LabMinutes# SEC0205 - ISE 2.0 TACACS+ Device Admin with Shell Profile (Part 1)

Captions
Welcome to the LabMinutes video series on Cisco ISE 2.0. You can find the complete set of videos on our website by clicking the link above, and sign up for our newsletter to receive the latest video updates. In this video we are going to configure TACACS+ on Cisco ISE 2.0. We will go over the different components and policies to get basic TACACS+ authentication going with shell authorization, and compare the similarities and differences to ACS 5.x. We are going to use the same scenario that we did back in the ACS 5 video, SEC0086 ACS 5.4 TACACS+ Device Admin on Switch and ASA. In fact, we are going to assume that you have some familiarity with ACS 5, as we will keep referring back to ACS throughout this video and the next to help out folks that will be migrating from ACS.

For the lab setup we have our Cisco ISE 2.0 on VLAN 32 with the IP 172.16.32.102. On the same VLAN we have a Windows 2012 domain controller and certificate authority server with the IP of .40. The network devices that we are going to be using for our device admin testing are switch1, which is a 3850 switch that is acting as the default gateway for VLAN 32, and directly connected to that is an ASA firewall with the IP of 172.16.10.2. For the switch we are just going to use loopback 1, 172.16.0.10. So those are the two devices we will be using for our access scenarios. We have four different users here; some of them have been created on AD and some we will create ourselves in this lab as local users. For the AD users we have admin1, which is part of the AD group Network Admin, which will give a shell privilege of 15. Then we have another AD user, support1, which is part of the AD group Network Support, and we will be trying to deny shell access for that user. With the same level of access, I guess the counterpart of admin1 is local1, which is a local account that we will create; it will be part of a local user group of Local Admin and get privilege 15. Then local2, which is part of the Local Support local group, will be denied access to the shell.

So let's jump on to the remote desktop we have open here, which is the domain controller, and here we have the ISE web interface open. But before we dive into the configuration on ISE, since we have two users that reside on AD, let me show you those two users, admin1 and support1, here under the labminutes OU. admin1 is a member of Network Admin and support1 is a member of Network Support.

The first thing you need to make sure of, since we are leveraging AD as our user database, is the connection between ISE and AD, and that's under External Identity Sources. Here under Active Directory we have the scope labminutes that I've already created with the domain labminutes.com. Currently our status is operational, so we should be ready to go. While we're here, we're just going to go ahead and add our AD user groups. We already have some from our base configuration, but not the two groups that we need, which are Network Admin and Network Support. So let's click Add, Select From Directory, and we're going to search for the word "network", since both of the groups contain the string "network". There you go, we got Network Admin and Network Support. Later on we will use those as part of our authorization conditions.

One of the things you want to make sure you have acquired prior to configuring TACACS+ is the license. The box has to be properly licensed with the Device Admin license. If you go under System > Licensing, you see that there is a requirement as far as licensing for Device Admin, and unless you have properly installed the license, or are running the eval like we are doing here, you may not actually be seeing the Device Administration menu right here in the Work Centers. This column right here would basically be blank and you would not be able to configure anything that's related to device admin. So here we have a Device Admin license enabled, and it's a one-time license. If you're upgrading from the previous version, then you need to make sure that you purchase that license from your reseller and install it here. Unlike ACS, which also has a large license if you exceed 500 devices, on ISE it's just a single license that you need, and it will support as many devices as you need. Once you have the license installed, you also need to make sure that you have the device admin service enabled on your Policy Service Node. So let's go under System > Deployment, pick your Policy Service Node, and there's a checkbox here for enabling the Device Admin Service; click Save.

What we're going to do next is to configure an identity source sequence. Since our user database is going to be on both AD as well as local, we just want to limit the identity sources to be just those two types, and we're going to do that through Identity Source Sequences. I believe we have one already for AD and local only... we have one for AD, and we have one that has cert, AD, local and guest. So we've got to create a new one; call it LM AD Local, description "check AD then local database". OK, then down here we add... there are different choices that you can pick, where there's the domain level, all join points, or scope level. We're just going to do the scope level in terms of AD, and Internal Users. Click Submit.

So now that we have configured the user database with the identity source sequences, we can go through the Work Center for the device admin workflow, starting off with the Overview. You might want to spend a little bit of time reading through this just to understand what you need to configure, or you can also just follow along the menu shown on top here from left to right; I believe that works as well, and that's what we're going to do. Starting off with the Identities menu, where we need to create local users; in this case we have two local users, local1 and local2. If you do not plan to use the local user database, you can just go ahead and skip that. Since we do, we're going to create local user local1 with the login password. Usually I do all cisco, but here I want to test changing the password on next login, so I'm going to make it cisco123, and for enable I'm just going to do regular cisco. Just to do a quick test to force the user to change the password at next login, let's check that checkbox. Currently we don't have any user group created, so we're going to leave it blank. We'll create one more for local2 here, just going to do password cisco all the way through. OK, Submit.

The next menu over is User Identity Groups, and here we can create identity groups for our users. Make sure you pick the user and not the endpoint. We'll click Add; the first local group is called Local Admin, description if you like, just say "group local admin", Submit. Click back in, and then we want to add the local1 user to that: Add user, pick local1, and then it's automatically added; Save. The next local group is Local Support, group local support, click back in and then we'll add local2 this time. OK, I guess we should go back and always double check and make sure it successfully added, which it did. So now we're done with that menu.

Moving on to Network Resources with Network Devices. Here we're dealing with switch1 and firewall1, and both of those devices have already been added to ISE, but only for RADIUS. So now we're going to go under LM switch1, and what we need to do is add the TACACS+ secret key; we'll keep it simple, cisco, show cisco. If you want to enable single connection mode you can do so right here; we're just going to skip it, go back and do the same for firewall1. Let's make sure it looks correct and save. If you have a lot of devices, you can use the import/export function to make bulk changes, and that helps you out, especially if you already have a large deployment of 802.1X with RADIUS and all you need to do is update the TACACS+ section; you can do that. I believe it will come out in CSV format and you should be able to just add a column, if not there already, for TACACS+.

The Default Device is for any devices that do not match your network device list. Before there was only a RADIUS section and now we have a TACACS+ section, so if you want to use that, then make sure you enable that feature. Now for TACACS External Servers and TACACS Server Sequences, those are for if you want ISE to act as a TACACS+ proxy, where TACACS+ requests are received and forwarded to another external TACACS+ server. This is very similar to what ACS is capable of. If you're currently using that proxy function, then you would need to configure these sections accordingly. We're not going to do that here, so I'm going to skip it. Now for Network Device Groups, if your devices are not in a group already you can do it right here. I think for the device types they already are, so we have a switch, firewall and wireless LAN controller created. Let's go ahead and create a new location; click on Location and maybe just call it HQ, headquarters, click on that, and here we can add all of our network devices to it. Completely optional, but just so you know you can do it right here as part of the configuration flow.

Next is Policy Conditions. If you want to create a library of conditions that you want to reuse at multiple places in the policies, which is very similar to what you can do with RADIUS, then you can create them here. Actually, I believe it's sharing the same library table as RADIUS, so whatever you create here will basically show up if you were to configure RADIUS as well, so make sure you name them properly so you can tell them apart; try not to mix them up if you can. There's a section for authentication and also a section for authorization, and I would say this is completely optional, so we're not going to do that and skip ahead to Policy Results.

Policy Results here only lists what's related to TACACS+. This is different from if you were to go under the Policy menu and then Policy Elements > Results, because that's for RADIUS; so as far as TACACS+, this submenu is the only place you can come in and access it. There's one for Command Sets and one for Shell Profiles. We're going to skip the command authorization for now, so we're going to leave that unconfigured and skip ahead to TACACS Profiles. The only profile we really need to create right now is the one that allows privilege 15. By default there's one called Default Shell Profile, and if you look under there I don't think there's anything configured; it's just an empty profile, as you can see here. So by returning this, it's basically just returning authorization success without any type of attributes being returned. So now we are going to create our own. Click Add; we're going to call this one Priv15, for privilege 15, and we also want to do Max15 here as well. Under the Task Attribute View there is Common Tasks, which are the common attributes that most people use when configuring TACACS+, things like Default Privilege, which we'll select; let's select 15 here, so it goes between 0 and 15. For Maximum Privilege do the same, so the user would not be able to exceed that, but here we're selecting 15. Then there are things like ACL, auto command, timeout, idle time, which I think pretty much look very similar to what you might have had on ACS. At the bottom, if you want to push down a custom attribute that's not listed here in the common tasks, you can do so by adding it, but you need to know the exact attribute names and values. A good example is when you configure TACACS+ with a wireless LAN controller; I believe that's being governed by a role attribute, so you need to know the correct format and string of the values to send to the device. Then the next tab over is the Raw View, so whatever you configure on this page you can view as raw attribute values, and that's what ISE is going to be returning to the network devices. So here we have our privilege level 15 and max privilege level 15. Then click Submit. So we'll see, so far with the shell profile, it looks very similar to what we used to have with ACS.

Now that we have that configured we can move along to the Policy Sets. Just a quick note here: this policy set is dedicated to device admin only and completely separate from the RADIUS policy sets. If you go to the policy sets for RADIUS, you see that currently we have quite a number of policy sets configured already, and none of those show up when you go under the Device Admin policy sets. By default there is one default policy set that you can use; if you don't plan to build a complex hierarchy of authorization policy, then you can just go ahead and use the default policy set, otherwise you can create your own policy set, which we will do here just to demonstrate that. Click this Add icon and then Create Policy Set; then you can change the name, we'll just call it LM Device Admin. Conditions are not really necessary in our case since we're just going to use a single policy set for everything. Unlike ACS, where the service policies are shared between RADIUS and TACACS+, so for device admin you would have to specify the protocol to be TACACS+, you don't really have to do it here, because the system sorts the RADIUS and TACACS+ requests for you automatically and drops them into the correct policy set. We're just going to show you that we are going to match by protocol TACACS+, although completely unnecessary, but you do have other options if you would like to match things like the actual TACACS+ attributes themselves that ISE received from the network device, or the device type or device group. Then you have this little section at the top that's related to the TACACS+ proxy function; if you want to just have ISE relaying the TACACS+ requests, then you will select the corresponding proxy server sequence right here.

Then you get under the authentication policy. There's one default rule that is using the allowed protocols Default Device Admin, and I guess we can go under there... yes, it should be under Results, just to see what's defined in Default Device Admin. There it should be, under Results > Allowed Protocols, right here, Default Device Admin, and by default it is allowing PAP, CHAP and MS-CHAPv1. OK, so that should be good enough for what we're doing. Then for the user database, right now it's selecting All User ID Stores, but we know that we only want to use AD and local, so we select the sequence that we created earlier, LM AD Local.

Now we get to the authorization policy section. We are going to create two policies here, one for network admin and one for local admin, and assign them privilege level 15, while we're going to let the other two user groups fall all the way down to the default deny rule right here. So Insert Rule Above; call this one Network Admin; the condition is based on AD group membership, OK, External Groups, and we need Network Admin right there. We're not going to assign a command set right now, but select the shell profile of Priv15 Max15. Then we need to create another one for the local admin, so we're going to Duplicate Below, Local Admin; we're not going to use the AD group, so delete it, but instead select the local user group, User Identity Group, Local Admin, and then the same Priv15 Max15. Then you have the default authorization rule. Just to make a quick note here: the shell profile is left blank by default, and as you can see if you try to click on it, if this were ACS you would have been able to select a Deny Access option, but that option doesn't seem to be available on ISE currently. So the best you can do right now is to leave it blank, because it doesn't make sense for you to pick Default Shell Profile or Priv15 Max15, because both of those will return authorization success per se. So we leave it out for now and leave the command set to Deny All Commands as well; click Submit.

We're going to skip the Reports section for now, because that would be after the fact, once we've gone through the authentication testing. The last option here is Settings. Some of the things you can change here are the timeout values, maximum packet size, or the username and password prompts if you want to change them to something other than the regular username and password, whether or not to support single connect, password change control if you want to allow users to be able to change passwords, and session key assignment. We're not going to change anything here; we'll leave it at default. For the most part, again, it looks very similar to what you can do on ACS. So now that we have the basic configuration in place, we can go ahead and continue with the AAA configuration on the network devices.
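The Raw View of the shell profile is where the attribute names and values have to be exact, so here is an added example (not the video's configuration and not Cisco ISE code) that parses shell profile attribute-value pairs in the RFC 8907 encoding and checks the privilege level against the 0-15 range, the profile's maximum privilege, and the mandatory/optional separator. The attribute names, the `=`/`*` separators and the sample lines are assumptions and constructed inputs.

```python
"""Parse and sanity-check the attribute-value pairs a TACACS+ shell profile
returns (what the profile's Raw View shows). Added example, not ISE code.
Assumes the RFC 8907 encoding: "name=value" is mandatory, "name*value" optional.
"""
from dataclasses import dataclass

PRIV_MIN, PRIV_MAX = 0, 15  # valid IOS privilege levels

# Shell-service attribute names listed in RFC 8907 section 8.2
KNOWN_SHELL_ATTRS = {"priv-lvl", "acl", "autocmd", "timeout", "idletime",
                     "inacl", "outacl", "addr", "routing"}


@dataclass(frozen=True)
class AVPair:
    name: str
    value: str
    mandatory: bool


def parse_avpair(text: str) -> AVPair:
    """Split one raw-view line at its first '=' (mandatory) or '*' (optional)."""
    text = text.strip()
    idx = next((i for i, ch in enumerate(text) if ch in "=*"), -1)
    if idx <= 0:  # no separator, or an empty attribute name
        raise ValueError(f"not a TACACS+ attribute-value pair: {text!r}")
    return AVPair(text[:idx], text[idx + 1:], text[idx] == "=")


def parse_profile(raw_view: str) -> list[AVPair]:
    """Parse every non-blank line of a shell profile's raw view (constructed input)."""
    return [parse_avpair(line) for line in raw_view.splitlines() if line.strip()]


def check_shell_profile(pairs: list[AVPair], max_priv: int = PRIV_MAX) -> list[str]:
    """Return the problems found (empty list = sane). max_priv models the
    profile's Maximum Privilege, which the default privilege must not exceed."""
    problems = []
    if sum(p.name == "priv-lvl" for p in pairs) != 1:
        problems.append("shell profile should return exactly one priv-lvl")
    for p in pairs:
        if p.name not in KNOWN_SHELL_ATTRS:  # e.g. a vendor attribute for a WLC
            problems.append(f"custom attribute {p.name!r}: verify exact name and value format")
        if p.name != "priv-lvl":
            continue
        if not p.value.isdigit() or not PRIV_MIN <= int(p.value) <= PRIV_MAX:
            problems.append(f"priv-lvl must be an integer {PRIV_MIN}-{PRIV_MAX}, got {p.value!r}")
        elif int(p.value) > max_priv:
            problems.append(f"priv-lvl {p.value} exceeds maximum privilege {max_priv}")
        elif not p.mandatory:
            problems.append("priv-lvl should be mandatory ('='), not optional ('*')")
    return problems
```

Running `check_shell_profile(parse_profile("priv-lvl=15"))` models the Priv15 Max15 profile from the video and returns no problems; lowering `max_priv` or pushing a custom attribute shows what the check flags.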
Info
Channel: Lab Minutes
Views: 16,354
Keywords: ise, ise 2.0, tacacs+, aaa, switch, asa
Id: 5fM0bzwldvY
Length: 21min 38sec (1298 seconds)
Published: Mon Mar 14 2016