Tacacs+ Cisco ISE config

L3 Networker


Does anyone know how to configure the cisco ISE side? We can use tacacs now to access the gui but only local usernames and passwords work when trying to access the CLI using SSH. Does anyone have a complete cisco ISE setup? I found a guide to set up palo alto on the cisco ACS platform but ACS is end of life.
L4 Transporter

Re: Tacacs+ Cisco ISE config

What are the settings in your admin role? Do they include CLI?

L0 Member

Re: Tacacs+ Cisco ISE config


I just got TACACS+ working with my ISE deployment.  Here are the steps:


1) Configure your PA Firewall following these steps: https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/authentication/configure-tacacs-authentica...

***Important Note #1: In step 4 of this document it specifies a role.  You can use a prebuilt or a custom role, but it is critical you note the name in order for ISE to reference the VSA configuration in your shell profile.


2) I had already configured TACACS+ device administration on my ISE deployment, so check the admin guide for those directions.


3) Add the PA firewall as a network resource on ISE.  Configure IP, name, and pre-shared key, and check TACACS+ as the protocol.  Create any Network Device Groups for reference in the policy.


4) Create a Palo Alto custom TACACS profile.  Reference this document: https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/authentication/authentication-types/tacacs...

For Custom Attributes you’ll need to make the type ‘MANDATORY’, use the requisite name in the document above and the Value is whatever role you specified in the note in step one on the PANOS > Device > Admin Roles. 


So an example of this would be:


TACACS Profile Custom Attribute

‘MANDATORY’ - ‘PaloAlto-Admin-Role’ - <insert firewall defined custom or default Admin Role>


5) Create a policy set that references your group of PA firewalls under conditions of the policy.  Choose your identity source for authentication.  For authorization, set your conditions and reference the shell profile in step 4. 

This allowed me to authenticate using AD via ISE TACACS+ based on existing identities in ISE and roles set on the Palo Alto Firewall. 
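The post's emphasis on making the attribute type MANDATORY maps onto a detail of the TACACS+ protocol itself: in an authorization reply, an attribute-value pair written as `name=value` is mandatory and one written as `name*value` is optional (RFC 8907, section 6.1). The following script is an added example, not part of the original thread or of any Palo Alto or Cisco tooling; it parses the attribute-value pairs a TACACS+ server would return for a PAN-OS administrator and checks that `PaloAlto-Admin-Role` is present exactly once, is mandatory, and names a role the firewall actually defines. The role names and sample reply are constructed; substitute the role you noted in step 1.

```python
"""Added example (not from the forum post): validate the attribute-value
pairs in a TACACS+ authorization REPLY destined for a PAN-OS firewall.

Attribute syntax follows RFC 8907 section 6.1:
  name=value  -> mandatory attribute
  name*value  -> optional attribute
All sample data in this file is constructed for illustration.
"""

import re

# Admin roles assumed to be defined on the firewall under
# Device > Admin Roles (constructed list; substitute your own role names).
KNOWN_ADMIN_ROLES = {"superuser", "superreader", "fw-ops-custom"}

# The attribute name PAN-OS expects for role assignment, as given in the post.
ROLE_ATTR = "PaloAlto-Admin-Role"

# Name runs up to the first '=' or '*'; that separator decides mandatory/optional.
ATTR_RE = re.compile(r"^([^=*]+)([=*])(.*)$", re.S)


def parse_avpair(raw):
    """Split one TACACS+ attribute-value pair into (name, value, mandatory)."""
    m = ATTR_RE.match(raw)
    if not m:
        raise ValueError(f"malformed attribute-value pair: {raw!r}")
    name, sep, value = m.groups()
    return name, value, sep == "="


def format_avpair(name, value, mandatory=True):
    """Build the wire form of an attribute-value pair (inverse of parse_avpair)."""
    return f"{name}{'=' if mandatory else '*'}{value}"


def check_palo_alto_role(avpairs, known_roles=KNOWN_ADMIN_ROLES):
    """Classify a reply's attribute list with respect to the PAN-OS role attribute.

    Returns one of:
      "ok"            exactly one mandatory PaloAlto-Admin-Role naming a known role
      "missing"       no PaloAlto-Admin-Role attribute in the reply
      "duplicate"     more than one PaloAlto-Admin-Role attribute
      "optional"      attribute present but sent as optional (name*value)
      "unknown-role"  value does not match any role defined on the firewall
                      (exact, case-sensitive match assumed here)
    """
    found = [(value, mandatory)
             for name, value, mandatory in map(parse_avpair, avpairs)
             if name == ROLE_ATTR]
    if not found:
        return "missing"
    if len(found) > 1:
        return "duplicate"
    value, mandatory = found[0]
    if not mandatory:
        return "optional"
    if value not in known_roles:
        return "unknown-role"
    return "ok"


if __name__ == "__main__":
    # Constructed sample replies, one per outcome the checker can report.
    samples = {
        "good profile": [format_avpair(ROLE_ATTR, "fw-ops-custom")],
        "sent as optional": [format_avpair(ROLE_ATTR, "fw-ops-custom", mandatory=False)],
        "role name typo": [format_avpair(ROLE_ATTR, "fw-ops-custm")],
        "only a Cisco-style attribute": ["priv-lvl=15"],
        "two role attributes": [format_avpair(ROLE_ATTR, "superuser"),
                                format_avpair(ROLE_ATTR, "superreader")],
    }
    for label, avpairs in samples.items():
        print(f"{label:30s} {avpairs!r:60s} -> {check_palo_alto_role(avpairs)}")
```

When a login through ISE succeeds for the GUI but the CLI or role is wrong, comparing the reply's actual attribute list against this checklist (present, single, mandatory, spelled exactly as the firewall role) covers the mistakes the post's note warns about; the parser deliberately keeps everything after the first separator as the value, so role names containing `=` or `*` are preserved rather than split.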
