Cisco TACACS+ Analiz Rezo An Sekirite

Entwodiksyon

Terminal Access Controller Access-Control System (TACACS+) is a protocol that supports authentication and authorization services and allows a user to access multiple applications with one set of credentials. Use the following instructions to configure TACACS+ for Cisco Secure Network Analytics (formerly Stealth watch).

Odyans lan
The intended audience for this guide includes network administrators and other personnel who are responsible for installing and configuring Secure Network Analytics products. If you prefer to work with a professional installer, please contact your local Cisco Partner or contact Cisco Support.

Tèminoloji
This guide uses the term “appliance” for any Secure Network Analytics product, including virtual products such as the Cisco Secure Network Analytics Flow Sensor Virtual Edition. A “cluster” is your group of Secure Network Analytics appliances that are managed by the Cisco Secure Network Analytics Manager (formerly Steal thwatch Management Console or SMC).

In v7.4.0 we rebranded our Cisco Stealth watch Enterprise products to Cisco Secure Network Analytics. For a complete list, refer to the Release Notes. In this guide, you will see our former product name Stealth watch, used whenever necessary to maintain clarity, as well as terminology such as Stealth watch Management Console and SMC.

Konpatibilite
For TACACS+ authentication and authorization, make sure all users log in through the Manager. To log in to an appliance directly and use the Appliance Administration, log in locally. The following features are not available when TACACS+ is enabled: FIPS, Compliance Mode.

Jesyon Repons
Jesyon Repons lan configuré nan Manadjè ou a. Pou resevwa alèt pa imèl, rapò pwograme, elatriye, asire w ke itilizatè a configuré kòm yon itilizatè lokal sou Manadjè a. Ale nan Konfigire > Deteksyon > Jesyon Repons, epi gade Èd la pou enstriksyon yo.

Failover
Tanpri note enfòmasyon sa yo si ou te konfigire Manadjè ou yo kòm yon pè failover:

• TACACS+ is only available on the primary Manager. TACACS+ is not supported on the secondary Manager.
• If TACACS+ is configured on the primary Manager, the TACACS+ user information is not available on the secondary Manager. Before you can use configured external authentication services on a secondary Manager, you need to promote the secondary Manager to primary.
• If you promote the secondary Manager to primary:
• Enable TACACS+ and remote authorization on the secondary Manager.
• Any external users logged into the demoted primary Manager will be logged out.
• The secondary Manager does not retain user data from the primary Manager, so any data saved on the primary Manager is not available on the new (promoted) primary Manager.
• Once the remote user logs in to the new primary Manager for the first time, the user directories will be created and the data is saved going forward.
• Review Enstriksyon pou Failover: Pou plis enfòmasyon, gade Gid Konfigirasyon Failover la.

Preparasyon

You can configure TACACS+ on Cisco Identity Services Engine (ISE). We recommend using Cisco Identity Services Engine (ISE) for centralized authentication and authorization. However, you can also deploy a standalone TACACS+ server or integrate any other compatible authentication server according to your specific requirements.

Asire w ou gen tout sa ou bezwen pou kòmanse konfigirasyon an.

Egzijans	Detay yo
Motè sèvis idantite Cisco (ISE)	Install and configure ISE using the instructions in the ISE documentation for your engine.You will need the IP address, port, and shared secret key for the configuration. You will also need the Device Administration license.
Sèvè TACACS+	W ap bezwen adrès IP a, pò a, ak kle sekrè pataje a pou konfigirasyon an.
Desktop Kliyan	You will use the Desktop Client for this configuration if you want to use custom desktop roles. To install the Desktop Client, refer to the Cisco Secure Network Analytics Gid Konfigirasyon Sistèm that matches your Secure Network Analytics version.

Wòl itilizatè yo finiview

Gid sa a gen ladan l enstriksyon pou konfigirasyon itilizatè TACACS+ ou yo pou otantifikasyon ak otorizasyon a distans. Anvan ou kòmanse konfigirasyon an, re-view detay ki nan seksyon sa a pou asire ou konfigire itilizatè ou yo kòrèkteman.

