I recently ran into this issue at work where we wanted to connect a Cisco Catalyst Center (CatC) to a Cisco Identity Services Engine (ISE) server. There is an ISE integration, but for this use case we only want to connect the CatC to ISE using TACACS.
Begin by logging into the maglev console of the CatC. Once logged in, run the following command so that login works via the external AAA server while local admin users can still log in when external authentication fails (this fallback is what keeps you from locking yourself out if ISE is unreachable or the policy set is wrong):
magctl rbac external_auth_fallback enable
Go to System > Settings > External Services > Authentication and Policy Servers and add your ISE server as an AAA server with the TACACS protocol. The shared secret you enter here must match the one you configure for the CatC network device on the ISE side.
Then go to System > Users & Roles > External Authentication, select the new TACACS server as the primary AAA server, and tick “Enable External User”.
That should be it for the CatC side. Now for the ISE side:
First, add the CatC as a network device in ISE (Administration > Network Resources > Network Devices) with the Device Admin (TACACS+) option enabled and the same shared secret; ISE does not answer TACACS requests from devices it does not know.
Then create a “TACACS Profile” (Work Centers > Device Administration > Policy Elements > Results > TACACS Profiles) for the CatC role that you want to assign the user to. The profile carries a custom attribute named Cisco-AVPair with the value Role=<role name>, for example Role=SUPER-ADMIN-ROLE.
Note that the “Role” specified here will be the role that the user is assigned to in CatC. The built-in roles are SUPER-ADMIN-ROLE, NETWORK-ADMIN-ROLE and OBSERVER-ROLE; a custom CatC role can be used as well, with its exact name.
Then create the relevant Device Admin Policy Set: its authentication rule decides where the user is looked up (internal users, AD, LDAP), and its authorization rule returns the TACACS profile above as the shell profile for the users or groups that should get that role.
Done!
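Before you switch CatC over to external authentication, it is worth confirming that ISE actually hands back the Role attribute for a test user. The script below is an added example, not part of the original post or of Cisco's tooling: it performs the same TACACS+ exchange CatC does (authenticate, then authorize) using the third-party tacacs_plus Python library, and parses the Cisco-AVPair attribute out of the authorization reply. The ISE address, shared secret, credentials and the `service=shell` authorization argument are assumed placeholders; adjust the arguments to whatever your Device Admin policy set matches on.

```python
"""Check which Catalyst Center role ISE returns for a user over TACACS+.

Added example (not from the original post). Requires `pip install tacacs_plus`
for the live exchange; the parsing helpers below work without it.
"""
import sys

# Built-in Catalyst Center roles; a custom role name is also valid.
KNOWN_ROLES = {"SUPER-ADMIN-ROLE", "NETWORK-ADMIN-ROLE", "OBSERVER-ROLE"}


def parse_role(arguments):
    """Extract the CatC role from TACACS+ authorization reply attributes.

    `arguments` is a list of str or bytes such as b"Cisco-AVPair=Role=OBSERVER-ROLE".
    In TACACS+ a mandatory attribute separates name and value with '=',
    an optional one with '*'; both are accepted here.
    Returns the role name, or None if no Role attribute is present.
    """
    for arg in arguments:
        if isinstance(arg, bytes):
            arg = arg.decode("utf-8", "replace")
        # The first '=' or '*' splits attribute name from value.
        positions = [arg.find(c) for c in ("=", "*") if arg.find(c) != -1]
        if not positions:
            continue
        idx = min(positions)
        name, value = arg[:idx], arg[idx + 1:]
        # Accept "Cisco-AVPair" / "cisco-av-pair" regardless of case or hyphens.
        if name.lower().replace("-", "") != "ciscoavpair":
            continue
        if value[:5].lower() == "role=":
            return value[5:]
    return None


def is_known_role(role):
    """True when the role is one of the built-in Catalyst Center roles."""
    return role in KNOWN_ROLES


def fetch_role(host, secret, username, password, port=49):
    """Authenticate and authorize `username` against ISE; return the role.

    Raises RuntimeError when authentication or authorization is rejected.
    Assumed: ISE matches this request with its Device Admin policy set; the
    `service=shell` argument is a placeholder for whatever your rules expect.
    """
    from tacacs_plus.client import TACACSClient  # lazy import, see module docstring

    client = TACACSClient(host, port, secret, timeout=10)
    authen = client.authenticate(username, password)
    if not authen.valid:
        raise RuntimeError("authentication rejected by ISE")
    author = client.authorize(username, arguments=[b"service=shell", b"cmd="])
    if not author.valid:
        raise RuntimeError("authorization rejected by ISE")
    return parse_role(author.arguments)


if __name__ == "__main__":
    # Placeholder values; replace with your ISE PSN, shared secret and test user.
    ISE_HOST, SHARED_SECRET = "198.51.100.10", "change-me"
    USER, PASSWORD = "catc-test-user", "change-me"
    role = fetch_role(ISE_HOST, SHARED_SECRET, USER, PASSWORD)
    if role is None:
        print("ISE accepted the user but returned no Role attribute; "
              "check the TACACS profile's Cisco-AVPair value")
        sys.exit(1)
    print(f"ISE returned role {role!r} "
          f"({'built-in' if is_known_role(role) else 'custom or misspelled'})")
```

Run it once per role mapping you created. A rejected authentication points at the policy set's authentication rule or identity source, a successful login with no Role attribute points at the TACACS profile, and an unknown role name usually means a typo in the Cisco-AVPair value.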