directory

F-Secure Messaging Security Gateway. Deployment Guide

Lab Organizing CCENT Objectives by OSI Layer

Objectives. Background. Required Resources. CCNA Security

NetIQ Advanced Authentication Framework - MacOS Client

Setting Up Scan to SMB on TaskALFA series MFP s.

IIS, FTP Server and Windows

Telnet, Console and AUX Port Passwords on Cisco Routers Configuration Example

How to Configure an Initial Installation of the VMware ESXi Hypervisor

Configuring Auto Policy-Based Routing

Configuring the Content Routing Software

You can specify IPv4 and IPv6 addresses while performing various tasks in this feature. The resource

Using the Advanced GUI

Managing User Accounts

Configuring SSH and Telnet

Good MDM Integration with Cisco Identity Service Engine. Secure Access How -To Guides Series

Configuring Devices for Use with Cisco Configuration Professional (CCP) 2.5

Web Authentication Proxy on a Wireless LAN Controller Configuration Example

From Release 8.0, IPv6 can also be used to configure the LDAP server on the controller.

Cisco ISE Command-Line Interface

Installing and Using the vnios Trial

Configuring Password Encryption

Configuring RADIUS Authentication for Device Administration

Network Load Balancing

Configuring Password Encryption

Configuring the Cisco ISA500 for Active Directory/LDAP and RADIUS Authentication

NetSpective Global Proxy Configuration Guide

Managing User Accounts

Providing Credentials

On-boarding and Provisioning with Cisco Identity Services Engine

The Cisco IOS Firewall feature set is supported on the following platforms: Cisco 2600 series Cisco 3600 series

Dynamic DNS How-To Guide

Connect the Host to attach to Fast Ethernet switch port Fa0/2. Configure the host as shown in the topology diagram above.

Configuring the Cisco Secure PIX Firewall with a Single Intern

Lab Load Balancing Across Multiple Paths

Siteminder Integration Guide

Lab 2 - Basic Router Configuration

Configuring a Leased Line

1 Basic Configuration of Cisco 2600 Router. Basic Configuration Cisco 2600 Router

SevOne NMS Download Installation and Implementation Guide

Deployment Guide A10 Networks/Infoblox Joint DNS64 and NAT64 Solution

How To Set Up A Backupassist For An Raspberry Netbook With A Data Host On A Nsync Server On A Usb 2 (Qnap) On A Netbook (Qnet) On An Usb 2 On A Cdnap (

7750 SR OS System Management Guide

Configuring Global Protect SSL VPN with a user-defined port

Configuring Basic Settings

Enabling Remote Access to the ACE

ICND IOS CLI Study Guide (CCENT)

SOA Software API Gateway Appliance 7.1.x Administration Guide

Geschreven door Administrator woensdag 13 februari :37 - Laatst aangepast woensdag 13 februari :05

Configuring Sponsor Authentication

Using RADIUS Agent for Transparent User Identification

Configuring System Message Logging

Deployment Guide: Cisco Guest Access Using the Cisco Wireless LAN Controller

Integrating LANGuardian with Active Directory

Application Note. Using a Windows NT Domain / Active Directory for User Authentication NetScreen Devices 8/15/02 Jay Ratford Version 1.

Skills Assessment Student Training Exam

Lab Developing ACLs to Implement Firewall Rule Sets

Router Lab Reference Guide

ActivIdentity 4TRESS AAA Web Tokens and SSL VPN Fortinet Secure Access. Integration Handbook

NetBrain Discovery Appliance Manual

NSi Mobile Installation Guide. Version 6.2

Installing and Configuring vcloud Connector

NAC Guest. Lab Exercises

Configuring DNS. Finding Feature Information

Quick Start Guide. for Installing vnios Software on. VMware Platforms

Wavelink Avalanche Mobility Center Java Console User Guide. Version 5.3

Tracking Network Changes Using Change Audit

Lab Configuring Syslog and NTP (Instructor Version)

USER GUIDE WEB-BASED SYSTEM CONTROL APPLICATION. August 2014 Phone: Publication: , Rev. C

Configuring NTP. Information About NTP. NTP Overview. Send document comments to CHAPTER

Laboration 3 - Administration

NAT TCP SIP ALG Support

DIGIPASS Authentication for Cisco ASA 5500 Series

INTEGRATION GUIDE. DIGIPASS Authentication for Cisco ASA 5505

Configuring the Switch with the CLI Setup Program

Guideline for setting up a functional VPN

Managing User Accounts

Remote Management. Vyatta System. REFERENCE GUIDE SSH Telnet Web GUI Access SNMP VYATTA, INC.