Konfigirasyon Non Itilizatè yo
Pou otantifikasyon ak otorizasyon a distans, ou ka konfigire itilizatè ou yo nan ISE. Pou otantifikasyon ak otorizasyon lokal, konfigire itilizatè ou yo nan Manadjè a.

• Remote: To configure your users in ISE, follow the instructions in this configuration guide.
• Local: To configure your users locally only, log in to the Manager. From the main menu, select Configure > Global > User Management. Select Help for instructions.

Non Itilizatè ki Sansib a Ka
Lè w ap konfigire itilizatè aleka yo, aktive sansiblite ka sou sèvè aleka a. Si ou pa aktive sansiblite ka sou sèvè aleka a, itilizatè yo ka pa kapab jwenn aksè a done yo lè yo konekte sou Secure Network Analytics.

Non Itilizatè Doublon

• Whether you configure user names remotely (in ISE) or locally (in the Manager), make sure all user names are unique. We do not recommend duplicating user names across remote servers and Secure  Network Analytics.
• Si yon itilizatè konekte sou Manager la, epi yo gen menm non itilizatè a configuré nan Secure Network Analytics ak ISE, yo pral sèlman jwenn aksè a done Manager/Secure Network Analytics lokal yo. Yo pa ka jwenn aksè a done TACACS+ aleka yo si non itilizatè yo double.

Vèsyon ki pi bonè yo

• If you’ve configured TACACS+ in an earlier version of Cisco Secure Network Analytics (Steal thwatch v7.1.1 and earlier), make sure you create new users with unique names for v7.1.2 and later. We do not recommend using or duplicating the user names from earlier versions of Secure Network Analytics.
• Pou kontinye itilize non itilizatè ki te kreye nan v7.1.1 ak vèsyon anvan yo, nou rekòmande pou chanje yo an lokal sèlman nan Manadjè prensipal ou a ak nan Kliyan Desktop la. Gade Èd la pou enstriksyon yo.

Konfigirasyon Gwoup Idantite ak Itilizatè
Pou yon koneksyon itilizatè otorize, ou pral mape shell profiles pou itilizatè ou yo. Pou chak pwofesyonèl shellfile, ou ka bay wòl Administratè Prensipal la oubyen kreye yon konbinezon wòl ki pa administratè. Si ou bay yon pwofesyonèl shell wòl Administratè Prensipal lafile, pa gen okenn lòt wòl ki otorize. Si ou kreye yon konbinezon wòl ki pa administratè, asire w ke li satisfè egzijans yo.

Wòl Administratè Prensipal
Administratè prensipal la kapab view tout fonksyonalite epi chanje nenpòt bagay. Si ou bay yon pwofesyonèl shell wòl Administratè Prensipal lafile, pa gen okenn lòt wòl ki otorize.

Wòl	Valè Atribi
Primary Admin	cisco-stealth watch-master-admin

Konbinezon wòl ki pa administratè
Si ou kreye yon konbinezon wòl ki pa administratè pou pwofesyonèl shell ou afile, asire w ke li gen ladan l bagay sa yo:

• 1 Data role (only)
• 1 oswa plis Web wòl
• 1 oubyen plis wòl Kliyan Desktop

Pou plis detay, gade tablo Valè Atribi yo.

Si ou asiyen wòl Administratè Prensipal la bay yon pwofesyonèl shellfile, pa gen okenn lòt wòl ki otorize. Si ou kreye yon konbinezon wòl ki pa administratè, asire w ke li satisfè egzijans yo.

Valè Atribi
Pou plis enfòmasyon sou chak kalite wòl, klike sou lyen ki nan kolòn Wòl Obligatwa yo.

Required Roles	Valè Atribi
1 Data role (only)	cisco-stealth watch-all-data-read-and-write cisco-stealth watch-all-data-read-only
1 oswa plis Web wòl	cisco-stealth watch-configuration-manager cisco-stealth watch-power-analyst cisco-stealth watch-analyst
1 oubyen plis wòl Kliyan Desktop	cisco-stealth watch-desktop-stealth watch-power-user cisco-stealth watch-desktop-configuration-manager cisco-stealth watch-desktop-network-engineer cisco-stealth watch-desktop-security-analyst

Rezime Wòl yo
Nou bay yon rezime chak wòl nan tablo ki anba yo. Pou plis enfòmasyon sou wòl itilizatè yo nan Secure Network Analytics, gadeview paj Jesyon Itilizatè a nan seksyon Èd la.

