How to Configure TACACS+ on Ubiquiti EdgeSwitch with ISE 2.4

Having recently deployed Cisco ISE 2.4 as my TACACS+ server, I wondered if I could use TACACS+ with my Ubiquiti EdgeSwitch equipment.

The great news is that it’s both possible, and easy!

Almost all the configuration to get TACACS+ working is within the endpoint, except for one small “gotcha” that I’ll explain below.

If you haven’t read my other Cisco ISE 2.4 and TACACS+ guides I highly recommend checking them out as well. You can find the first of the series linked directly below:

Related: How to Install Cisco ISE Eval 2.4 Appliance on vSphere 6.5


Ubiquiti TACACS+ Prerequisites

My first recommendation is to run the latest firmware. I’ll explain…

TACACS+, and AAA in general, are features that have been continually improved in new firmware releases.

Also, certain firmware versions have bugs regarding TACACS+. Version 1.0.1, for instance, has a bug that prevents typing in special characters in the shared secret in the GUI (and SNMP community strings).

As of this writing I have upgraded to version 1.7.3 (which is a direct upgrade from 1.0.1). I didn’t take it all the way to 1.7.4 because there were a lot of bugs being reported on the forums and I just didn’t want to mess with it.

If you’re running at least 1.7.3 on your EdgeSwitch then this guide should work for you!


How to Configure Cisco ISE 2.4 to Work with a Ubiquiti Endpoint

Remember that small “gotcha” I mentioned earlier? Here it is…

We need to create a custom shell profile (or update the one that you’re using) to include a Maximum Privilege of 15 in order to use TACACS+ to enter Privileged Exec Mode (otherwise known as Enable mode) on a Ubiquiti EdgeSwitch. If you don’t, you’ll get the following error in your TACACS Live Log:

Shell Profile Privilege Level not configured correctly

The steps to fix this are simple:

  1. Log into your ISE web console and navigate to Work Centers -> Device Administration -> Policy Elements, expand Results, and click on TACACS Profiles.
  2. In my case, I was using the Default Shell Profile in my Policy Set, so I created a duplicate of the Default Shell Profile and named it Custom Shell Profile. If you’re already using a custom shell profile, choose your profile and click Edit.
  3. Check the box next to Maximum Privilege and then choose 15 from the dropdown box. Click Save.
  4. Navigate to Work Centers -> Device Administration -> Device Admin Policy Sets and expand your Policy Set by clicking the right caret (or arrow). In my case, since this is a lab, I used the Default policy set.
  5. Expand Authorization Policy by clicking the right caret (or arrow) and update each rule to include your Custom Shell Profile (if you created one rather than updating the one you were already using). Click Save.

At this point ISE now knows how to respond to the privilege exec mode authentication command sent from a Ubiquiti EdgeSwitch device. Now we just need to add our EdgeSwitch to the Network Resources and we’re finished with the ISE part of things.

  1. Navigate to Work Centers -> Device Administration -> Network Resources -> Network Devices and click Add.
  2. Fill in the Name and IP.
  3. Check the box next to TACACS and enter the shared secret you wish to use with that device.
  4. Click Submit.

As a side note, you don’t have to mess with the Device Profile for this purpose. If you want, you can create a new device profile, name it Ubiquiti, and just leave everything at its defaults. That way you’ve already classified the network resource should you use ISE in other ways.

At this point we’re finished with the Cisco ISE side of things. Now we need to configure our Ubiquiti EdgeSwitch to use TACACS+.


How to Configure TACACS+ on Ubiquiti EdgeSwitch

The easiest way to configure your EdgeSwitch is to use the command line. The AAA and TACACS+ commands are very similar to the Cisco IOS commands, so they’re pretty easy to understand. Here are the configuration commands I ran to get TACACS+ working:

tacacs-server host "10.2.0.3"
timeout 5
key "mysharedsecret"
!
aaa authentication login “TACACS” tacacs local
aaa authentication enable “TACACS” tacacs enable none
aaa accounting exec “TACACS” start-stop tacacs
aaa accounting commands “TACACS” start-stop tacacs
aaa authorization commands “TACACS” tacacs
aaa authorization exec “TACACS” tacacs
!
line console
login authentication networkList
enable authentication enableNetList
no transport input telnet
exit
!
line telnet
login authentication TACACS
enable authentication TACACS
accounting exec TACACS
accounting commands TACACS
authorization commands TACACS
authorization exec TACACS
exit
!
line ssh
login authentication TACACS
enable authentication TACACS
accounting exec TACACS
accounting commands TACACS
authorization commands TACACS
authorization exec TACACS
exit

I should mention that this configuration is intended to allow only local credentials at the console and then TACACS+ creds (domain credentials) during an SSH or Telnet session (I have Telnet disabled so those settings are kind of moot).
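As an added example (not part of the original article), here is a small Python audit that parses an EdgeSwitch AAA configuration in the format shown above and checks the intent just described: the SSH and Telnet lines must authenticate login and enable via TACACS+ with a local fallback, and the console must not be left without local credentials. The embedded sample is the article's own configuration with straight quotes, trimmed to the authentication lists and line sections; the list names networkList and enableNetList are the EdgeSwitch defaults and are not defined in the config, so the audit treats undefined lists as unknown rather than failing them.

```python
# Constructed sample: the article's EdgeSwitch AAA configuration, trimmed to what the audit inspects.
SAMPLE_CONFIG = """\
aaa authentication login "TACACS" tacacs local
aaa authentication enable "TACACS" tacacs enable none
!
line console
login authentication networkList
enable authentication enableNetList
exit
line ssh
login authentication TACACS
enable authentication TACACS
exit
"""

def parse_aaa(config):
    """Map (access_type, list_name) -> method list, and line name -> {login/enable: list_name}."""
    lists, lines, current = {}, {}, None
    for raw in config.splitlines():
        tokens = raw.replace('"', "").split()
        if not tokens or tokens[0] == "!":
            continue
        if tokens[:2] == ["aaa", "authentication"] and len(tokens) >= 5:
            lists[(tokens[2], tokens[3])] = tokens[4:]
        elif tokens[0] == "line" and len(tokens) == 2:
            current, lines[tokens[1]] = tokens[1], {}
        elif tokens[0] == "exit":
            current = None
        elif current and len(tokens) == 3 and tokens[1] == "authentication":
            lines[current][tokens[0]] = tokens[2]  # e.g. "login" -> "TACACS"
    return lists, lines

def audit(config):
    lists, lines = parse_aaa(config)
    findings = []
    for line in [name for name in ("ssh", "telnet") if name in lines]:
        login = lists.get(("login", lines[line].get("login")), [])
        enable = lists.get(("enable", lines[line].get("enable")), [])
        if "tacacs" not in login:
            findings.append(f"{line}: login does not use tacacs")
        if "local" not in login:
            findings.append(f"{line}: login has no local fallback")
        if "tacacs" not in enable:
            findings.append(f"{line}: enable does not use tacacs")
    # Undefined list names are EdgeSwitch defaults; only a custom console list is checked.
    console = lists.get(("login", lines.get("console", {}).get("login")), [])
    if console and "local" not in console:
        findings.append("console: login has no local fallback")
    return findings
```

An empty result from audit() means the remote lines match the article's intent; each finding names the line and the missing method.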

I also want to mention that I was unable to figure out a way to get the EdgeSwitch to use TACACS auth for the https web console. It appears Ubiquiti has not allowed that as of 1.7.3. I’ll do more investigation and update this article if I find out more information.

If you’re more of a GUI type person, you can also accomplish setting up TACACS in the web interface (though you can’t use the TACACS creds to log into the web interface, as mentioned above). To do that, use the following steps:

  1. Log into the web interface of your Ubiquiti device (https://deviceip) and navigate to Security -> TACACS+ -> Server Summary.
  2. Click Add and enter your ISE 2.4 TACACS+ server IP and Shared Secret (Key String). Click Submit.
  3. Navigate to System -> AAA -> Authentication List, click Add, check Login, enter TACACS (or your preferred list name) and move TACACS from the Available Methods to the Selected Methods. I recommend moving Local as well so you have fallback credentials. Click Submit.
  4. Repeat the above step but choose the Enable radio button next to Access Type and move TACACS, Enable, and None from Available Methods to Selected Methods (this allows the use of TACACS creds or the Enable password to enter enable mode). Click Submit.
  5. Navigate to System -> AAA -> Authentication Selection and set your new TACACS authentication lists for both Telnet and SSH (and console if you want to, but I prefer to leave that with local creds). Click Submit.
  6. If you wish to use command authorization, navigate to System -> AAA -> Authorization List and click Add. Select Commands, enter TACACS (or your preferred name) in the list name box, and move TACACS over to the Selected Methods.
  7. Repeat step 6 but choose Exec in the Authorization Type box.
  8. Navigate to System -> AAA -> Authorization Selection and set the TACACS authorization lists you created for Telnet and SSH (and console if you prefer; I didn’t). Click Submit.
  9. Perform similar steps as above for the Accounting List and Accounting Selection if you wish to use TACACS Accounting.


At this point you should be able to SSH into your EdgeSwitch and log in using your TACACS+ credentials. You should also be able to enter enable mode using your TACACS+ password. Command authorization should be working as well, which you can test by removing yourself from the group that controls running anything other than show commands (if you followed my previous guide) and trying to enter a show run. It should fail.

I also recommend checking the TACACS logs on your ISE server and verifying everything looks good there as well when you SSH into your device using your TACACS credentials.

If everything checks out, save your configuration. You’re all done as far as a basic setup goes!
