Cisco ISE: Device Administration with AD Credentials using TACACS+


This tutorial shows you how to configure ISE to support device administration of a Wireless LAN Controller with AD credentials using TACACS+. It assumes you have an AD group called NetAdmin and that your user is a member of it. Some steps vary if the device is a switch or firewall instead of a WLC, mainly the Command Set and Shell Profile used for authorization.

 

Enable Device Administration on Policy Service Nodes

Work Centers > Device Administration > Overview > Deployment

Select the appropriate Policy Service Nodes and Click Save

 

Join ISE to Active Directory

Work Centers > Device Administration > Ext Id Sources > Active Directory

Click Add

Enter a Join Point Name (for instance wifiworkshop-AD)

Enter the Domain name

Click Submit

Highlight the node (or nodes in a distributed environment) and Click Join

Enter the username and password of a user with rights to join a computer to the domain

 

Add NetAdmin group to the newly created Join Point

Work Centers > Device Administration > Ext Id Sources > Active Directory

Click the newly created Join Point (wifiworkshop-AD)

Click Groups

Click Add > Select Groups from Directory

Search for NetAdmin, highlight it, and click OK

 

Create a Network Device Group

This is what lets you tell device types apart (WLC, switch, firewall, etc.) and apply a different Command Set or Shell Profile to each of them.

Work Centers > Device Administration > Network Resources > Network Device Groups

Click Add

Enter a name (for instance Wireless LAN Controllers)

Set the Parent Group (for instance All Device Types)

 

Add the WLC as a Network Device

Work Centers > Device Administration > Network Resources > Network Devices

Click Add

Enter a Name

Enter the IP Address (the WLC's management interface address, which is the source of its TACACS+ requests)

Set the Device Type to the new Device Group you just created

Check TACACS Authentication Settings

Enter the Shared Secret (use a long random value and keep it unique to this device; the same value is entered on the WLC later, and TACACS+ only obfuscates the packet body with it, so treat it like a password)

(You’ll probably be using RADIUS to authenticate wireless clients, so now would be a good time to configure that as well.)

Check RADIUS Authentication Settings

Enter the Shared Secret

Click Submit
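The same network device can be created without the GUI through the ISE ERS REST API, which is handy when you have many controllers to add. The script below is an added example written for this tutorial, not Cisco's code or anything from the original page. It assumes ERS is enabled on the admin node (Administration > System > Settings > ERS Settings), that the account used holds the ERS Admin role, and that the hostname, account, IP addresses and secrets in it are placeholders to replace. The payload layout follows the ERS NetworkDevice resource as documented in the ISE ERS SDK; confirm the field names against the SDK page on your ISE version. The validate() check and its 16-character minimum are a local policy added here, not an ISE limit.

```python
"""Create a network device in Cisco ISE through the ERS REST API.

Added example for this tutorial, not Cisco code. Assumes ERS is enabled on the
admin node and the account holds the ERS Admin role. Host, credentials, IPs and
secrets are placeholders.
"""
import base64
import ipaddress
import json
import ssl
import urllib.request

ERS_NETWORK_DEVICE_URL = "https://{host}:9060/ers/config/networkdevice"
MIN_SECRET_LEN = 16  # local policy for this example, not an ISE limit


def build_network_device(name, ip, tacacs_secret, device_group, radius_secret=None, mask=32):
    """Return the ERS NetworkDevice payload matching the GUI steps above.

    device_group is the Device Type hierarchy as ISE shows it, for example
    "All Device Types#Wireless LAN Controllers".
    """
    device = {
        "name": name,
        "NetworkDeviceIPList": [{"ipaddress": ip, "mask": mask}],
        "NetworkDeviceGroupList": [
            f"Device Type#{device_group}",
            "Location#All Locations",
            "IPSEC#Is IPSEC Device#No",
        ],
        # "Check TACACS Authentication Settings" + shared secret
        "tacacsSettings": {"sharedSecret": tacacs_secret, "connectModeOptions": "OFF"},
    }
    if radius_secret is not None:
        # "Check RADIUS Authentication Settings" + shared secret
        device["authenticationSettings"] = {
            "radiusSharedSecret": radius_secret,
            "enableKeyWrap": False,
            "networkProtocol": "RADIUS",
        }
    return {"NetworkDevice": device}


def validate(payload):
    """Return a list of problems found before anything is sent to ISE."""
    problems = []
    dev = payload["NetworkDevice"]
    for entry in dev["NetworkDeviceIPList"]:
        try:
            ipaddress.ip_address(entry["ipaddress"])
        except ValueError:
            problems.append(f"invalid IP address: {entry['ipaddress']}")
    secrets = [("TACACS+", dev["tacacsSettings"]["sharedSecret"])]
    if "authenticationSettings" in dev:
        secrets.append(("RADIUS", dev["authenticationSettings"]["radiusSharedSecret"]))
    for proto, secret in secrets:
        if len(secret) < MIN_SECRET_LEN:
            problems.append(f"{proto} shared secret shorter than {MIN_SECRET_LEN} characters")
    return problems


def create_network_device(host, username, password, payload, verify_tls=True):
    """POST the payload; ERS answers 201 with the new object's URL in Location."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        ERS_NETWORK_DEVICE_URL.format(host=host),
        data=json.dumps(payload).encode(),
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Accept": "application/json",
            "Authorization": f"Basic {token}",
        },
    )
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for a lab with a self-signed ISE certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.status, resp.headers.get("Location")


if __name__ == "__main__":
    payload = build_network_device(
        name="wlc01",
        ip="10.10.10.5",
        tacacs_secret="replace-with-a-long-random-secret",
        device_group="All Device Types#Wireless LAN Controllers",
        radius_secret="replace-with-another-random-secret",
    )
    issues = validate(payload)
    if issues:
        raise SystemExit("\n".join(issues))
    print(json.dumps(payload, indent=2))
    # status, location = create_network_device("ise.example.com", "ersadmin", "password", payload)
```

Run it once with the POST line commented out to inspect the JSON, then uncomment it against a lab ISE. Keep verify_tls=True outside the lab; disabling certificate checks against the node that holds every device's shared secret is the kind of shortcut that tends to become permanent.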

 

*Note* If you were creating a rule for a device that uses privilege levels and per-command authorization (an IOS switch, for example), you would also create a Command Set.  Command Sets are located at:

Work Centers > Device Administration > Policy Elements > Results > TACACS Command Sets

 

We don’t need a Command Set for WLCs: the controller authorizes by role (All, Monitor, Lobby, and so on) taken from the shell profile, not command by command.

 

Verify the WLC All Profile

Work Centers > Device Administration > Policy Elements > Results > TACACS Profiles

Verify WLC All is present

If it is not present, add it, set the Common Task Type to WLC, and select the All role.

 

Create WLC Device Admin Policy

Work Centers > Device Administration > Device Admin Policy Sets

Highlight Default and Click the plus sign > Create Above

Enter a Name (for instance WLC)

Set Conditions to Device: Device Type EQUALS All Device Types#Wireless LAN Controllers (or whatever you named your device group earlier)

 

Create the WLC Authentication Policy

Work Centers > Device Administration > Device Admin Policy Sets > WLC

Set the Default Rule's identity store to wifiworkshop-AD (replace wifiworkshop-AD with your AD Join Point name)

 

Create the WLC Authorization Policy

Work Centers > Device Administration > Device Admin Policy Sets > WLC

Under Authorization Policy, click the drop-down arrow and choose Insert new row above

Enter a name

Set the Condition to: wifiworkshop-AD:ExternalGroups EQUALS NetAdmin

(replace wifiworkshop-AD with your AD Join Point and NetAdmin with your group; ISE lists the group under the name it retrieved from AD, usually with its domain path, such as example.com/Users/NetAdmin, so pick it from the drop-down rather than typing it)

Leave the Command Set blank

Set the Shell Profile to WLC All

(Set the default rule, TACACS_Default, to the built-in Deny All Shell Profile so that a valid AD account that is not in NetAdmin authenticates but is still refused a shell)

 

Configure the WLC with TACACS+ Servers

Security > AAA > TACACS+

Click Authentication

Click New

Enter the Server IP Address and the Shared Secret you entered for this device in ISE

Click Apply

 

Click Authorization

Click New

Enter Server IP Address and Shared Secret

Click Apply

 

Click Accounting

Click New

Enter Server IP Address and Shared Secret

Click Apply
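Why the shared secret deserves care: TACACS+ does not encrypt the packet body, it obfuscates it by XORing with an MD5-derived keystream built from the session ID, the secret, the version and the sequence number (RFC 8907 section 4.5). Anyone who captures the traffic between the WLC and ISE and knows or guesses the secret recovers the administrator's AD password. The script below is an added example written for this tutorial, not code from the page or from Cisco; it builds the PAP authentication START packet a WLC sends for a login, applies the obfuscation, and shows that the right secret recovers the password while a wrong one does not. The username, password, session ID and secret are constructed placeholders.

```python
"""TACACS+ (RFC 8907) body obfuscation, worked through in Python.

Added example for this tutorial, not Cisco code. Builds the authentication START
packet a WLC sends for a PAP login, obfuscates it with the shared secret and
recovers it again. Names, secret and session ID are constructed placeholders.
"""
import hashlib
import struct

TAC_PLUS_VERSION_PAP = 0xC1       # major 0xC, minor 1 (minor 1 is used for PAP/CHAP)
TAC_PLUS_AUTHEN = 0x01            # header type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag: body sent in the clear
TAC_PLUS_AUTHEN_LOGIN = 0x01      # START action
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream from RFC 8907 section 4.5: chained MD5 of session_id|key|version|seq_no."""
    out, prev = b"", b""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    while len(out) < length:
        prev = hashlib.md5(seed + prev).digest()
        out += prev
    return out[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR body with the pad; calling it again with the same inputs reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user, password, port="tty0", rem_addr="192.0.2.10"):
    """Authentication START body; with PAP the password travels in the data field."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), password.encode()
    fixed = struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_LOGIN, 1, TAC_PLUS_AUTHEN_TYPE_PAP,
                        TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(d))
    return fixed + u + p + r + d


def build_packet(body, session_id, key, seq_no=1):
    """Header goes in the clear; only the body is obfuscated with the shared secret."""
    header = HEADER.pack(TAC_PLUS_VERSION_PAP, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION_PAP, seq_no)


def recover_body(packet, key):
    """What a capture plus a candidate shared secret gives an observer."""
    version, _ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    return obfuscate(body, session_id, key, version, seq_no)


def password_from_start(body):
    """Pull the data field (the PAP password) out of a START body."""
    user_len, port_len, rem_len, data_len = body[4:8]
    offset = 8 + user_len + port_len + rem_len
    return body[offset:offset + data_len].decode("utf-8", errors="replace")


if __name__ == "__main__":
    secret = b"replace-with-a-long-random-secret"
    pkt = build_packet(authen_start_body("alice", "S3cret!"), 0x1234ABCD, secret)
    print("on the wire:", pkt.hex())
    print("right secret:", password_from_start(recover_body(pkt, secret)))
    print("wrong secret:", password_from_start(recover_body(pkt, b"guess")))
```

Two practical consequences: a short or reused secret is brute-forceable offline from a single capture, and even a strong one only buys obfuscation, so keep the WLC-to-ISE path on a management VLAN or inside a tunnel rather than across user-reachable segments.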

 

Configure the WLC Priority Order

Security > Priority Order > Management User

Highlight RADIUS and move it to the Not Used section

Highlight TACACS+ and move it to the Order Used for Authentication section

Keep LOCAL in the list as the last entry. The controller falls back to its local database only when no TACACS+ server answers, not when ISE rejects a login, so keep a local emergency account with a strong password for the case where ISE is unreachable.