Cisco TACACS+ Secure Network Analytics

Introduction

Terminal Access Controller Access-Control System (TACACS+) is a protocol that supports authentication and authorization services and allows a user to access multiple applications with one set of credentials. Use the following instructions to configure TACACS+ for Cisco Secure Network Analytics (formerly Stealth watch).

Audience
The intended audience for this guide includes network administrators and other personnel who are responsible for installing and configuring Secure Network Analytics products. If you prefer to work with a professional installer, please contact your local Cisco Partner or contact Cisco Support.

Terminology
This guide uses the term “appliance” for any Secure Network Analytics product, including virtual products such as the Cisco Secure Network Analytics Flow Sensor Virtual Edition. A “cluster” is your group of Secure Network Analytics appliances that are managed by the Cisco Secure Network Analytics Manager (formerly Steal thwatch Management Console or SMC).

In v7.4.0 we rebranded our Cisco Stealth watch Enterprise products to Cisco Secure Network Analytics. For a complete list, refer to the Release Notes. In this guide, you will see our former product name Stealth watch, used whenever necessary to maintain clarity, as well as terminology such as Stealth watch Management Console and SMC.

Compatibility
For TACACS+ authentication and authorization, make sure all users log in through the Manager. To log in to an appliance directly and use the Appliance Administration, log in locally. The following features are not available when TACACS+ is enabled: FIPS, Compliance Mode.

Response Management
Response Management is configured in your Manager. To receive email alerts, scheduled reports, etc. make sure the user is configured as a local user on the Manager. Go to Configure > Detection > Response Management, and refer to the Help for instructions.

Failover
Please note the following information if you’ve configured your Managers as a failover pair:

• TACACS+ is only available on the primary Manager. TACACS+ is not supported on the secondary Manager.
• If TACACS+ is configured on the primary Manager, the TACACS+ user information is not available on the secondary Manager. Before you can use configured external authentication services on a secondary Manager, you need to promote the secondary Manager to primary.
• If you promote the secondary Manager to primary:
• Enable TACACS+ and remote authorization on the secondary Manager.
• Any external users logged into the demoted primary Manager will be logged out.
• The secondary Manager does not retain user data from the primary Manager, so any data saved on the primary Manager is not available on the new (promoted) primary Manager.
• Once the remote user logs in to the new primary Manager for the first time, the user directories will be created and the data is saved going forward.
• Review Failover Instructions: For more information, refer to the Failover Configuration Guide.

Preparation

You can configure TACACS+ on Cisco Identity Services Engine (ISE). We recommend using Cisco Identity Services Engine (ISE) for centralized authentication and authorization. However, you can also deploy a standalone TACACS+ server or integrate any other compatible authentication server according to your specific requirements.

Make sure you have everything you need to start the configuration.

Requirement	Details
Cisco Identity Services Engine (ISE)	Install and configure ISE using the instructions in the ISE documentation for your engine.You will need the IP address, port, and shared secret key for the configuration. You will also need the Device Administration license.
TACACS+ Server	You will need the IP address, port, and shared secret key for the configuration.
Desktop Client	You will use the Desktop Client for this configuration if you want to use custom desktop roles. To install the Desktop Client, refer to the Cisco Secure Network Analytics System Configuration Guide that matches your Secure Network Analytics version.

User Roles Overview

This guide includes instructions for configuring your TACACS+ users for remote authentication and authorization. Before you start the configuration, review the details in this section to ensure you configure your users correctly.

Configuring User Names
For remote authentication and authorization, you can configure your users in ISE. For local authentication and authorization, configure your users in the Manager.

• Remote: To configure your users in ISE, follow the instructions in this configuration guide.
• Local: To configure your users locally only, log in to the Manager. From the main menu, select Configure > Global > User Management. Select Help for instructions.

Case-Sensitive User Names
When you configure remote users, enable case-sensitivity on the remote server. If you do not enable case-sensitivity on the remote server, users may not be able to access their data when they log in to Secure Network Analytics.

Duplicated User Names

• Whether you configure user names remotely (in ISE) or locally (in the Manager), make sure all user names are unique. We do not recommend duplicating user names across remote servers and Secure  Network Analytics.
• If a user logs in to the Manager, and they have the same user name configured in Secure Network Analytics and ISE, they will only access their local Manager/Secure Network Analytics data. They cannot access their remote TACACS+ data if their user name is duplicated.