Wòl Done yo
Asire w ou chwazi yon sèl wòl done.

Wòl Done	Otorizasyon
Tout Done (Lekti Sèlman)	Itilizatè a kapab view done nan nenpòt domèn oswa gwoup lame, oswa sou nenpòt aparèy oswa aparèy, men li pa ka fè okenn konfigirasyon.
Tout Done (Li & Ekri)	Itilizatè a kapab view epi konfigire done nan nenpòt domèn oswa gwoup lame, oswa sou nenpòt aparèy oswa aparèy.

Fonksyonalite espesifik (rechèch koule, jesyon règleman, klasifikasyon rezo, elatriye) ke itilizatè a kapab view ak/oswa konfigirasyon an detèmine pa itilizatè a web wòl.

Web Wòl

Web Wòl	Otorizasyon
Analist Pouvwa	Analist pouvwa a ka fè envestigasyon inisyal la sou trafik ak koule yo, epi tou konfigire règleman ak gwoup lame yo.
Manadjè Konfigirasyon	Manadjè Konfigirasyon an kapab view fonksyonalite ki gen rapò ak konfigirasyon.
Analis	Analist la ka fè premye envestigasyon an sou trafik ak koule yo.

Wòl Kliyan Desktop

Web Wòl	Otorizasyon
Manadjè Konfigirasyon	Manadjè Konfigirasyon an kapab view tout atik meni yo epi konfigire tout aparèy, aparèy, ak paramèt domèn yo.
Enjenyè rezo	Enjenyè Rezo a kapab view tout atik meni ki gen rapò ak trafik nan Kliyan Desktop la, ajoute nòt alam ak nòt lame, epi fè tout aksyon alam yo, eksepte mitigasyon.
Analis sekirite	Analist Sekirite a kapab view tout atik meni ki gen rapò ak sekirite, ajoute nòt alam ak nòt lame, epi fè tout aksyon alam yo, ki gen ladan rediksyon.
Itilizatè pwisan analiz rezo an sekirite	Itilizatè pwisan analiz rezo an sekirite a kapab view tout atik meni yo, rekonèt alam yo, epi ajoute nòt alam ak nòt lame a, men san posiblite pou chanje anyen.

Pwosesis finiview

Ou ka konfigire Cisco ISE pou bay TACACS+. Pou konfigire paramèt TACACS+ yo avèk siksè epi otorize TACACS+ nan Secure Network Analytics, asire w ou fin fè pwosedi sa yo:

Configure TACACS+ in ISE
Sèvi ak enstriksyon sa yo pou konfigire TACACS+ sou ISE. Konfigirasyon sa a pèmèt itilizatè TACACS+ a distans ou yo sou ISE konekte sou Secure Network Analytics.

Anvan ou Kòmanse
Anvan ou kòmanse enstriksyon sa yo, enstale epi konfigire ISE a avèk enstriksyon ki nan dokimantasyon ISE a pou motè ou a. Sa gen ladan l asire w ke sètifika ou yo byen konfigire.

Non itilizatè yo

• Kit ou konfigire non itilizatè yo a distans (nan ISE) oswa lokalman (nan Manadjè a), asire w ke tout non itilizatè yo inik. Nou pa rekòmande pou w kopye non itilizatè yo sou sèvè a distans ak Secure Network Analytics.
• Duplicated User Names: If a user logs in to the Manager, and they have the same user name configured in Secure Network Analytics and ISE, they will only access their local Manager/Secure Network
• Analytics data. They cannot access their remote TACACS+ data if their user name is duplicated.
• Non Itilizatè ki Sansib a Ka: Lè w ap konfigire itilizatè aleka yo, aktive sansiblite ka sou sèvè aleka a. Si ou pa aktive sansiblite ka sou sèvè aleka a, itilizatè yo ka pa kapab jwenn aksè a done yo lè yo konekte nan Secure Network Analytics.

