Configure Cisco Prime TACACS+ Authentication w/ ISE 2.4

ByChase Smith Hours Updated on Categories Networking, Network Security, System Administration

If you’re using Cisco Identity Services Engine (ISE) 2.4 for your TACACS+ Authentication and you use Cisco Prime then you’ll be happy to know integrating the two is super simple.

If you followed my Cisco ISE TACACS+ guides then it’ll be even easier because my screenshots will be pretty close to what you’re running.

Related: Configure New Cisco ISE 2.4 Install for Use as TACACS+ Server

Adding Prime to Cisco ISE Network Resources

The first thing we need to do is add our Prime Server to Cisco ISE 2.4 as a network resource that we can match up to when authenticating.

  1. Navigate to Work Centers -> Device Administration -> Network Resources -> Network Devices and click Add
    Screenshot showing cisco ise add network device
  2.  Fill in the Name and enter the IP of your Prime server as you would any other network device. You can leave Device Profile to Cisco if unless you have reason to use otherwise.
    Screenshot showing adding cisco prime to cisco ise 24 tacacs
  3. Check the box next to TACACS Authentication Settings to expand the options and fill in your shared secret. Click Save.
    Screenshot showing cisco prime ise tacacs shared secret

Configuring Cisco ISE TACACS Profile for Cisco Prime

Now we need to tell Cisco ISE how to interpret the data from Cisco Prime so that when we sign in we have the correct permissions. We will do this using a new TACACS Profile and updating our Authorization Policy.

  1. Navigate to Work Centers -> Device Administration -> Policy Elements -> Results -> TACACS Profiles and click on +Add.
    Screenshot showing new tacacs profile cisco ise
  2. Give the Profile a Name (I’m using PRIME ALL) and click on Raw View.
    Screenshot showing new tacacs profile cisco ise raw view
  3. Now we need to head over to Cisco Prime to collect the data that we will paste into the Profile Attributes box under Raw View.
  4. Log into Prime, click on the Menu icon in the upper left corner of the screen, and navigate to Administration -> Users, Roles & AAA -> User Groups and then click on the Task List hyperlink next to the group that you want your account to be part of when authenticating through TACACS+. In my case I’m using Admin.
    Screenshot showing cisco prime user group task list
  5. Copy all of the contents of the Task List box.
    Screenshot showing cisco prime user group task list copy
  6. Paste the contents you just copied into Cisco ISE in the box under Raw View where we left off earlier at step 2.
    Screenshot showing pasting task list into cisco ise raw view
  7. Scroll to the bottom of the Raw View box and add a new line starting with virtual-domain0= as pictured below.
    Screenshot showing cisco prime task list vitual domain
  8. Head back to Prime and Navigate to the Menu Icon -> Administration -> Users -> Virtual Domains and copy the name of the virtual domain you’re using. In my case it’s ROOT-DOMAIN.
  9. Go back to Cisco ISE to the Raw View box and add your virtual domain to the line starting with virtual-domain0= as pictured. In my case the final line in the Raw View box is now virtual-domain0=ROOT-DOMAIN.
    Screenshot showing cisco prime task list vitual domain
  10. Click Save.

Configuring Cisco ISE Authorization Policy for Cisco Prime

Now we need to update your Authorization Policy.

  1. Go to Cisco ISE and navigate to Work Centers -> Device Administration -> Device Admin Policy Sets and click the right arrow to view your Policy. In my case I’m using the default policy.
    Screenshot showing cisco ise view policy set default profile
  2. Expand Authorization Policy and click the Plus Icon to Add a new policy. Create a policy with your desired conditions using the Command Set Permit All and the Shell Profile (TACACS Profile) you created earlier using the Task List and Raw View box. You can see an example of my config here where if a npgdom.com domain user that is part of the Prime Admins group in AD signs into my Prime server at 10.2.2.2 they will be granted the unrestricted command set and PRIME ALL TACACS Profile based on the Admin group task list from Prime:
    Screenshot showing cisco ise prime authorization policy
  3. Click Save when you’re finished.

Configuring Cisco Prime to Use TACACS+ Authentication

Now that Cisco ISE knows what to do with domain user’s that log into the Prime Server, we need to tell the Prime Server to use TACACS+ for it’s authentication.

  1. Go to Prime and navigate to Administration -> Users -> Users, Roles & AAA -> AAA Mode Settings and tick the radio button next to TACACS+ and check Enable fallback to Local.
    Screenshot showing enabling cisco prime tacacs plus fallback
  2. Choose which fallback method you want and click Save.

At this point you should be able to open a different browser or incognito window and log into your Prime server using your AD credentials (or whatever credentials you use with TACACS+ in your environment).

Recommended Tool: ManageEngine OpManager

  • Multi-vendor Network Monitoring
  • Simple Installation & Setup
  • Intuitive UI
  • Complete Visibility
  • Intelligent Detections
  • Easy Resolutions

Avatar

Network Engineer III

I am a Senior Network Engineer who has spent the last decade elbow deep in enterprise System Administration and Networking in the local government and energy sectors. I can usually be found trying to warm up behind the storage arrays in the datacenter.

Leave a Reply

Your email address will not be published. Required fields are marked *