Earlier Versions

• If you’ve configured TACACS+ in an earlier version of Cisco Secure Network Analytics (Steal thwatch v7.1.1 and earlier), make sure you create new users with unique names for v7.1.2 and later. We do not recommend using or duplicating the user names from earlier versions of Secure Network Analytics.
• To continue using user names that were created in v7.1.1 and earlier, we recommend changing them to local only in your primary Manager and the Desktop Client. Refer to the Help for instructions.

Configuring Identity Groups and Users
For an authorized user login, you will map shell profiles to your users. For each shell profile, you can assign the Primary Admin role or create a combination of non-admin roles. If you assign the Primary Admin role to a shell profile, no additional roles are permitted. If you create a combination of non-admin roles, make sure it meets the requirements.

Primary Admin Role
Primary Admin can view all functionality and change anything. If you assign the Primary Admin role to a shell profile, no additional roles are permitted.

Role	Attribute Value
Primary Admin	cisco-stealth watch-master-admin

Combination of Non-Admin Roles
If you create a combination of non-admin roles for your shell profile, make sure it includes the following:

• 1 Data role (only)
• 1 or more Web role
• 1 or more Desktop Client role

For details, refer to the Attribute Values table.

If you assign the Primary Admin role to a shell profile, no additional roles are permitted. If you create a combination of non-admin roles, make sure it meets the requirements.

Attribute Values
For more information about each type of role, click the link in the Required Roles column.

Required Roles	Attribute Value
1 Data role (only)	cisco-stealth watch-all-data-read-and-write cisco-stealth watch-all-data-read-only
1 or more Web role	cisco-stealth watch-configuration-manager cisco-stealth watch-power-analyst cisco-stealth watch-analyst
1 or more Desktop Client role	cisco-stealth watch-desktop-stealth watch-power-user cisco-stealth watch-desktop-configuration-manager cisco-stealth watch-desktop-network-engineer cisco-stealth watch-desktop-security-analyst

Roles Summary
We’ve provided a summary of each role in the following tables. For more information about user roles in Secure Network Analytics, review the User Management page in Help.

Data Roles
Make sure you choose only one data role.

Data Role	Permissions
All Data (Read Only)	The user can view data in any domain or host group, or on any appliance or device, but cannot make any configurations.
All Data (Read & Write)	The user can view and configure data in any domain or host group, or on any appliance or device.

The specific functionality (flow search, policy management, network classification, etc.) that the user can view and/or configure is determined by the user’s web role.

Web Roles

Web Role	Permissions
Power Analyst	The Power Analyst can perform the initial investigation into traffic and flows as well as configure policies and host groups.
Configuration Manager	The Configuration Manager can view configuration-related functionality.
Analyst	The Analyst can perform the initial investigation into traffic and flows.

Desktop Client Roles

Web Role	Permissions
Configuration Manager	The Configuration Manager can view all menu items and configure all appliances, devices, and domain settings.
Network Engineer	The Network Engineer can view all traffic-related menu items within the Desktop Client, append alarm and host notes, and perform all alarm actions, except mitigation.
Security Analyst	The Security Analyst can view all security-related menu items, append alarm and host notes, and perform all alarm actions, including mitigation.
Secure Network Analytics Power User	The Secure Network Analytics Power User can view all menu items, acknowledge alarms, and append alarm and host notes, but without the ability to change anything.

Process Overview

You can configure Cisco ISE to provide TACACS+. To successfully configure TACACS+ settings and authorize TACACS+ in Secure Network Analytics, make sure you complete the following procedures:

Configure TACACS+ in ISE
Use the following instructions to configure TACACS+ on ISE. This configuration enables your remote TACACS+ users on ISE to log in to Secure Network Analytics.

Before you Begin
Before you start these instructions, install and configure ISE using the instructions in the ISE documentation for your engine. This includes making sure your certificates are set up correctly.

User Names

• Whether you configure user names remotely (in ISE) or locally (in the Manager), make sure all user names are unique. We do not recommend duplicating user names across remote servers and Secure Network Analytics.
• Duplicated User Names: If a user logs in to the Manager, and they have the same user name configured in Secure Network Analytics and ISE, they will only access their local Manager/Secure Network
• Analytics data. They cannot access their remote TACACS+ data if their user name is duplicated.
• Case-Sensitive User Names: When you configure remote users, enable case-sensitivity on the remote server. If you do not enable case-sensitivity on the remote server, users may not be able to access their data when they log in to Secure Network Analytics.

User Roles
For each TACACS+ profile in ISE, you can assign the Primary Admin role or create a combination of non-admin roles.

If you assign the Primary Admin role to a shell profile, no additional roles are permitted. If you create a combination of non-admin roles, make sure it meets the requirements. For more information about user roles, refer to User Roles Overview.

