
Basic TACACS on Cisco ISE

Updated September 28, 2023. Written for LMS Version 6.4.

Overview

Local Managers can offload AAA (Authentication, Authorization, and Accounting) to third-party TACACS and RADIUS servers. This document describes deploying a new Local Manager and configuring it to use Cisco ISE via TACACS for authentication and group-based authorization. Control Center integration and TACACS accounting are not covered. The Cisco ISE instance in this document is freshly installed.

Install ISE


Install Local Manager

Log into the LM with the default admin account.

login as: admin
admin@192.0.2.218's password:
Lantronix LMS v6.3 39160 -- Powering Business Uptime
------------------------------------------------------------------------------
Port   Hostname      Status    Con Eth Uptime  Processor  Last
                                               Utilization Alarm
---- ------------------ ------------------ --- --- ------- ----------- -------
 1/1
 1/2
 1/3
 1/4
 1/5
 1/6
 1/7
 1/8
 MDM embedded
 SYS LantronixLM     OK           * 38m 7s   05/03/02
------------------------------------------------------------------------------
Con(sole) or Eth(ernet) link status indicated with '*'
Processor Utilization displayed as last collected, 1 and 5 minute averages
Last Alarm displays time since last Alarm matched.
         d=day, h=hour, m=minute, s=second

[admin@LantronixLM]#

Authentication

If already enabled, disable the management server so the LM operates independently.

[admin@LantronixLM]# config sys man
--- Existing Values ---
Use Management Server: auto
Hostname or IP: (searching)
Port:
Heartbeat interval (seconds): 30
Heartbeat band: all
Always use minimal heartbeat: false
Last successful heartbeat: (not yet contacted)
Change these? (y/n) [n]: y
--- Enter New Values ---
Use Management Server (y/n/auto) [auto]: n
Disable NTP also (y/n) [y]: y
Do you want to commit these changes? (y/n): y

[admin@LantronixLM]#

Set the session timeout to 2 hours (the maximum) for testing:

[admin@LantronixLM]# config sys time
Current session timeout is 5 minutes.
Change this? (y/n) [n]: y
Timeout (5 to 120 minutes) [5]: 120

Create a demo user and give it the admin role on the system resource:

Note: The default Cisco ISE administrator account is admin; that ID cannot be used for network device access via TACACS. Give the rbuilder user explicit authority that is not subject to group membership. It can be removed in the production environment later, but it is helpful for testing and troubleshooting.

[admin@LantronixLM]# config user rbuilder
User rbuilder does not exist. Create (y/n): y
[config user rbuilder]# system admin
[config user rbuilder]# exit

Set up basic delegation to the TACACS server:

[admin@LantronixLM]# config sys auth
--- Existing Values ---
Authentication type: local
Limit maximum concurrent sessions: false
Use strong passwords: false
Expire password: false
Number of invalid attempts before lockout: 0
Change these? (y/n) [n]: y
--- Enter New Values ---
Authentication type [local]: TACACS
Authentication method [pap]:
Accounting type [none]:
Use RADIUS/TACACS Authorization (y/n) [n]: y
Create users (y/n) [n]: y
Cache passwords (y/n) [n]: y
If server is down, should the system use local authentication (y/n) [n]: y
First authentication host IP: 192.0.2.251
First authentication port [0]: 49
First authentication shared secret: ********
Confirm shared secret: ********
Second authentication host IP:
Limit maximum concurrent sessions (y/n) [n]:
Use strong passwords (y/n) [n]:
Expire password (y/n) [n]:
Number of invalid attempts before lockout [0]:
Do you want to commit these changes? (y/n): y

(optional) Log into the ISE Server over SSH to review the configuration:

login as: admin
admin@192.0.2.251's password:
Last login: Never
Failed to log in 0 time(s)

ISE-Lantronix-DOC/admin# show run
Generating configuration...
!
hostname ISE-Lantronix-DOC
!
ip domain-name corp.Lantronix.com
!
ipv6 enable
!
interface GigabitEthernet 0
 ip address 192.0.2.251 255.255.255.192
 ipv6 address autoconfig
 ipv6 enable
!
ip default-gateway 192.0.2.254
!
!
clock timezone UTC
!
ntp server time.nist.gov
!
username admin password hash $6$advTRpeFtyY.dg6S$0F3H3Wuiu/Ea1U7g2ABG7NMirAxMolm6XZxo6Z1NO/EmpxX9XF0y2gt3cDL3xwxCOO1BKB/vbHhdINXYrj7BK0 role admin
!
!
service sshd enable
service sshd encryption-algorithm aes128-gcm@openssh.com chacha20-poly1305@openssh.com aes256-gcm@openssh.com aes128-ctr aes256-ctr
!
!
logging loglevel 6
!
!
icmp echo on
ISE-Lantronix-DOC/admin#

Log into ISE via a browser at https://192.0.2.251.


Navigate to the Menu icon in the upper left corner and choose Administration/Network Resources/Network Device Profiles.


Click Add to create a new Device Profile for Lantronix. This example will focus on TACACS.

Note: You can download a small PNG for Lantronix from a deployed Lantronix Control Center at the following URL:

https://Lantronix-control-center.[subdomain]/images/logoStateBlack26.png

Complete the fields for the new profile and click Submit.


Next, click Default Device and create a default device entry for the example Local Manager: enable TACACS, enter the same shared secret that was set on the LM in config sys auth, and press Submit. Note: the Default Device entry applies to any network device not explicitly defined in ISE, so for production add the LM as a specific network device by IP and disable the default.


Next, enable the TACACS Device Admin Service: navigate to Menu/Administration/System/Deployment, edit the ISE node, and enable the Device Admin Service. Note: ISE will likely ask you to acknowledge a prompt noting that TACACS is not secure by itself; the protocol protects the packet body with MD5-based obfuscation under the shared secret, not authenticated encryption, so keep the LM-to-ISE path on a trusted management network.


Navigate to Work Centers/Device Administration/Device Admin Policy Sets


Click the greater-than symbol at the right of the Default policy set to expand the default TACACS policy set.


Click Authorization Policy and change the Shell Profile of the default rule from Deny All to Default Shell Profile. This lets any user that ISE authenticates into the LM shell, so it is only for the first test; return the default rule to Deny All once group-specific authorization rules are in place.


Now navigate to Administration/Identity Management/Identities and add the local user rbuilder. We add the user to the Employees group for now but do not use that group yet.


The basics of TACACS authentication are now configured. Test the configuration with your SSH client using the rbuilder username and the password set in ISE.


Note: the LM's default admin credential now fails to authenticate because authentication is delegated to ISE, where admin is the ISE administrator account rather than an identity in the internal user store used for device access; local authentication is used only when the ISE server is unreachable. Also notice that the rbuilder ID was only given system authority with the guest role, so it can display limited system elements.

Authorization

Authorization delegated to TACACS/RADIUS is accomplished by Lantronix GROUP membership. The config sys authentication command executed in the previous section chose to “

The groups must already exist on the LM, each configured with a ROLE mapped to a RESOURCE. When ISE returns group names with a user's authentication, the LM applies the privileges of exactly those groups to the session, so create the groups on the LM first.

For this example we use the default admin role on the device ports:

WAN: ports 1 and 2, plus the guest role on the system resource.

LAN: ports 3 and 4, plus the guest role on the system resource.

UPXMGMT: Lantronix configuration management, i.e. the admin role on the system and modem resources.

[admin@LantronixLM]# config group WAN
Group WAN does not exist. Create (y/n): y
[config group WAN]# system guest
[config group WAN]# port 1/1 admin
[config group WAN]# port 1/2 admin
[config group WAN]# exit

[admin@LantronixLM]# config group LAN
Group LAN does not exist. Create (y/n): y
[config group LAN]# system guest
[config group LAN]# port 1/3 admin
[config group LAN]# port 1/4 admin
[config group LAN]# exit

[admin@LantronixLM]# config group UPXMGMT
Group UPXMGMT does not exist. Create (y/n): y
[config group UPXMGMT]# system admin
[config group UPXMGMT]# modem admin
[config group UPXMGMT]# exit

The TACACS A/V pair acl carries group membership. Its value is a comma-separated list of LM group names; when it is returned in the TACACS response, the LM removes the user from all groups and then adds the user to exactly the groups listed.
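The following Python model, added here and not part of Lantronix's or Cisco's code, shows the exchange this attribute rides in. It builds an RFC 8907 authorization REPLY carrying acl=WAN,LAN, applies the MD5 pseudo-pad body obfuscation with the shared secret, then decodes it on the Local Manager side, extracts the group list and applies the replace-all-memberships rule described above. It also shows why the Deployment page warns that TACACS is not secure by itself: the body is XORed with an MD5 keystream and carries no integrity check, so a mismatched secret produces silent garbage rather than an error. The session ID, secret and the assumption that the LM ignores group names it does not know are constructed for the example.

```python
import hashlib
import re
import struct

VERSION = 0xC0                    # TACACS+ major version 0xC, minor version 0
TAC_PLUS_AUTHOR = 0x02            # packet type: authorization
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # body sent in clear (never use in production)
AUTHOR_STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL",
                 0x11: "ERROR", 0x21: "FOLLOW"}
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length
AVPAIR = re.compile(r"^([^=*]+)([=*])(.*)$", re.S)  # '=' mandatory, '*' optional

def pseudo_pad(session_id, secret, seq_no, length):
    """RFC 8907 4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1), concatenated."""
    prefix = struct.pack("!I", session_id) + secret + bytes([VERSION, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:length]

def obfuscate(body, session_id, secret, seq_no):
    """XOR the body with the pseudo-pad; calling it again reverses it. There is
    no MAC, so a wrong secret yields garbage, not a detectable failure."""
    pad = pseudo_pad(session_id, secret, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_author_reply(status, args, server_msg=b"", data=b""):
    """Authorization REPLY body in the RFC 8907 6.2 layout."""
    encoded = [a.encode() for a in args]
    head = struct.pack("!BBHH", status, len(encoded), len(server_msg), len(data))
    return head + bytes(len(a) for a in encoded) + server_msg + data + b"".join(encoded)

def parse_author_reply(body):
    """Inverse of build_author_reply; the status check is only a heuristic."""
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    if status not in AUTHOR_STATUS:
        raise ValueError("status 0x%02x unknown: wrong shared secret?" % status)
    off = 6
    arg_lens = body[off:off + arg_cnt]
    off += arg_cnt
    server_msg = body[off:off + msg_len]
    off += msg_len + data_len          # the data field is not used here
    args = []
    for n in arg_lens:
        args.append(body[off:off + n].decode())
        off += n
    return AUTHOR_STATUS[status], server_msg.decode(), args

def pack_packet(body, session_id, secret, seq_no, flags=0):
    """Server side: header plus (normally) obfuscated body as sent on the wire."""
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, secret, seq_no)
    return HEADER.pack(VERSION, TAC_PLUS_AUTHOR, seq_no, flags, session_id, len(body)) + body

def unpack_packet(packet, secret):
    """Client (LM) side: split the header and recover the body with the local secret."""
    _version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:12])
    body = packet[12:12 + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, secret, seq_no)
    return ptype, seq_no, session_id, body

def acl_groups(args):
    """Group list from the acl AV pair, e.g. 'acl=WAN,LAN' -> ['WAN', 'LAN']."""
    for arg in args:
        m = AVPAIR.match(arg)
        if m and m.group(1) == "acl":
            return [g for g in m.group(3).split(",") if g]
    return []

def apply_acl(local_groups, current, acl):
    """LM behaviour per the article: 'current' memberships are dropped entirely,
    then exactly the returned groups are added. Names with no group on the LM
    are ignored (assumption: the LM has no role to grant for them)."""
    return {g for g in acl if g in local_groups}

def demo(secret=b"s3cret-shared", wrong=b"s3cret-typo"):
    """Server builds the reply for rbuilder; the LM decodes it. Constructed values."""
    session_id, seq_no = 0x1A2B3C4D, 2
    body = build_author_reply(0x01, ["acl=WAN,LAN"])
    wire = pack_packet(body, session_id, secret, seq_no)
    status, _msg, args = parse_author_reply(unpack_packet(wire, secret)[3])
    groups = apply_acl({"WAN", "LAN", "UPXMGMT"}, {"UPXMGMT"}, acl_groups(args))
    garbled = unpack_packet(wire, wrong)[3] != body   # mismatched secret: silent garbage
    return status, sorted(groups), garbled

if __name__ == "__main__":
    print(demo())  # ('PASS_ADD', ['LAN', 'WAN'], True)
```

The demo user starts in UPXMGMT locally and ends up only in WAN and LAN, which is the replace semantics the LM applies. When debugging a shared-secret mismatch between the LM and the ISE Default Device entry, expect parse errors or nonsense status codes rather than a clean authentication failure.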

Navigate to Menu/Administration/Identity Management/Groups/User Identity Groups and add groups WAN, LAN, and UPXMGMT.


We then add our local user rbuilder to the WAN User Identity Group.


Next we need to create a TACACS policy element for each group. Navigate to Menu/Work Centers/Device Administration/Policy Elements and choose Library Conditions. In the Editor click to add an attribute for Identity Group.


Create all three Policy Elements, one per group.


Click Save and name each one.

After you have entered the three groups in the editor and saved them you should see them in the Library:


Create a TACACS profile (Policy Elements/Results/TACACS Profiles) for each group and put the group name in the ACL entry. This value is sent as the acl attribute and must match the group name on the Local Manager exactly.


Next, navigate back to Menu/Work Centers/Device Administration/Device Admin Policy Sets and click the greater-than symbol to the right of the default TACACS policy set.


Click Authorization Policy.


Click the plus icon next to Status to add a rule. Rules are evaluated first match, so order them with the most specific conditions at the top; a broad rule placed above a narrower one matches first and the narrower rule is never reached.


Click on Conditions and choose the Identity Group for each condition.


You can build multiple groups into one rule's conditions, including ISE identity groups that have no corresponding Lantronix group on the LM.


The finished Device Admin Policy Set contains one authorization rule for each group permutation used in this example.
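As an added example that is not ISE code, the following Python model evaluates an ordered rule list the way the policy set does (first match wins) and lints for rules that an earlier, broader rule shadows. The rule names and profiles are constructed to mirror the WAN, LAN and UPXMGMT groups; combined Identity Group conditions in one rule are modeled as AND, which is an assumption about how the conditions were built in the editor.

```python
def first_match(rules, user_groups):
    """rules: ordered list of (name, required_groups, profile).  A rule matches
    when the user is in every group of its condition.  The final fallback is
    the policy set's default rule, shown here with the production Deny All."""
    for name, required, profile in rules:
        if required <= user_groups:
            return name, profile
    return "Default", "Deny All"


def shadowed_rules(rules):
    """Return (rule, shadowing_rule) pairs: a rule whose condition is a superset
    of an earlier rule's condition can never match, because the earlier, broader
    rule always wins first."""
    out = []
    for i, (name, required, _profile) in enumerate(rules):
        for earlier, prior, _p in rules[:i]:
            if prior <= required:
                out.append((name, earlier))
                break
    return out


# Constructed rule lists.  Profiles are the TACACS profiles whose ACL entry
# names the LM group(s); 'acl=WAN,LAN' is the combined-group profile.
GENERAL_FIRST = [
    ("WAN users", {"WAN"}, "acl=WAN"),
    ("LAN users", {"LAN"}, "acl=LAN"),
    ("WAN and LAN users", {"WAN", "LAN"}, "acl=WAN,LAN"),
    ("Config managers", {"UPXMGMT"}, "acl=UPXMGMT"),
]
SPECIFIC_FIRST = [GENERAL_FIRST[2], GENERAL_FIRST[0], GENERAL_FIRST[1], GENERAL_FIRST[3]]


def demo():
    """rbuilder sits in Employees, WAN and LAN on ISE.  Only the specific-first
    ordering hands back both groups; the general-first ordering silently
    drops LAN and leaves the combined rule unreachable."""
    rbuilder = {"Employees", "WAN", "LAN"}
    return (
        first_match(GENERAL_FIRST, rbuilder)[1],    # 'acl=WAN'
        first_match(SPECIFIC_FIRST, rbuilder)[1],   # 'acl=WAN,LAN'
        shadowed_rules(GENERAL_FIRST),              # [('WAN and LAN users', 'WAN users')]
        shadowed_rules(SPECIFIC_FIRST),             # []
    )


if __name__ == "__main__":
    print(demo())
```

Running shadowed_rules over your intended rule order before entering it in ISE catches the ordering mistake while it is still cheap to fix; in the policy set itself, the only symptom is a user who lands in fewer LM groups than expected.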


Now when the user logs into the Local Manager, the WAN ACL in the TACACS response removes the user from any other group and adds the user into ONLY the groups returned.

[rbuilder@LantronixLM]# sh group WAN
WAN
created 11/03/2021 16:37:11 UTC
user rbuilder
system - guest
port1/1 - admin
port1/2 - admin

[rbuilder@LantronixLM]# sh dash
-----------------------------------------------------------------------------
Port   Hostname      Status    Con Eth Uptime  Processor  Last
                                               Utilization Alarm
---- ------------------ ------------------ --- --- ------- ----------- ------
 1/1
 1/2
 SYS LantronixLM     OK           * 1d 29m   01/01/02
-----------------------------------------------------------------------------
Con(sole) or Eth(ernet) link status indicated with '*'
Processor Utilization displayed as last collected, 1 and 5 minute averages
Last Alarm displays time since last Alarm matched.
         d=day, h=hour, m=minute, s=second

We can then add the user to another ISE identity group, e.g. LAN, and the response will return both group names in the ACL when the user logs in.


login as: rbuilder
rbuilder@192.0.2.218's password:
Lantronix LMS v6.3 39160 -- Powering Business Uptime
----------------------------------------------------------------------------
Port   Hostname      Status    Con Eth Uptime  Processor  Last
                                               Utilization Alarm
---- ------------------ ------------------ --- --- ------- ----------- ------
 1/1          OK
 1/2
 1/3
 1/4
 SYS LantronixLM     OK           * 1d 2h   02/02/02
-----------------------------------------------------------------------------
Con(sole) or Eth(ernet) link status indicated with '*'
Processor Utilization displayed as last collected, 1 and 5 minute averages
Last Alarm displays time since last Alarm matched.
        d=day, h=hour, m=minute, s=second

[rbuilder@LantronixLM]#

This concludes Basic TACACS on Cisco ISE for Lantronix Local Managers.


© 2024 Lantronix, Inc. All Rights Reserved