Managing network devices without AAA makes access control, change management, auditing and role-based device access a challenge for IT teams. Cisco ISE provides TACACS+ capability for device administration. Since Prime Infrastructure is the central point of monitoring and management for the entire network infrastructure, it is even more important to deploy TACACS+-based login control for Cisco Prime.
It is always a good idea to keep local authentication as a fallback for TACACS+ authentication in case ISE becomes unreachable. Make sure “Enable fallback to Local” is checked so that you can fall back to local credentials if ISE is unresponsive for any reason.
Next, add ISE as a TACACS+ server on Prime and fill in the required information. The supported authentication types are PAP and CHAP, with PAP being the default.
Prime has a list of tasks that can be mapped to the authorization profile of an authenticated user. For instance, comparing Superadmin with Root, Superadmin lacks some privileges such as System Monitoring Dashboard, Device Bulk Import Access and Swim Access Privilege. You can also use custom tasks to create a unique role. The audit trail shows the list of activities for a specific role.
Before we proceed further, it is important to understand the concept of virtual domains. In large Prime deployments it is often required that a set of admins manages only a selected set of devices on Prime, especially when Prime is used to manage all wired, wireless, ISE and ASA infrastructure.
A virtual domain is a logical grouping of sites, devices and access points. You choose which of these elements are included in a virtual domain, and which Prime Infrastructure users have access to that virtual domain. Users with access to a virtual domain can configure devices, view alarms, and generate reports for the parts of the network included in the virtual domain. Users without access to a specific virtual domain cannot. Users with access to a virtual domain benefit because they can see just the devices and information they care about.
As an example, a new virtual domain called “TEST” is created. Once the virtual domain exists, we can add sites, networks, devices, etc., associate the virtual domain with a role, and assign that role as part of the authorization profile mapped to AD groups.
Virtual domains are not part of the task list, but once configured they can be added to the ISE authorization policy as part of the TACACS+ profile. For exact task ID information click “here”.
For ease of deployment I will be using ROOT-DOMAIN (access to all devices in all domains).
Let’s configure ISE and the ISE policy now, starting with the TACACS+ profile. In my case I want to assign users the superadmin role with ROOT-DOMAIN access and privilege level 15.
Now let’s add Prime as one of the network access devices. Ensure the shared secret on ISE is the same as the one entered on Prime when adding the TACACS+ server, by going on ISE to:
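The shared secret matters because of how TACACS+ protects packet bodies, and the PAP versus CHAP choice matters because of what those bodies carry. The following Python is an added example (not code from the original post, nor Cisco's): it implements the RFC 8907 body obfuscation and a PAP authentication START body, and shows that a secret mismatch between Prime and ISE leaves the server with an unparseable body. The session id, secret, user and password are constructed sample values.

```python
# Added example (not from the original post): how TACACS+ protects a PAP login on the wire.
# RFC 8907 section 4.5 XORs every packet body with an MD5 pad derived from the session_id, the
# shared secret, the version and the seq_no; that secret is the only thing hiding a PAP password.
import hashlib
import struct

VERSION = 0xC0  # major version 0xC, minor 0: used for PAP/CHAP authentication START packets
TAC_PLUS_AUTHEN_LOGIN, TAC_PLUS_AUTHEN_TYPE_PAP, TAC_PLUS_AUTHEN_SVC_LOGIN = 1, 2, 1

def pseudo_pad(session_id: int, secret: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5 chain from RFC 8907 4.5: MD5_1 = MD5(sid+key+ver+seq), MD5_n = MD5(sid+key+ver+seq+MD5_n-1)."""
    head = struct.pack("!I", session_id) + secret + struct.pack("!BB", version, seq_no)
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(head + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body: bytes, session_id: int, secret: bytes, seq_no: int = 1) -> bytes:
    """XOR the body with the pad; calling it again with the same secret restores the body."""
    pad = pseudo_pad(session_id, secret, VERSION, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def pap_start_body(user: str, password: str, priv_lvl: int, port: str = "tty0", rem_addr: str = "") -> bytes:
    """Authentication START body (RFC 8907 5.1). For PAP the clear password is the 'data' field."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), password.encode()
    fixed = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_PAP,
                        TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(d))
    return fixed + u + p + r + d

def parse_start_body(body: bytes) -> dict:
    """Parse a de-obfuscated START body; with the wrong secret the bytes are garbage and fail here."""
    if len(body) < 8:
        raise ValueError("body too short")
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    if len(body) != 8 + ul + pl + rl + dl or authen_type not in (1, 2, 3):
        raise ValueError("malformed START body: shared secret mismatch?")
    u, p = body[8:8 + ul], body[8 + ul:8 + ul + pl]
    r, d = body[8 + ul + pl:8 + ul + pl + rl], body[8 + ul + pl + rl:]
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type, "service": service,
            "user": u.decode(), "port": p.decode(), "rem_addr": r.decode(), "data": d}

def secret_mismatch_detected(wire: bytes, session_id: int, secret: bytes) -> bool:
    """Server-side check: True when the body cannot be parsed with this secret."""
    try:
        parse_start_body(obfuscate(wire, session_id, secret))
        return False
    except ValueError:  # UnicodeDecodeError is a ValueError subclass, so it is caught too
        return True
```

Because the pad is plain MD5 over the shared secret, a short or guessable secret is the weak point; use a long random one and prefer CHAP over the PAP default where Prime and ISE allow it.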
Let’s configure the actual policy on ISE now.
The device type Prime has only one device added, which is Cisco Prime Infrastructure; the TACACS+ policy set matches when the TACACS+ request comes from Prime.
ISE will use the identity source sequence ad_internal to authenticate the user; this sequence refers to AD as the primary and the internal user database as the secondary source of user authentication.
If the user is accessing Prime Infrastructure and is a member of the NetworkAdmin AD group, ISE will apply the authorization profile named “Prime Access”; the role associated with this permission is discussed above.
Testing with a user belonging to that group shows authentication and authorization with the correct authorization result. User information is hidden for security purposes.
I hope you enjoyed reading this as much as I enjoyed writing it.