- Basic Router Security -

Network Monitoring User Guide Pulse Appliance

User Migration Tool. Note. Staging Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted Release 9.0(1) 1

Using Two-Factor Authentication Configuration to Combat Cybersecurity Threats

School of Information Technology and Engineering (SITE) CEG 4395: Computer Network Management. Lab 4: Remote Monitoring (RMON) Operations

IP Addressing and Subnetting. 2002, Cisco Systems, Inc. All rights reserved.

Transcription:

ISE TACACS+ Configuration Guide for Cisco NX-OS Based Network Devices Secure Access How-to User Series Author: Technical Marketing, Policy and Access, Security Business Group, Cisco Systems Date: January 2016

Table of Contents Table of Contents... 2 About This Guide... 3 Overview... 3 Using This Guide... 3 Components Used... 3 ISE Configuration for Device Administration... 4 Licensing Device Administration on ISE... 4 Enabling Device Administration on ISE... 4 Device Administration Work Center... 5 Network Device and Network Device Groups... 5 Identity Stores... 7 TACACS Profiles... 8 NX-OS Operator... 8 NX-OS Admin... 9 NX-OS Security... 9 TACACS Command Sets... 9 HelpDesk Commands... 9 Permit All Commands... 10 NX-OS Security Commands... 10 Device Admin Policy Sets... 11 NX-OS Configuration for TACACS+... 13 TACACS+ Authentication and Fallback... 14 TACACS+ Command Authorization... 14 TACACS+ Command Accounting... 14 What s Next?... 15 Cisco Systems 2016 Page 2

About This Guide Overview Terminal Access Controller Access Control System Plus (TACACS+) is a client-server protocol that provides centralized security control for management access to routers and many types of network access devices. TACACS+ provides these AAA services: Authentication Who the users are Authorization What they are allowed to do Accounting Who did what and when This document provides configuration examples for TACACS+ with the Cisco Identity Services Engine (ISE) as the TACACS+ server and a Cisco NX-OS network device as the TACACS+ client. Using This Guide This guide divides the activities into two parts to enable ISE to manage administrative access for Cisco NX-OS based network devices. Part 1 Configure ISE for Device Administration Part 2 Configure Cisco NX-OS for TACACS+ Components Used The information in this document is based on the following software and hardware version: ISE VMware virtual appliance, Release 2.0 Cisco Nexus1000V (N1Kv) for VMware vsphere, Cisco NX-OS 5.2(1)SV3(1.10) It works on most of Cisco NX-OS devices. The materials in this document are created from the devices in a lab environment. All of the devices are started with a cleared (default) configuration. Cisco Systems 2016 Page 3

ISE Configuration for Device Administration Licensing Device Administration on ISE Device Administration (TACACS+) is licensed per deployment, but requires existing and valid ISE base or mobility licenses. Enabling Device Administration on ISE The Device Administration service (TACACS+) is not enabled by default in an ISE node. The first step is to enable it. Step 1 Step 2 Log in to the ISE admin web portal using one of the supported browsers. Navigate to Administration > System > Deployment. Select the check box next to the ISE node and click Edit. Step 3 Figure 1. ISE Deployment Page Under General Settings, scroll down and select the check box next to Enable Device Admin Service. Figure 2. ISE Deployment General Settings Cisco Systems 2016 Page 4

Step 4 Save the configuration. Device Administration Service is now enabled on ISE. Device Administration Work Center ISE 2.0 introduces Work Centers, each of which encompasses all the elements for a particular feature. Step 1 Go to Work Centers > Device Administration > Overview Figure 3. Device Administration Overview The Device Administration Overview provides the high-level steps for the Use Case. Network Device and Network Device Groups ISE provides powerful device grouping with multiple device group hierarchies. Each hierarchy represents a distinct and independent classification of network devices. Step 1 Navigate to Work Centers > Device Administration > Network Device Groups Figure 4. Network Device Groups Cisco Systems 2016 Page 5

