Tacacs+ Ise

Posted onby

Re: Aruba wireless controller TACACS to Cisco ISE for admin authentication ‎ 01:48 AM I don't have access to ISE, but the workflow should be similar to what you should do with ClearPass to setup a TACACS+ service. ISE: Version 2.4.0.357 Installed Patches 9,10 Product Identifier (PID) SNS-3595-K9 Version Identifier (VID) A0 Serial Number (SN) FCH2209V02N ADE-OS Version 3.0.4.070 Switch: tacacs-server host 10.52.60.50 key 7 "XXX" timeout 4 tacacs-server host 10.52.188.50 key 7 "XXX" timeout 4 aaa group server.

downloadWhy can't I download this file?

Objective

This article describes how to configure ADC appliance to work with TACACS+ servers for Authorization, Authorization and Accounting.

Instructions

To configure external authentication using TACACS+, complete the following procedures: For TACACS+ server configuration, please refer to your vendor documentation.

TACACS+ server is configured to authenticate users and authorize commands. Citrix ADC must be configured to send the authentication and authorization requests.

  1. Go to System > Authentication > Basic Policies > TACACS and add a server.

  2. Specify the IP address of the TACACS+ server and the appropriate TACACS key as defined in the network configuration of the server.

  3. Use the following command to configure the TACACS authentication server from the command line (in this example TAC is the server name).
    > add authentication tacacsAction tacacs -serverIP 1.1.1.1 -serverPort 49 -authTimeout 3 -tacacsSecret '********' -authorization ON -accounting OFF -auditFailedCmds OFF

  4. Create the TACACS policy and set the expression to ns_true.

  5. Issue the following command to configure this from the command line (in this example, TAC_Pol is the name of the policy).
    > add authentication tacacsPolicy centos_pol -rule ns_true -reqAction centos

  6. To bind the policy globally, select the Active check-box next to the policy.


  7. Issue the following command:
    >bind system global centos_pol -priority 101​​​​​​

Additional Resources

Commands available in ADC:
add batch config dump flush import link query renumber save show stat traceroute6 unlock whoami
alias bind convert enable force init lock quit reset scp shutdown stop unalias unset
apply check create exit grep install man reboot restart send sign switch unbind unsign
archive clear diff expire help join ping release restore set source sync uninstall update
backup cls disable export history kill ping6 rename rm shell start traceroute unlink vtysh
Arguments can be found in Citrix ADC command Reference: https://developer-docs.citrix.com/projects/citrix-adc-command-reference/en/latest/
The following is the sample output from the /tmp/aaad.debug file.

Tacacs Ise Port

  • The user is first authenticated:

  • Each command is authorized by TACACS:

  • The authentication is passed from Wireshark:

  • The authorization request and response for commands:

    Note: The user is first authenticated by the TACACS+ server. Each command is authorized prior to execution. Because each command is authorized by the TACACS+ server, no group extraction exists.

Disclaimer

Tacacs Ise License

The above mentioned sample code is provided to you as is with no representations, warranties or conditions of any kind. You may use, modify and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that (a) the sample code may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the sample code fully functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any future versions of the sample code. In no event should the code be used to support ultra-hazardous activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES WHATSOEVER ARISING FROM USE OF THE SAMPLE CODE, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Although the copyright in the code belongs to Citrix, any distribution of the sample code should include only your own standard copyright attribution, and not that of Citrix. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or distribution of the sample code.