Wòl itilizatè
Pou chak pwofesyonèl TACACS+file Nan ISE, ou ka bay wòl Administratè Prensipal la oubyen kreye yon konbinezon wòl ki pa administratè.

Si ou asiyen wòl Administratè Prensipal la bay yon pwofesyonèl shellfile, pa gen okenn lòt wòl ki otorize. Si ou kreye yon konbinezon wòl ki pa administratè, asire w ke li satisfè egzijans yo. Pou plis enfòmasyon sou wòl itilizatè yo, gade Wòl Itilizatè Plis paseview.

Enable Device Administration in ISE
Sèvi ak enstriksyon sa yo pou ajoute sèvis TACACS+ la nan ISE.

1. Log in to your ISE as an admin.
2. Select Work Centers > Device Administration > Overview.
   If Device Administration is not shown in Work Centers, go to Administration System > Licensing. In the Licensing section, confirm the Device Administration License is shown. If it is not shown, add the license to your account.
3.  Select Deployment.
4. Select All Policy Service Nodes or Specific Nodes.
5. In the TACACS Ports field, enter 49.
6. Klike sou Save.

 Create TACACS+ Profiles
Sèvi ak enstriksyon sa yo pou ajoute TACACS+ shell profiles pou ISE. Ou pral sèvi ak enstriksyon sa yo tou pou asiyen wòl ki nesesè yo bay pwofesyonèl shell la.file.

1. Select Work Centers > Device Administration > Policy Elements.
2. Select Results > TACACS Profiles.
3. Klike sou Ajoute.
4. In the Name field, enter a unique user name.
   Pou plis detay sou non itilizatè yo, gade Wòl Itilizatè yo.view.
5. In the Common Task Type drop-down, select Shell.
6. In the Custom Attributes section, click Add.
7. In the Type field, select Mandatory.
8. In the Name field, enter role.
9. In the Value field, enter the attribute value for Primary Admin or build a combination of non-admin roles.
   • Save: Click the Check icon to save the role.
   • Combination of Non-Admin Roles: If you create a combination of non-admin roles, repeat steps 5 through 8 until you have added a row for each required role (Data role, Web wòl, ak wòl Kliyan Desktop).

Wòl Administratè Prensipal
Administratè prensipal la kapab view tout fonksyonalite epi chanje nenpòt bagay. Si ou bay yon pwofesyonèl shell wòl Administratè Prensipal lafile, pa gen okenn lòt wòl ki otorize.

Wòl	Valè Atribi
Primary Admin	cisco-stealth watch-master-admin

Konbinezon wòl ki pa administratè

Si ou kreye yon konbinezon wòl ki pa administratè pou pwofesyonèl shell ou afile, asire w ke li gen ladan l bagay sa yo:

• 1 Data role (only): make sure you select only one data role
• 1 oswa plis Web wòl
• 1 oubyen plis wòl Kliyan Desktop

Required Roles	Valè Atribi
1 Data role (only)	cisco-stealth watch-all-data-read-and-write cisco-stealth watch-all-data-read-only
1 oswa plis Web wòl	cisco-stealth watch-configuration-manager cisco-stealth watch-power-analyst cisco-stealth watch-analyst
1 oubyen plis wòl Kliyan Desktop	cisco-stealth watch-desktop-stealth watch-power-user cisco-stealth watch-desktop-configuration-manager cisco-stealth watch-desktop-network-engineer cisco-stealth watch-desktop-security-analyst

Si ou asiyen wòl Administratè Prensipal la bay yon pwofesyonèl shellfile, pa gen okenn lòt wòl ki otorize. Si ou kreye yon konbinezon wòl ki pa administratè, asire w ke li satisfè egzijans yo.

Klike sou Save.

1. Repeat the steps in 2. Create TACACS+ Profiles to add any additional TACACS+ shell profiles pou ISE.

Anvan ou kontinye nan 3. Map Shell ProfilePou Gwoup oswa Itilizatè, ou bezwen kreye Itilizatè, Gwoup Idantite Itilizatè (opsyonèl), ak ansanm kòmand TACACS+. Pou enstriksyon sou kijan pou kreye Itilizatè, Gwoup Idantite Itilizatè, ak ansanm kòmand TACACS+, gade dokimantasyon ISE pou motè ou a.