Step 2 All Device Types and All Locations are default hierarchies provided by ISE. You may add your own hierarchies and define the various components in identifying a Network Device which can be used later in the Policy Conditions. After defining hierarchies, the Network Device Groups will look similar to the following: Figure 5. Network Device Group Tree View Step 3 Now, add an N1Kv as a Network Device. Go to Work Centers > Device Administration > Network Resources. Click Add to add a new Network Device DMZ_BLDO_N1Kv. Figure 6. Adding Network Device Enter the IP address of the Device and make sure to map the Location and Device Type for the Device. Finally, Enable the TACACS+ Authentication Settings and specify the Shared Secret. Cisco Systems 2016 Page 6

Identity Stores This section defines an Identity Store for the Device Administrators, which can be the ISE Internal Users and any supported External Identity Sources. Here uses Active Directory (AD), an External Identity Source. Step 1 Go to Administration > Identity Management > External Identity Stores > Active Directory. Click Add to define a new AD Joint Point. Specify the Join Point name and the AD domain name and click Submit. Figure 3. Adding AD Join Point Step 2 Click Yes when prompted Would you like to Join all ISE Nodes to this Active Directory Domain? Input the credentials with AD join privileges, and Join ISE to AD. Check the Status to verify it operational. Figure 4. Joining ISE to AD Step 3 Go to the Groups tab, and click Add to get all the groups needed based on which the users are authorized for the device access. The following example shows the groups used in the Authorization Policy in this guide Figure 5. AD Groups Cisco Systems 2016 Page 7

TACACS Profiles The Cisco TACACS+ implements cisco-av-pair, a vendor-specific attribute (VSA) option in the Internet Engineering Task Force (IEFT) specification, in the format protocol : attribute separator value * When Cisco NX-OS devices use TACACS+ for authentication, the TACACS+ server returns user attributes along with authentication results, in Cisco VSAs. For TACACS+ authentications, the Cisco NX-OS software supports: Shell as the protocol in access-accept packets to provide user profile information. Roles as the attribute in access-accept packets to list all the roles to which the user belongs. The role names are delimited by white spaces. Each user role contains one or more rules that define the operations allowed for the users assigned to the role. Each user can have multiple roles so to execute a combination of all commands permitted by the roles. The predefined roles on NX-OS devices differ among NX-OS platforms. Two common ones are: network-admin predefined network admin role has complete read-and-write access to all commands on the switch; available in the default virtual device context (VDC) only if the devices (e.g. Nexus 7000) have multiple VDCs. Use NX-OS CLI command show cli syntax roles network-admin to see the full command list available for this role. network-operator predefined network admin role has complete read access to all commands on the switch; available in the default VDC only if the devices (e.g. Nexus 7000) have multiple VDCs. Use NX-OS CLI command show cli syntax roles network-operator to see the full command list available for this role. The recent NX-OS releases allow to create up to 64 user-defined roles in a VDC. User-defined user roles, by default, permit access to the commands show, exit, end, and configure terminal only, so we need to add rules and role features to grand additional access. To see the list of commands allowed by each role feature, issue NX-OS CLI show role feature name <feature-name>. To see that for all role features, issue NX-OS CLI show role feature detail. The following example shows what available for the feature interface: N1Kv# show role feature name interface interface (Interface configuration commands) show interface * config t ; interface * If TACACS+ users have the same user names defined locally on the Cisco NX-OS device, the Cisco NX-OS software applies the user roles for the local user accounts but not those configured on the TACACS+ server. We will define three TACACS Profiles NX-OS Operator, NX-OS Admin, and NX-OS Security. NX-OS Operator Step 4 On the ISE Administrative Web Portal, go to Work Centers > Device Administration > Policy Results > TACACS Profiles. Add a new TACACS Profile and name it NX-OS Operator. Step 5 Scroll down to the Custom Attributes section to add the attribute as: Cisco Systems 2016 Page 8

