4. ISE 2.3: Device Administration (TACACS+)

Video Statistics and Information

Captions
Cisco ISE 2.3 Device Administration, TACACS+. Okay, so again this is a vanilla deployment in regards to TACACS+. The ISE server pretty much only has an IP address, and here we're going to enable TACACS+. The very first thing that we're going to do: it gives a little description, and now this is going to be the central policy enforcement mechanism for anything that connects to, or can be anything that's connected to, wired, wireless or VPN, including device administration, in a highly available deployment here, with one of the work centers obviously focused on device administration. It gives you a walkthrough of the things that you need to do in order to get it configured, and here's some, you know, typical settings that you could tweak, but we're really going to jump right into it and just get it configured.

So the first thing we're going to do is create a couple of users and groups. The first thing we'll do is create two groups: one is All Device Admins and then the second one would be All Device Helpdesk, and we're going to use that as an element to determine what access we're going to give an individual when they authenticate, and then obviously authorize the commands to run. So now we've got the groups created; we're going to very quickly jump over and create the users and assign those users to those groups. We're going to use local authentication in this case. So here we'll do the All Device Admin user first, and then we'll go through and create the helpdesk user as well. We'll give it a login password and an enable password, and then we'll select the group itself, right, give it a first name, last name, etc. You might want to put in an email address, but we're just keeping it very simple. The idea here is to show you how quickly you can get, you know, a technology like Identity Services Engine up and running and functioning and providing value very, very quickly, even with things like TACACS+. And what I wanted to do, and what I've done in many of the videos, is that the configuration is very focused on a specific requirement. So you might want to do X, whatever X looks like; I'm not going to build off of a big, you know, bunch of pre-configuration elements that need to be there first before you can move forward. Now, some things need to be there, like IP addressing etc., but the idea is that I want to show you from start to finish, right: you want to do TACACS+, this is ISE, there is no pre-configuration from a TACACS+ perspective, how do you get it up and running, and how do you get a switch, for example, pointed to ISE, and then having people being able to log in and having command-level authorization. And that's what we do.

So now we're going into Policy Elements. Now what we want to do is define a couple of elements like command sets and the TACACS+ profiles. So the first thing we're going to do from a command set perspective is create two, right, just like the groups, and we're going to create one for the All Device Admin and then we'll create one for the All Device Helpdesk. In the administrative level 15 we are going to give full access, so there is going to be no restriction whatsoever, and then the helpdesk command set will be restricted to a set of commands that we feel that that user requires in order for them to function in the role they're in. Again, you can be, you know, much more granular if you want to; you could add a bunch more commands. It's really dependent on what you want to do. Here, what we're going to do is really there's going to be four commands that the user is going to be allowed to use, and that's going to be exit, enable, show ip interface and show ip route, and that's it. They're not going to be able to make any changes to the system itself, but they're going to be able to very quickly troubleshoot certain elements within the device that they're managing. And again, this offloads work from the senior-level folks, right, and empowers junior-level individuals to be able to do certain tasks without the worry that they might do something a little more disruptive by accident, or maybe because they feel that they have the capability to do so, right.

So we'll finish up here adding a couple of commands, and then we'll just reorder them and then save that out. Once this is complete we're going to move over to the profile, and the profile is going to set things like their default privilege level when they log in. So for example, what we'll do is for the admin, like, you know, minimum privilege level of 1, and privilege level 7 is the max. Here I'm just reordering, and what you saw there was, if you have two elements highlighted, obviously you can't move them both at the same time. Okay, so that's done. Let's quickly go over to do the TACACS+ profile. So what we've done already is we've enabled TACACS+, right, that's the first thing; we've created two groups and we've created two users; we've created two TACACS+ command sets; and now we're going to create two TACACS+ profiles. And then once we're done this portion of it, then we're going to move into building out the policy sets themselves. And you can see we're 6 minutes in; we're just finishing up in regards to what's required from a TACACS+ perspective so far on the Identity Services Engine platform. So 15, level 15 and 15 here, so that's good. We'll do the helpdesk element as well, and here we'll do the default privilege of 1 and then, as mentioned, maximum privilege of 7. And so that looks good.

So from here, right now we've got all the core elements that are required. We'll now build out the policy set, and once the policy set is configured we move into the configuration of the network access device, right, making sure TACACS+ is enabled, and then we'll do some switch configuration. So here we're going to dictate that anything that is a device type of Cisco, it'll hit this policy set. Now, I change this a little later and I make note of it: I use, you know, a device type label of Cisco Switch, so I'm a little more granular in the policy set itself. So let's modify the default authentication mechanism here, and we're going to just point to Internal Users as the store that we're going to use. So we've got default, got the rule name; we could be a little more granular here as well if we wanted to, we could add additional conditions; in this case, you know, there's no need to for this example. So now we have our identity authentication policy complete.

Now we're going to move to the authorization policies, and this one now is where we're going to start using some of the elements that we created. So the first thing we're going to do is use the All Device Admin. The condition here is going to be All Device Admin, and what we're going to do here is we're going to grab that All Device Admin privilege 15 command set and the profile that's obviously assigned to the All Device Admin group. So what we can do now is we can duplicate that rule and just do some modification of it. In this case it might have been easier just to start from scratch, but I want to show you the duplication of it, right, because now I've got to go in and delete some of the elements, but as you get more complex authentication or authorization policies, copying them certainly comes in handy, right, because there's only a subset of the data that you need to manipulate. So now we assign the helpdesk element. So that's good, we'll save that out, and now we've got all of the core elements required for TACACS+.

But now we've got to move towards configuring the network access device, to make sure that the switch itself is able to leverage ISE. So the first thing is we've got to enter the device into Identity Services Engine, but I've already added the device in the previous video, so this one is carried over a little bit, right. So I already have the RADIUS portion, so really the difference would be you give it the IP, which I already did, right, and then you would check the TACACS+ box and you'd be done. The other piece now is configuring the switch itself. So here's a copy of the configuration I have applied, so we're going to copy this and move it down. I'm not going to go through each one of these commands to tell you each one and what they're doing; certainly you can review it, you can use the guide to have a quick look at it, but this is going to give you a full working example of what we've done so far. The other thing that I did not add here: we're doing command authorization, and that was really the focus here. I did not include the authentication portion, so if you want TACACS+, which you typically would want, you would also add login authentication in this column, in this case default, because that's the default that we're using. But you would certainly add that, and that way then you're not only getting all the authorization components but also getting the login data as well as being authorized.

So we're just logging in, right. So again, I've already applied that configuration that I showed you in a text file, and I'm logging in just to see what access that individual has. So the first thing to note here is that I did change that device list to include that Switch parameter, right, so a little more specific, and I talked about that earlier in the video, but I made note there as well, as you saw in red. Okay, so let's log in. Here we can start seeing things from an authorization perspective start showing up, and now we've logged in and we can see we're at privilege level 15. That's great. Okay, so now that's good. What I'm doing is capturing logs, and so we can talk a little bit about it for a second, but the first thing is that that's the All Device Admin. Now the helpdesk, right. So now we're going to enable 7. Okay, that worked, that's good. We'll do show privilege: command not authorized, because that wasn't one that we entered. But let's do show interface: again, failure. show ip interface: that one works, okay. And now if we do show ip route, that's going to work as well.

So you can see they can't run any additional commands because they're not authorized, and we're authorizing every single command. If we look at some of the logs themselves, right, so here's the report on the failure: it shows what failed, right, or why it failed, and then what command was entered. So there is no hiding; it's all transparent, it's all logged, and even if the entered commands are not authorized, we can still see what they're doing or attempting to do, and maybe there's a conversation to be had. Anyways, that's it.
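The policy the video assembles in the ISE GUI (two groups, two command sets, two TACACS+ profiles, and an authorization rule per group) can be read more precisely as code. The following is an added example written for this page, not code from the video, from Cisco, or from ISE itself: it models exec (shell) authorization, per-command authorization against a command set, the privilege ceiling from the profile, and an audit record for every decision, pass or fail. The user, group, command-set and profile names are constructed to mirror those used in the video; prefix matching on arguments and the `enable N` ceiling check are this example's own simplifications of how ISE evaluates command sets and enable requests.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Identity store: user -> group (constructed to mirror the video's names)
USER_GROUPS: Dict[str, str] = {
    "all-device-admin-user": "All Device Admins",
    "all-device-helpdesk-user": "All Device Helpdesk",
}


@dataclass(frozen=True)
class CommandSet:
    """A TACACS+ command set: permitted (command, argument-prefix) entries plus
    the 'permit any command that is not listed' flag. Prefix matching on the
    argument string is this example's simplification of ISE's matching."""
    name: str
    permitted: Tuple[Tuple[str, str], ...] = ()
    permit_unlisted: bool = False

    def allows(self, command: str, args: str) -> bool:
        if self.permit_unlisted:
            return True
        return any(command == cmd and args.startswith(prefix)
                   for cmd, prefix in self.permitted)


@dataclass(frozen=True)
class ShellProfile:
    """TACACS+ profile: privilege level at login and the highest level the
    user may enable to."""
    name: str
    default_privilege: int
    max_privilege: int


# Policy elements, as the video creates them under Device Administration
ADMIN_CMDS = CommandSet("All Device Admin Privilege 15", permit_unlisted=True)
HELPDESK_CMDS = CommandSet("All Device Helpdesk", permitted=(
    ("exit", ""),
    ("enable", ""),
    ("show", "ip interface"),
    ("show", "ip route"),
))
ADMIN_PROFILE = ShellProfile("All Device Admin", 15, 15)
HELPDESK_PROFILE = ShellProfile("All Device Helpdesk", 1, 7)

# Authorization rules: group -> (command set, profile); first match wins
AUTHZ_RULES: List[Tuple[str, CommandSet, ShellProfile]] = [
    ("All Device Admins", ADMIN_CMDS, ADMIN_PROFILE),
    ("All Device Helpdesk", HELPDESK_CMDS, HELPDESK_PROFILE),
]


@dataclass
class AuditEvent:
    """One authorization record. Written for every request, passed or failed,
    which is what lets the failed-command report show what was attempted."""
    user: str
    privilege: int
    command: str
    result: str  # "PASSED" or "FAILED"
    reason: str


AUDIT_LOG: List[AuditEvent] = []


def _rule_for(user: str) -> Optional[Tuple[CommandSet, ShellProfile]]:
    group = USER_GROUPS.get(user)
    for rule_group, cmds, profile in AUTHZ_RULES:
        if group == rule_group:
            return cmds, profile
    return None


def authorize_exec(user: str) -> Optional[int]:
    """Shell authorization at login: the privilege level the session starts
    at, or None when no rule matches (no shell granted)."""
    match = _rule_for(user)
    if match is None:
        AUDIT_LOG.append(AuditEvent(user, 0, "<exec>", "FAILED", "no authorization rule matched"))
        return None
    _, profile = match
    AUDIT_LOG.append(AuditEvent(user, profile.default_privilege, "<exec>", "PASSED",
                                f"profile {profile.name}"))
    return profile.default_privilege


def authorize_command(user: str, privilege: int, line: str) -> bool:
    """Per-command authorization: every command line the switch forwards gets a
    PASS/FAIL answer, and both outcomes are logged."""
    parts = line.strip().split(maxsplit=1)
    command, args = parts[0], (parts[1] if len(parts) > 1 else "")
    match = _rule_for(user)
    if match is None:
        allowed, reason = False, "no authorization rule matched"
    else:
        cmds, profile = match
        if command == "enable" and args.isdigit() and int(args) > profile.max_privilege:
            allowed, reason = False, f"level {args} exceeds max privilege {profile.max_privilege}"
        else:
            allowed = cmds.allows(command, args)
            reason = f"command set {cmds.name}" + ("" if allowed else ": command not in set")
    AUDIT_LOG.append(AuditEvent(user, privilege, line.strip(), "PASSED" if allowed else "FAILED", reason))
    return allowed


def failed_commands(user: str) -> List[str]:
    """The failed-command report: every command the user attempted and was denied."""
    return [e.command for e in AUDIT_LOG
            if e.user == user and e.result == "FAILED" and e.command != "<exec>"]


if __name__ == "__main__":
    # Constructed session replaying the video's helpdesk login
    user = "all-device-helpdesk-user"
    level = authorize_exec(user)
    for cmd in ["enable 7", "show privilege", "show interface",
                "show ip interface brief", "show ip route", "configure terminal"]:
        print(f"{cmd!r:28} -> {'PASSED' if authorize_command(user, level, cmd) else 'FAILED'}")
    print("denied:", failed_commands(user))
```

Run as a script it replays the helpdesk session from the video: `enable 7` and the two permitted `show` commands pass, `show privilege`, `show interface` and anything configuration-related fail, and every attempt, including the denied ones, is in the audit log. The first-match rule order and the global "permit unlisted" flag are the two settings worth reviewing most carefully in a real deployment, since either one can silently widen what a junior role is allowed to run.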
Info
Channel: Jason Maynard
Views: 54,240
Keywords: Cisco Security, ISE, Identity Services Engine, TACACS+, TACACS, Threat-Focused, NAC
Id: IlZwB71Szog
Length: 13min 49sec (829 seconds)
Published: Sun Aug 06 2017