Table of Contents
About this Guide
    Overview
    Using this Guide
    Components Used
ISE Configuration for Device Admin
    Enabling Device Admin on ISE
    Device Admin Work Center
    Configuring Network Device and Network Device Groups
    Defining Identity Stores
    Configuring TACACS Profiles
    Device Admin Policy Sets
WLC Configuration for TACACS+
    Add a TACACS+ Authentication Server
    Add a TACACS+ Authorization Server
    Add a TACACS+ Accounting Server
    Configure the Order of Authentication
What’s Next?
This document provides configuration examples for TACACS+ with the Cisco Identity Services Engine (ISE) as the
TACACS+ server and a Cisco Wireless LAN Controller (WLC) as the TACACS+ client.
Components Used
The information in this document is based on the software and hardware versions listed below:
The information in this document was created from devices in a lab environment. All of the devices started with a
cleared (default) configuration.
Step 4 Save the configuration. Device Admin Service is now enabled on ISE.
The Device Administration Overview provides the high-level steps needed for the Device Admin Use Case.
All Device Types and All Locations are the default Network Device Group hierarchies provided by ISE. You may add your
own hierarchies, or nodes under them, to identify a Network Device; these are referenced later in the Policy
Conditions.
Step 2 After defining various hierarchies, the Network Device Groups will look similar to the following:
Enter the IP address of the device and map it to the appropriate Location and Device Type.
Finally, enable the TACACS+ Authentication Settings and specify the Shared Secret. The same secret must be configured
on the WLC. TACACS+ protects the packet body only with this secret, so use a long, random value and restrict which
hosts can reach TCP port 49 on ISE to the network devices themselves.
Step 2 Click Yes when prompted “Would you like to Join all ISE Nodes to this Active Directory Domain?”
Enter credentials with AD join privileges and join ISE to AD. Check the Status to verify that the join is operational.
Step 3 Go to the Groups tab and click Add to retrieve the AD groups on which device-access authorization will be
based. The groups used in the Authorization Policy in this guide are shown below.
Figure 5. AD Groups
The WLC uses TACACS+ custom attributes named role1, role2, and so on. The available role values are
MONITOR, WLAN, CONTROLLER, WIRELESS, SECURITY, MANAGEMENT, COMMAND, ALL, and
LOBBY. The first seven correspond to the menu tabs on the WLC admin web UI. Enter one or more of these roles
to grant read and write access to those tabs; all other tabs remain read-only. ALL grants read and write access to
every tab, and LOBBY grants lobby ambassador access only.
For example, to grant read and write access to the WLAN, SECURITY and CONTROLLER tabs, enter the following custom attributes:
role1=WLAN
role2=SECURITY
role3=CONTROLLER
Step 1 On the ISE GUI, go to Work Centers > Device Administration > Policy Results > TACACS Profiles.
Add a new TACACS Profile called WLC_Monitor_Only. Scroll down to the Custom Attributes section
and add role1=MONITOR so that only the MONITOR tab is writable.
Step 2 Create the Authentication Policy. For authentication, Active Directory is used as the identity store.
Step 3 Define the Authorization Policy. The authorization rules here are based on the user's group in Active
Directory and the location of the device: users in the Active Directory group West_Coast can access only devices
located in West Coast, and users in the Active Directory group East_Coast can access only devices located in
East Coast. The rules are:
Rule 1 (West Coast):
    demoAD:ExternalGroups EQUALS securitydemo.net/DemoGroups/West_Coast
    AND DEVICE:Location CONTAINS All Locations#West_Coast
Rule 2 (East Coast):
    demoAD:ExternalGroups EQUALS securitydemo.net/DemoGroups/East_Coast
    AND DEVICE:Location CONTAINS All Locations#East_Coast
Default rule: DenyAllCommands
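To make the rule logic and the WLC role attributes concrete, here is an added Python model. It is not part of the Cisco guide and does not talk to ISE or the WLC: it evaluates requests against rules modelled on the conditions above (first match, default deny) and decodes the resulting role1..roleN custom attributes into per-tab access the way the WLC applies them. The user names, the rule names, the Helpdesk group and the roles each rule grants are assumptions; the AD group paths and the Location hierarchy paths are the ones used in the guide.

```python
# Added example, not part of the Cisco guide: a small model of the ISE
# authorization rules and of how the WLC interprets role1..roleN attributes.
# Users, rule names, the Helpdesk group and the roles per rule are assumptions.
from dataclasses import dataclass

# The seven WLC GUI tabs that a role can unlock for read/write.
WLC_TABS = ("MONITOR", "WLAN", "CONTROLLER", "WIRELESS",
            "SECURITY", "MANAGEMENT", "COMMAND")


@dataclass(frozen=True)
class Rule:
    name: str
    ad_group: str        # demoAD:ExternalGroups EQUALS <ad_group>
    location: str        # DEVICE:Location CONTAINS <location>
    roles: tuple         # role1..roleN values carried in the TACACS profile


@dataclass(frozen=True)
class Request:
    user: str
    external_groups: frozenset   # AD groups ISE resolved for the user
    device_location: str         # NDG path of the TACACS+ client (the WLC)


# Hypothetical policy set modelled on the guide's conditions. The profile each
# rule returns is not reproduced in the guide; ALL and MONITOR are assumed.
RULES = (
    Rule("West Coast Admins", "securitydemo.net/DemoGroups/West_Coast",
         "All Locations#West_Coast", ("ALL",)),
    Rule("East Coast Admins", "securitydemo.net/DemoGroups/East_Coast",
         "All Locations#East_Coast", ("ALL",)),
    # The guide's WLC_Monitor_Only profile, attached to an assumed Helpdesk
    # group that may reach any location.
    Rule("Helpdesk", "securitydemo.net/DemoGroups/Helpdesk",
         "All Locations", ("MONITOR",)),
)


def authorize(rules, req):
    """First-match evaluation, as ISE does within a policy set.

    Returns (rule_name, custom_attributes). CONTAINS on a hierarchy path is a
    substring test: the node and every child under it match, but so would a
    sibling whose name merely starts with the same text. Use EQUALS on the
    exact node when that distinction matters.
    """
    for rule in rules:
        if (rule.ad_group in req.external_groups
                and rule.location in req.device_location):
            return rule.name, {f"role{i}": r for i, r in enumerate(rule.roles, 1)}
    # Default rule: DenyAllCommands. No profile, so no role attributes.
    return "Default", {}


def wlc_access(attrs):
    """Map role1..roleN attributes to per-tab access as the WLC applies them.

    Listed tabs become read/write and the remaining tabs read-only. ALL is
    read/write everywhere. LOBBY is the lobby ambassador role and is modelled
    here as granting nothing else (assumption). No roles at all means no access.
    """
    roles = {v.upper() for k, v in attrs.items() if k.startswith("role")}
    if not roles:
        return {}
    if "ALL" in roles:
        return {tab: "rw" for tab in WLC_TABS}
    if "LOBBY" in roles:
        return {"LOBBY": "rw"}
    return {tab: ("rw" if tab in roles else "ro") for tab in WLC_TABS}


def can_modify(req, tab, rules=RULES):
    """True if the user may add, modify or delete on the given WLC tab."""
    _, attrs = authorize(rules, req)
    return wlc_access(attrs).get(tab) == "rw"


# Constructed requests mirroring the validation steps in "What's Next?".
WEST_ADMIN = Request("alice", frozenset({"securitydemo.net/DemoGroups/West_Coast"}),
                     "All Locations#West_Coast#San_Jose")
WEST_ADMIN_ON_EAST = Request("alice", WEST_ADMIN.external_groups,
                             "All Locations#East_Coast#Boston")
HELPDESK = Request("bob", frozenset({"securitydemo.net/DemoGroups/Helpdesk"}),
                   "All Locations#West_Coast#San_Jose")

if __name__ == "__main__":
    for req in (WEST_ADMIN, WEST_ADMIN_ON_EAST, HELPDESK):
        rule, attrs = authorize(RULES, req)
        print(f"{req.user} @ {req.device_location}: rule={rule} attrs={attrs}")
        print("  access:", wlc_access(attrs))
```

Running it shows the three outcomes the validation section asks you to check by hand: the West Coast admin gets ALL on a West Coast controller, hits the default deny on an East Coast one, and the helpdesk user lands on MONITOR, so a delete under WLANs is refused because that tab is read-only.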
The ISE configuration for Device Admin for WLC devices is now complete.
To configure TACACS+ on the WLC, complete these steps:
1. Add a TACACS+ Authentication Server
2. Add a TACACS+ Authorization Server
3. Add a TACACS+ Accounting Server
4. Configure the Priority Order of Management User Authentication (keep LOCAL in the order after TACACS so that a local
   account can still log in to the WLC if the ISE servers are unreachable)
Step 2 (Authentication server) Enter the IP address of the ISE server as the TACACS+ server and the shared secret key.
Step 2 (Authorization server) Enter the IP address of the ISE server as the server IP address and the shared secret key.
Step 2 (Accounting server) Enter the IP address of the ISE server as the server IP address and the shared secret key.
What’s Next?
At this point, all the configuration needed for Device Admin for the WLC is complete. Validate the configuration as
follows.
Step 1 Log in to the WLC as users belonging to the different AD groups, against devices in the different locations.
Step 2 After logging in, verify that the user has access to the expected tabs.
Step 3 For a Helpdesk user, navigate to the different tabs and try to add, modify or delete objects. For example,
go to WLANs and try to delete one of the WLANs. Because this user has only MONITOR access, the operation
should be denied with the following error:
Step 4 On the ISE GUI, navigate to Operations > TACACS Livelog. All TACACS+ authentication and
authorization requests are captured here, and the Details button shows why a
particular transaction passed or failed.
Step 5 For historical reports, on ISE go to Work Centers > Device Administration > Reports > Device
Administration to get the authentication, authorization and accounting reports.