Step 6 Step 7 Step 8 Type Name Value Mandatory shell:roles network-operator Click the check mark at the end of the entry to keep the line. Click the tab [ Raw View ], and it shows: Profile Attributes shell:roles=network-operator Click Submit to save the profile. NX-OS Admin Step 9 Step 10 Step 11 Step 12 Step 13 Add another profile and name it NX-OS Admin. Scroll down to the Custom Attributes section to add the attribute as: Type Name Value Mandatory shell:roles network-admin Click the check mark at the end of the entry to keep the line. Click the tab [ Raw View ], and it shows: Profile Attributes shell:roles=network-admin Click Submit to save the profile. NX-OS Security Step 14 On the ISE Administrative Web Portal, go to Work Centers > Device Administration > Policy Results > TACACS Profiles. Add a new TACACS Profile and name it NX-OS Operator. Step 15 Scroll down to the Custom Attributes section to add the attribute as: Type Name Value Mandatory shell:roles network-operator demo-security We enclose the value with double quotes because it has two role names, which are separated by a space character. The role demo-security is a user-defined role and will be configured later on the NX-OS device. Step 16 Click the check mark at the end of the entry to keep the line. Step 17 Click the tab [ Raw View ], and it shows: Profile Attributes shell:roles= network-operator demo-security Step 18 Click Submit to save the profile. TACACS Command Sets NX-OS command authorization queries the configured TACACS+ server to verify whether the Device Administrators are authorized to issue the commands. NX-OS normally authorizes on user roles. To fine tune available commands, ISE can provide a list of commands granted to the users. We define three commands sets -- HelpDesk_Commands, Permit_All_Commands, and NX-OS_Security_Commands. HelpDesk Commands This is the same as that in the guide for IOS devices. Please skip this section if it already defined. Cisco Systems 2016 Page 9

Step 19 On the ISE Administrative Web Portal, go to Work Centers > Device Administration > Policy Results > TACACS Command Sets. Add a new set and name it HelpDesk_Commands. Step 20 Click +Add to configure entries to the set: Grant Command Argument PERMIT debug PERMIT undebug PERMIT traceroute DENY ping ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.255$ PERMIT ping PERMIT show We allow helpdesk analysts to perform debug, undebug, traceroute, and show. For ping, they are restricted from broadcast pings, assuming the network subnets with broadcast addresses ending with.255, as shown in the regular expression in the argument column. Step 21 Step 22 Click the check mark at the end of each entry to keep the line. Click Save to persist the command set. Permit All Commands This is the same as that in the guide for IOS devices. Please skip this section if it already defined. Step 23 Step 24 Step 25 Add a new set and name it Permit_All_Commands. Tick the checkbox next to Permit any command that is not listed below, and leave the command list empty. Grant Command Argument Click Save to persist the command set. NX-OS Security Commands Step 26 On the ISE Administrative Web Portal, go to Work Centers > Device Administration > Policy Results > TACACS Command Sets. Add a new set and name it NX-OS_Security_Commands. Step 27 Tick the checkbox next to Permit any command that is not listed below. Step 28 Click +Add to configure entries to the set: Grant Command Argument DENY interface mgmt0 DENY interface control0 We allow security analysts to execute any commands other than to configure interfaces mgmt0 and control0. Step 29 Click the check mark at the end of each entry to keep the line. Step 30 Click Save to persist the command set. Cisco Systems 2016 Page 10

