Hello.

In this video, we will explore two TACACS+ features available to us through
ISE. The first feature is login authentication and enable authorization
differentiation, which allows the use of different identity stores for the
initial login and for entering privileged mode. The second feature we'll explore is CLI password
change, which allows the network administrator to change a password inline from the device prompt.
We'll start off with login authentication and authorization differentiation. So
I'll navigate to Work Centers, then Device Admin, and then Device Admin Policy
Sets. Right in the list of policy sets, I'll modify the Allowed Protocols/Server
Sequence setting for the IOS_Devices policy set. I'll click on the box to change
the setting from Default Network Access to Default Device Admin.
I also want to modify policies inside the IOS_Devices policy set. So I'll click on
the right arrow at the end of that policy line to enter into it. However, I'm
reminded that because I've already made a change, I need to save the change first.
So I'll click on Save.
Once the save is successful, I can now click on the right arrow to enter into the
policy set. Once I'm in the policy set, I'll click on authentication policy to
modify that policy. I want to add a new rule above the default rule. So I'll click
on the gear icon next to the default rule, and then select Insert New Row Above.
I'll set this new rule to have a name of Enable_Password. Then I'll click on the
plus sign to go to the Condition Studio to create a condition for this rule.
I'll click to add an attribute. Then I'll dropdown the list of dictionaries, and
select TACACS. I'll scroll down the list of TACACS attributes and click on Service.
I'll leave the operator as equals, and then click in the box on the right to select
enable. So now the condition is that the TACACS service attribute equals enable.
I'll click Use to use this condition in my new rule. I'll leave the Use option at
Internal Users.
Now when this rule takes effect, ISE will use its internal user database to
validate enable passwords. I'll add another rule by clicking on the gear icon for
the Enable_Password rule, and then click on Insert New Row Above again. I'll set
this new rule to have the name of Login_Password. Then I'll click on the plus sign
to go to the Condition Studio again to create a condition for this rule.
I'll click to add an attribute. Then I'll dropdown the list of dictionaries and
select TACACS again. I'll scroll down the list of TACACS attributes and click on
Service. I'll leave the operator as equals, and then click in the box on the right.
But now I'll select login.
So now the condition for this rule is that the TACACS service attribute equals
login. I'll click Use to use this condition in my new rule. For this rule, I'll
change the use option to be demo.local. Now when this rule takes effect, ISE will
use the demo.local AD to validate login passwords.
Once I've created these two new rules-- one for login and one for enable-- I'll
scroll down and click on Save. I should see a message indicating that both new
rules were saved successfully.
Now that I've set a rule to use the internal user database for enable, I need to
ensure that my test user is in the internal user database with the proper
credential set. I'll navigate to Work Centers, Network Access, and then Identities.
Once that page loads, I'll select Network Access users from the navigation pane on
the left.
In my example, the internal network access user database is empty. You may see an
entry for employee1 in your lab. If so, click on the employee1 entry instead of
adding a new entry. I'll click on Add to create a new entry for employee1. The user
name will be employee1.
Under Passwords, I'll leave the password type as Internal Users. Then I'll
enter a login password of ISEIsCOOL in the Password and Re-Enter Password
fields. After that, I'll enter an enable password of Cisco123 in the Password
and Re-Enter Password fields for Enable Password. Then I'll scroll to the bottom of the
page and click on Submit to create this new entry. I see employee1 now shows in the
list and a success message shows down below.
Now I'm ready to test this feature. I'll open an old terminal session to the
3K access switch that has timed out and restart the session. To log in, I'll
use employee1 and a login password of ISEIsCOOL, which is the password set for
employee1 in the Active Directory for demo.local.
OK. The lab doesn't address this, but I see an issue after logging in. Employee1
starts off at privilege level 15 by default. So if I try to use the enable command,
I'm not prompted for an enable password, because I'm already there. This is because
employees have already been assigned a TACACS profile where the default privilege
level is 15.
To correct that problem, I'll return to the ISE admin portal, and then navigate to
Work Centers, Device Administration, and Policy Elements. Then I'll click on
Results, and then TACACS profiles. Then I'll select the entry for privilege level
15 to edit that profile.
Here I can see the default privilege value is 15. I will click on the dropdown
arrow and set the default privilege to be 1. Then I'll scroll to the bottom of the
page and click Save. Now I'll start another terminal session to the 3K access
switch. I'll log in again as employee1 with the login password of ISEIsCOOL.
And now, since the default privilege was set to 1, I am in user mode.
Now when I use enable to enter privilege level 15, I'll try the
same AD password of ISEIsCOOL. This fails because the Enable_Password rule points ISE
at the internal user database for the enable service, and employee1's enable password in the internal user
database is Cisco123.
I'll try enable again, but this time I'll enter the password Cisco123.
And now I'm successful. I'll minimize the terminal session and return to the ISE
admin portal. Then I'll navigate to Operations, TACACS, and then Live Logs. In the
log, I see the entry for when employee1 logged in: the policy set
applied was IOS_Devices, and the authentication rule was Login_Password.
Then I see a failed authentication entry for IOS_Devices with the rule Enable_Password.
Clicking on Details shows me that authentication failed because of a wrong
password. Clicking on Details for the latest authentication event, I can see that
it was successful, because I entered the correct password based on the internal
user database.
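The video configures only the ISE side of this feature; the switch must also be told to send both the login and the enable attempts to ISE as TACACS+ requests (service=login and service=enable), or the enable prompt will never reach the Enable_Password rule. The IOS configuration below is an added example and is not shown in the original video or lab. The server name ISE-PSN1, the address 10.0.0.10, the shared key, and the group name ISE are assumptions; substitute your own values.

```cisco
! Added example: IOS AAA configuration for TACACS+ login/enable differentiation.
! The server name, address, key, and group name are assumptions.
aaa new-model
!
tacacs server ISE-PSN1
 address ipv4 10.0.0.10
 key ISEsharedSecret
!
aaa group server tacacs+ ISE
 server name ISE-PSN1
!
! Initial login: matched in ISE by TACACS Service equals login (Login_Password rule).
aaa authentication login default group ISE local
!
! The enable command: matched in ISE by TACACS Service equals enable (Enable_Password rule).
! The trailing "enable" keyword falls back to the local enable secret only if ISE is unreachable.
aaa authentication enable default group ISE enable
!
! Exec authorization is what applies the TACACS profile's default privilege level
! (1 after the change in the video), so the user lands in user mode and must run enable.
aaa authorization exec default group ISE local
!
! Local fallback credentials, used only when no TACACS+ server responds.
enable secret LocalFallbackSecret
username localadmin privilege 15 secret LocalFallbackPassword
```

Two things to check after applying it: the fallback methods (local, enable) are only consulted when the TACACS+ server group is unreachable, not when ISE returns a reject, so a wrong enable password still fails closed; and without aaa authorization exec, the switch will not ask ISE for the privilege level at all and the priv-lvl change made in the TACACS profile will have no effect.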
The second feature that we'll look at is the TACACS+ inline password change feature.
To see that feature, I'll open a new terminal session to the 3K access switch. For
this session, I'll log in as employee2. But now I will invoke the password change
feature by pressing Enter when I'm prompted for a password.
Now that the feature has been activated, I'm asked to enter the old password for
employee2, which was ISEIsCOOL. Then I'm asked to enter the new password. I'll set
the new password to be ISEIsReallyCOOL. Then I'll type it in again to confirm the
new password.
Next, I'll close the current terminal session and start a new one. I'll log in as
employee2 again and will type the former password of ISEIsCOOL. That is no longer
the login password for employee2, and I get an error message.
Now I'll type the new login password of ISEIsReallyCOOL. My new password is
recognized, and I'm able to log in successfully. I'll return to the TACACS Live
Logs and refresh the screen.
Clicking Details for the failed authentication attempt indicates that I used the
wrong password since I had just changed it a few moments earlier. Of course, the
next entry shows a successful authentication since I used my newly set password for
that occasion.