Enable Device Administration in ISE
Use the following instructions to add the TACACS+ service to ISE.

1. Log in to your ISE as an admin.
2. Select Work Centers > Device Administration > Overview.
   If Device Administration is not shown in Work Centers, go to Administration System > Licensing. In the Licensing section, confirm the Device Administration License is shown. If it is not shown, add the license to your account.
3.  Select Deployment.
4. Select All Policy Service Nodes or Specific Nodes.
5. In the TACACS Ports field, enter 49.
6. Click Save.

 Create TACACS+ Profiles
Use the following instructions to add TACACS+ shell profiles to ISE. You will also use these instructions to assign the required roles to the shell profile.

1. Select Work Centers > Device Administration > Policy Elements.
2. Select Results > TACACS Profiles.
3. Click Add.
4. In the Name field, enter a unique user name.
   For details about user names refer to User Roles Overview.
5. In the Common Task Type drop-down, select Shell.
6. In the Custom Attributes section, click Add.
7. In the Type field, select Mandatory.
8. In the Name field, enter role.
9. In the Value field, enter the attribute value for Primary Admin or build a combination of non-admin roles.
   • Save: Click the Check icon to save the role.
   • Combination of Non-Admin Roles: If you create a combination of non-admin roles, repeat steps 5 through 8 until you have added a row for each required role (Data role, Web role, and Desktop Client role).

Primary Admin Role
Primary Admin can view all functionality and change anything. If you assign the Primary Admin role to a shell profile, no additional roles are permitted.

Role	Attribute Value
Primary Admin	cisco-stealth watch-master-admin

Combination of Non-Admin Roles

If you create a combination of non-admin roles for your shell profile, make sure it includes the following:

• 1 Data role (only): make sure you select only one data role
• 1 or more Web role
• 1 or more Desktop Client role

Required Roles	Attribute Value
1 Data role (only)	cisco-stealth watch-all-data-read-and-write cisco-stealth watch-all-data-read-only
1 or more Web role	cisco-stealth watch-configuration-manager cisco-stealth watch-power-analyst cisco-stealth watch-analyst
1 or more Desktop Client role	cisco-stealth watch-desktop-stealth watch-power-user cisco-stealth watch-desktop-configuration-manager cisco-stealth watch-desktop-network-engineer cisco-stealth watch-desktop-security-analyst

If you assign the Primary Admin role to a shell profile, no additional roles are permitted. If you create a combination of non-admin roles, make sure it meets the requirements.

Click Save.

1. Repeat the steps in 2. Create TACACS+ Profiles to add any additional TACACS+ shell profiles to ISE.

Before you proceed to 3. Map Shell Profiles to Groups or Users, you need to create Users, User Identity Group (optional), and TACACS+ command sets. For instructions on how to create Users, User Identity Group, and TACACS+ command sets, refer to ISE documentation for your engine.

 Map Shell Profiles to Groups or Users
Use the following instructions to map your shell profiles to your authorization rules.

1. Select Work Centers > Device Administration > Device Admin Policy Sets.
2. Locate your policy set name. Click the Arrow icon.
3. Locate your authorization policy. Click theArrow icon.
4. Click the + Plus icon.
5. In the Conditions field, click the + Plus icon. Configure the policy conditions.
   • User Identity Group: If you have configured a user identity group, you can create a condition such as “Internal User.Identity Group”.
     For example, “Internal User. Identity Group EQUALS <Group Name>” to match a specific user identity group.
   • Individual User: If you have configured an individual user, you can create a condition such as “Internal User. Name”.
     For example, “Internal User. Name EQUALS <User Name>” to match a specific user.
     Help: For Conditions Studio instructions, click the ? Help icon.
6. In the Shell Profiles field, select the shell profile you created in 2. Create TACACS+ Profiles.
7. Repeat the steps in 3. Map Shell Profiles to Groups or Users until you have mapped all shell profiles to your authorization rules.

Add Secure Network Analytics as a Network Device

1. Select Administration > Network Resources > Network Devices.
2. Select Network Devices, click +Add.
3. Complete the information for your primary Manager, including the following fields:
   • Name: Enter the name of your Manager.
   • IP Address: Enter the Manager IP address.
   • Shared Secret: Enter the shared secret key.
4. Click Save.
5. Confirm the network device is saved to the Network Devices list.
6. Go to 2. Enable TACACS+ Authorization in Secure Network Analytics.