Device Admin Policy Sets Policy Sets are enabled by default for Device Administration. Policy Sets can divide polices based on the Device Types so to ease application of TACACS profiles. For example, Cisco IOS devices use Privilege Levels and/or Command Sets whereas Cisco NX-OS devices use Custom Attributes. Step 1 Navigate to Work Centers > Device Administration > Device Admin Policy Sets. Add a new Policy Set NX-OS Devices: S Name Description Conditions NX-OS Devices DEVICE:Device Type EQUALS Device Type#All Device Types#Network Devices#NX-OS Devices Figure 6. Policy Set Condition Step 2 Create the Authentication Policy. For Authentication, we use the AD as the ID Store. Authentication Policy Default Rule (if no match) : Allow Protocols : Default Device Administration and use: demoad Figure 7. Authentication Policy Step 3 Define the Authorization Policy. Here we define the authorization policy based on the user groups in AD and the location of the device. For example, the users in AD group West Coast can access only the devices located in West Coast. S Rule Name Conditions Command Sets Shell Profiles HelpDesk DEVICE:Location CONTAINS All West Locations#West_Coast securitydemo.net/demogroups/west_coast HelpDesk_Commands NX-OS Operator HelpDesk East Security West securitydemo.net/demogroups/helpdesk DEVICE:Location CONTAINS All Locations#East_Coast securitydemo.net/demogroups/east_coast securitydemo.net/demogroups/helpdesk DEVICE:Location CONTAINS All Locations#West_Coast securitydemo.net/demogroups/west_coast securitydemo.net/demogroups/security_operators HelpDesk_Commands NX-OS_Security_Commands NX-OS Operator NX-OS Admin Cisco Systems 2016 Page 11

S Rule Name Conditions Command Sets Shell Profiles Security DEVICE:Location CONTAINS All East Locations#East_Coast securitydemo.net/demogroups/east_coast NX-OS_Security_Commands NX-OS Admin Admin West Admin East securitydemo.net/demogroups/security_operators DEVICE:Location CONTAINS All Locations#West_Coast securitydemo.net/demogroups/west_coast securitydemo.net/demogroups/network_operators DEVICE:Location CONTAINS All Locations#East_Coast securitydemo.net/demogroups/east_coast securitydemo.net/demogroups/network_operators Default if no matches, then DenyAllCommands Figure 8. Authorization Policy Permit_All_Commands Permit_All_Commands NX-OS Admin NX-OS Admin We are now done with the ISE configuration for Device Administration for NX-OS devices. Cisco Systems 2016 Page 12

NX-OS Configuration for TACACS+ SSH is enabled by default on Cisco NX-OS devices so we need only to ensure proper IP addressing for the management interface, before configuring TACACS+. ip domain-name securitydemo.net switchname N1Kv interface mgmt0 ip address 10.1.100.180/24 no shutdown vrf context management ip route 0.0.0.0/0 10.1.100.1!!! disable DNS lookup!!! no ip domain-lookup!!! VLANs!!!! vlan 100 name mgt!!! Define VTY access!!! ip access-list vtyaccess 10 permit tcp 10.1.100.0/24 10.1.100.180/32 eq 22 20 deny ip any any line console exec-timeout 0 line vty access-class vtyaccess in Since we have a valid IP address for the above sample network device at this stage, we can SSH to this NX-OS device from a client in 10.1.100.0/24. Note that we disable EXEC timeout for CONSOLE so to avoid possible access issue during AAA configuration. TACACS+ AAA on a Cisco NX-OS device can be configured in the following sequence: 1. Enable TACACS+ Authentication and Fallback 2. Enable TACACS+ Command Authorization 3. Enable TACACS+ Command Accounting Cisco Systems 2016 Page 13

TACACS+ Authentication and Fallback TACACS+ authentication can be enabled with a configuration similar to the following: tacacs+ enable role name demo-security description A user-defined role example for demo purposes rule 10 permit read-write feature interface interface policy deny permit interface Vethernet1 tacacs-server host 10.1.100.21 key ISEisC00L timeout 10 tacacs-server host 10.1.100.21 test username tp-test password tp-test idle-time 60 aaa group server tacacs+ demotg server 10.1.100.21 deadtime 10 use-vrf management source-interface mgmt 0 aaa authentication login ascii-authentication aaa authentication login default group demotg aaa authentication login console local We have thus switched to TACACS+ to authenticate the VTY lines. Since no TACACS+ command authorization yet, the TACACS+ users are currently authorized based on their user roles. In the events that the configured TACSACS+ server becomes unavailable, the login authentication falls back to use the local user database. TACACS+ Command Authorization This is optional, as users can be authorized on their roles. TACACS+ Command Authorization for the configuration mode and for the EXEC mode can be enabled by adding the following: aaa authorization config-commands default group demotg local aaa authorization commands default group demotg local TACACS+ Command Accounting Command accounting sends info about each command executed, which includes the command, the date, and the username. The following adds to the previous configuration example to enable this accounting feature: aaa accounting default group demotg We are done with the NX-OS configuration for TACACS+. Cisco Systems 2016 Page 14