 Map Shell Profiles pou Gwoup oswa Itilizatè
Sèvi ak enstriksyon sa yo pou trase yon map shell pro ou a.files nan règ otorizasyon ou yo.

1. Select Work Centers > Device Administration > Device Admin Policy Sets.
2. Locate your policy set name. Click the Arrow icon.
3. Locate your authorization policy. Click theArrow icon.
4. Click the + Plus icon.
5. In the Conditions field, click the + Plus icon. Configure the policy conditions.
   • User Identity Group: If you have configured a user identity group, you can create a condition such as “Internal User.Identity Group”.
     Pou egzanpample, “Internal User. Identity Group EQUALS <Group Name>” to match a specific user identity group.
   • Individual User: If you have configured an individual user, you can create a condition such as “Internal User. Name”.
     Pou egzanpample, “Internal User. Name EQUALS <User Name>” to match a specific user.
     Help: For Conditions Studio instructions, click the ? Help icon.
6. In the Shell Profilejaden s, chwazi pwofesyonèl koki afile ou te kreye nan 2. Kreye TACACS+ Profiles.
7. Repeat the steps in 3. Map Shell Profiles nan Gwoup oswa Itilizatè jiskaske ou fin trase tout pwogram shell yo.files nan règ otorizasyon ou yo.

Add Secure Network Analytics as a Network Device

1. Select Administration > Network Resources > Network Devices.
2. Select Network Devices, click +Add.
3. Complete the information for your primary Manager, including the following fields:
   • Name: Enter the name of your Manager.
   • IP Address: Enter the Manager IP address.
   • Shared Secret: Enter the shared secret key.
4. Klike sou Save.
5. Confirm the network device is saved to the Network Devices list.
6. Go to 2. Enable TACACS+ Authorization in Secure Network Analytics.

Enable TACACS+ Authorization in Secure

Rezo Analytics
Sèvi ak enstriksyon sa yo pou ajoute sèvè TACACS+ la nan Secure Network Analytics epi aktive otorizasyon a distans.
Se sèlman yon Administratè Prensipal ki ka ajoute sèvè TACACS+ la nan Secure Network Analytics.
Ou ka ajoute yon sèl sèvè TACACS+ nan sèvis otantifikasyon TACACS+ la.

1. Log in to your primary Manager.
2. From the main menu, select Configure > Global > User Management.
3. Click the Authentication and Authorization tab.
4. Click Create. Select Authentication Service.
5. Click the Authentication Service drop-down. Select TACACS+.
6. Complete the fields:
   

   Jaden	Nòt
   Authentication Service
   Non	Antre yon non inik pou idantifye sèvè a.
   Deskripsyon	Antre yon deskripsyon ki presize kijan oswa poukisa y ap itilize sèvè a.
   Delè kach (Segond)	Kantite tan (an segonn) yon non itilizatè oswa yon modpas konsidere kòm valab anvan Secure Network Analytics mande pou yo antre enfòmasyon yo ankò.
   Prefiks	Jaden sa a opsyonèl. Yo mete chèn prefiks la nan kòmansman non itilizatè a lè yo voye non an bay sèvè RADIUS oswa TACACS+ la. Pa egzanpample, if the user name is zoe and the realm prefix is DOMAIN-

   	A\, the user name DOMAIN-A\zoe is sent to the server. If you do not configure the Prefix field, only the user name is sent to the server.
   Sifiks	Jaden sa a opsyonèl. Yo mete chèn sifiks la nan fen non itilizatè a. Pa egzanpample, if the suffix is  mydomain.com, the username zoe@mydomain.com is sent to the TACACS+ server. If you do not configure the Suffix field, only the user name is sent to the server.
   Sèvè
   Adrès IP	Sèvi ak adrès IPv4 oswa IPv6 lè w ap konfigire sèvis otantifikasyon yo.
   Port	Antre nenpòt nimewo ant 0 rive 65535 ki koresponn ak pò ki aplikab la.
   Kle sekrè	Antre kle sekrè ki te configuré pou sèvè ki aplikab la.