Enable TACACS+ Authorization in Secure

Network Analytics
Use the following instructions to add the TACACS+ server to Secure Network Analytics and enable remote authorization.
Only a Primary Admin can add the TACACS+ server to Secure Network Analytics.
You can add only one TACACS+server to the TACACS+ authentication service.

1. Log in to your primary Manager.
2. From the main menu, select Configure > Global > User Management.
3. Click the Authentication and Authorization tab.
4. Click Create. Select Authentication Service.
5. Click the Authentication Service drop-down. Select TACACS+.
6. Complete the fields:
   

   Field	Notes
   Authentication Service
   Name	Enter a unique name to identify the server.
   Description	Enter a description which specifies how or why the server is being used.
   Cache Timeout (Seconds)	The amount of time (in seconds) that a user name or password is considered valid before Secure Network Analytics requires re-entry of the information.
   Prefix	This field is optional. The prefix string is placed at the beginning of the user name when the name is sent to the RADIUS or TACACS+ server. For example, if the user name is zoe and the realm prefix is DOMAIN-

   	A\, the user name DOMAIN-A\zoe is sent to the server. If you do not configure the Prefix field, only the user name is sent to the server.
   Suffix	This field is optional. The suffix string is placed at end of the user name. For example, if the suffix is  mydomain.com, the username zoe@mydomain.com is sent to the TACACS+ server. If you do not configure the Suffix field, only the user name is sent to the server.
   Server
   IP Address	Use either IPv4 or IPv6 addresses when configuring authentication services.
   Port	Enter any numbers from 0 to 65535 which correspond to the applicable port.
   Secret Key	Enter the secret key that was configured for the applicable server.

7.  Click Save.
   The new TACACS+ server is added, and information for the server displays.
8.  Click the Actions menu for the TACACS+ server.
9. Select Enable Remote Authorization from the drop-down menu.
10. Follow the on-screen prompts to enable TACACS+.

Test Remote TACACS+ User Login
Use the following instructions to log in to the Manager. For remote TACACS+ authorization, make sure all users log in through the Manager.

To log in to an appliance directly and use the Appliance Administration, log in locally.

1. In the address field of your browser, type the following: https://followed by the IP address of your Manager.
2. Enter the user name and password of a remote TACACS+ user.
3. If a user cannot log in to the Manager, review the Troubleshooting section.

Troubleshooting

If you encounter any of these troubleshooting scenarios, contact your administrator to review the configuration with the solutions we’ve provided here. If your admin cannot resolve the issues, please contact Cisco Support.

Scenarios

Scenario	Notes
A specific TACACS+ user cannot log in	Review the Audit Log for user login failure with Illegal Mappings or Invalid Combination of Roles. This can happen if the identity group shell profile includes Primary Admin and additional roles, or if the combination of non-admin roles does not meet the requirements. Refer to User Roles Overview for details.  Make sure the TACACS+ user name is not the same as a local (Secure Network Analytics) user name. Refer to User Roles Overview for details.
All TACACS+ users cannot log in	Check the TACACS+ configuration in Secure Network Analytics.  Check the configuration on the TACACS+ server.  Make sure the TACACS+ server is running.  Make sure the TACACS+ service is enabled in Secure Network Analytics:  There can be multiple authentication servers defined, but only one can be enabled for authorization. Refer to 2. Enable TACACS+ Authorization in Secure Network Analytics for details.  To enable authorization for a specific TACACS+ server, refer to 2. Enable TACACS+ Authorization in Secure Network Analytics for details.

When a user logs in, they can only accesses the Manager locally

If a user exists with the same user name in Secure Network Analytics (local) and the TACACS+ server (remote), the local login overrides the remote login. Refer to User Roles Overview for details.

Contacting Support
If you need technical support, please do one of the following:

• Contact your local Cisco Partner
• Contact Cisco Support
• To open a case by web: http://www.cisco.com/c/en/us/support/index.html
• For phone support: 1-800-553-2447 (U.S.)
• For worldwide support numbers: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

Change History

Document Version	Published Date	Description
1_0	August 21, 2025	Initial version.

Copyright Information
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)

© 2025 Cisco Systems, Inc. and/or its affiliates. All rights reserved.

FAQ

Can TACACS+ be used with Compliance Mode enabled?

No, TACACS+ authentication and authorization do not support Compliance Mode. Ensure Compliance Mode is disabled when using TACACS+.

Documents / Resources

Cisco TACACS+ Secure Network Analytics [pdf] User Guide 7.5.3, TACACS Secure Network Analytics, TACACS, Secure Network Analytics, Network Analytics, Analytics

References

• User Manual