What s Next? Configuration for Device Administration for Cisco NX-OS is completed. We will need to validate the configuration. Step 1 Step 2 Step 3 SSH and log into the NX-OS devices as various roles. Once on the device command-line interface (CLI), verify that the user has access to the right commands. For example, a Helpdesk user should be able to ping a regular IP address (e.g. 10.1.10.1) but denied to ping a broadcast address (e.g. 10.1.10.255). To show the user connections and role(s), issue show users show user-account [<user-name>] A sample output is shown below: N1Kv# show users NAME LINE TIME IDLE PID COMMENT admin ttys0 Jan 11 02:50. 21234 hellen pts/0 Jan 11 02:52. 21697 (10.1.100.6) session=ssh * N1Kv# show user-account hellen user:hellen roles:network-operator account created through REMOTE authentication Credentials such as ssh server key will be cached temporarily only for this user account Local login not possible... Step 4 The following debugs are useful in troubleshooting TACACS+: debug tacacs+ aaa-request Here is a sample debug output: 2016 Jan 11 03:03:08.652514 tacacs[6288]: process_aaa_tplus_request:checking for state of mgmt0 port with servergroup demotg 2016 Jan 11 03:03:08.652543 tacacs[6288]: process_aaa_tplus_request: Group demotg found. corresponding vrf is management 2016 Jan 11 03:03:08.652552 tacacs[6288]: process_aaa_tplus_request: checking for mgmt0 vrf:management against vrf:management of requested group 2016 Jan 11 03:03:08.652559 tacacs[6288]: process_aaa_tplus_request:port_check will be done 2016 Jan 11 03:03:08.652568 tacacs[6288]: state machine count 0 2016 Jan 11 03:03:08.652677 tacacs[6288]: is_intf_up_with_valid_ip(1258):proper IOD is found. 2016 Jan 11 03:03:08.652699 tacacs[6288]: is_intf_up_with_valid_ip(1261):port is up. 2016 Jan 11 03:03:08.653919 tacacs[6288]: debug_av_list(797):printing list 2016 Jan 11 03:03:08.653930 tacacs[6288]: 35 : 4 : ping 2016 Jan 11 03:03:08.653938 tacacs[6288]: 36 : 12 : 10.1.100.255 2016 Jan 11 03:03:08.653945 tacacs[6288]: 36 : 4 : <cr> 2016 Jan 11 03:03:08.653952 tacacs[6288]: debug_av_list(807):done printing list, exiting function 2016 Jan 11 03:03:08.654004 tacacs[6288]: tplus_encrypt(659):key is configured for this aaa sessin. 2016 Jan 11 03:03:08.655054 tacacs[6288]: num_inet_addrs: 1 first s_addr: -1268514550 180.100.1.10 s6_addr : 0a01:64b4:: 2016 Jan 11 03:03:08.655065 tacacs[6288]: non_blocking_connect(259):interface ip_type: IPV4 2016 Jan 11 03:03:08.656023 tacacs[6288]: non_blocking_connect(369): Proceeding with bind 2016 Jan 11 03:03:08.656216 tacacs[6288]: non_blocking_connect(388): setsockopt success error:22 Cisco Systems 2016 Page 15

2016 Jan 11 03:03:08.656694 tacacs[6288]: non_blocking_connect(489): connect() is in-progress for server 10.1.100.21 2016 Jan 11 03:03:08.679815 tacacs[6288]: tplus_decode_authen_response: copying hostname into context 10.1.100.21 Step 5 From the ISE GUI, navigate to Operations > TACACS Livelog. All the TACACS authentication and authorization requests are captured here, and the details button provides detailed information about why a particular transaction passed/failed. Figure 9. TACACS Livelogs Step 6 For historic reports: Go to Work Centers > Device Administration > Reports > Device Administration to get the authentication, authorization, and accounting reports. Cisco Systems 2016 Page 16

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information