7.  Klike sou Save.
   The new TACACS+ server is added, and information for the server displays.
8.  Click the Actions menu for the TACACS+ server.
9. Select Enable Remote Authorization from the drop-down menu.
10. Follow the on-screen prompts to enable TACACS+.

Test Remote TACACS+ User Login
Swiv enstriksyon sa yo pou konekte sou Manadjè a. Pou otorizasyon TACACS+ a distans, asire w ke tout itilizatè yo konekte atravè Manadjè a.

To log in to an appliance directly and use the Appliance Administration, log in locally.

1. In the address field of your browser, type the following: https://followed by the IP address of your Manager.
2. Enter the user name and password of a remote TACACS+ user.
3. Si yon itilizatè pa ka konekte nan Manadjè a, re-view seksyon an Depanaj.

Depanaj

Si ou rankontre nenpòt nan sitiyasyon depanaj sa yo, kontakte administratè ou a pou l re-view konfigirasyon an avèk solisyon nou bay yo la a. Si administratè w la pa ka rezoud pwoblèm yo, tanpri kontakte Sipò Cisco.

Senaryo

Senaryo	Nòt
A specific TACACS+ user cannot log in	Review the Audit Log for user login failure with Illegal Mappings or Envalid Combination of Roles. This can happen if the identity group shell profile includes Primary Admin and additional roles, or if the combination of non-admin roles does not meet the requirements. Refer to Wòl itilizatè Plis paseview pou detay.  Make sure the TACACS+ user name is not the same as a local (Secure Network Analytics) user name. Refer to Wòl itilizatè yo finiview pou detay.
Tout itilizatè TACACS+ pa ka konekte.	Check the TACACS+ configuration in Secure Network Analytics.  Check the configuration on the TACACS+ server.  Make sure the TACACS+ server is running.  Make sure the TACACS+ service is enabled in Secure Network Analytics:  There can be multiple authentication servers defined, but only one can be enabled for authorization. Refer to 2. Enable TACACS+ Authorization in Secure Network Analytics pou detay.  To enable authorization for a specific TACACS+ server, refer to 2. Pèmèt TACACS+ Authorization in Secure Rezo Analytics pou detay.

Lè yon itilizatè konekte, li ka sèlman jwenn aksè nan Manadjè a lokalman.

If a user exists with the same user name in Secure Network Analytics (local) and the TACACS+ server (remote), the local login overrides the remote login. Refer to Wòl itilizatè yo finiview pou detay.

Kontakte Sipò
Si w bezwen sipò teknik, tanpri fè youn nan bagay sa yo:

• Kontakte patnè Cisco lokal ou a
• Kontakte Sipò Cisco
• Pou louvri yon ka pa web: http://www.cisco.com/c/en/us/support/index.html
• Pou sipò telefòn: 1-800-553-2447 (US)
• Pou nimewo sipò atravè lemond: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

Chanje Istwa

Vèsyon dokiman an	Dat Pibliye	Deskripsyon
1_0	21 out 2025	Premye vèsyon.

Enfòmasyon sou Copyright
Cisco ak logo Cisco a se mak komèsyal oswa mak anrejistre Cisco ak/oswa afilye li yo nan peyi Etazini ak lòt peyi yo. Pou view yon lis mak Cisco, ale nan sa a URL: https://www.cisco.com/go/trademarks. Mak twazyèm pati mansyone yo se pwopriyete pwopriyetè respektif yo. Itilizasyon mo patnè a pa vle di yon relasyon patenarya ant Cisco ak nenpòt lòt konpayi. (1721R)

© 2025 Cisco Systems, Inc. ak/oswa afilye li yo. Tout dwa rezève.

FAQ

Can TACACS+ be used with Compliance Mode enabled?

No, TACACS+ authentication and authorization do not support Compliance Mode. Ensure Compliance Mode is disabled when using TACACS+.

Dokiman / Resous

Cisco TACACS+ Analiz Rezo An Sekirite [pdfGid Itilizatè 7.5.3, TACACS Analiz Rezo An Sekirite, TACACS, Analiz Rezo An Sekirite, Analiz Rezo, Analiz

Referans

• Manyèl itilizatè