Cisco TACACS+ Secure Network Analytics User Guide

The Cisco Secure Network Analytics, also known as Stealthwatch,
utilizes the Terminal Access Controller Access-Control System
(TACACS+) protocol for authentication and authorization services.
It allows users to access multiple applications with a single set
of credentials.

Product Usage Instructions

Introduction

To configure TACACS+ for Cisco Secure Network Analytics, follow
the steps outlined in this guide.

Audience

This guide is intended for network administrators and personnel
responsible for installing and configuring Secure Network Analytics
products. For professional installation, contact a local Cisco
Partner or Cisco Support.

Terminology

The guide refers to the product as an appliance, including
virtual products like the Cisco Secure Network Analytics Flow
Sensor Virtual Edition. Clusters are groups of appliances managed
by the Cisco Secure Network Analytics Manager.

Compatibility

Ensure all users log in through the Manager for TACACS+
authentication and authorization. Some features like FIPS and
Compliance Mode are not available when TACACS+ is enabled.

Response Management

Configure Response Management in the Manager to receive email
alerts, reports, etc. Users need to be configured as local users on
the Manager for this feature.

Failover

When using Managers in a failover pair, note that TACACS+ is
only available on the primary Manager. If configured on the primary
Manager, TACACS+ is not supported on the secondary Manager. Promote
the secondary Manager to primary to use external authentication
services on it.

FAQ

Q: Can TACACS+ be used with Compliance Mode enabled?

A: No, TACACS+ authentication and authorization do not support
Compliance Mode. Ensure Compliance Mode is disabled when using
TACACS+.

“`

View Fullscreen

Cisco Secure Network Analytics
TACACS+ Configuration Guide 7.5.3

Table of Contents

Introduction

Audience

Terminology

Compatibility

Response Management

Failover

Preparation

User Roles Overview

Configuring User Names

Case-Sensitive User Names

Duplicated User Names

Earlier Versions

Configuring Identity Groups and Users

Primary Admin Role

Combination of Non-Admin Roles

Attribute Values

Roles Summary

Data Roles

Web Roles

Desktop Client Roles

Process Overview

1. Configure TACACS+ in ISE

Before you Begin

User Names

User Roles

1. Enable Device Administration in ISE

2. Create TACACS+ Profiles

Primary Admin Role

-2-

Combination of Non-Admin Roles

3. Map Shell Profiles to Groups or Users

4. Add Secure Network Analytics as a Network Device

2. Enable TACACS+ Authorization in Secure Network Analytics

3. Test Remote TACACS+ User Login

Troubleshooting

Scenarios

Contacting Support

Change History

-3-

Introduction
Introduction
Terminal Access Controller Access-Control System (TACACS+) is a protocol that supports authentication and authorization services and allows a user to access multiple applications with one set of credentials. Use the following instructions to configure TACACS+ for Cisco Secure Network Analytics (formerly Stealthwatch).
Audience
The intended audience for this guide includes network administrators and other personnel who are responsible for installing and configuring Secure Network Analytics products.
If you prefer to work with a professional installer, please contact your local Cisco Partner or contact Cisco Support.
Terminology
This guide uses the term “appliance” for any Secure Network Analytics product, including virtual products such as the Cisco Secure Network Analytics Flow Sensor Virtual Edition.
A “cluster” is your group of Secure Network Analytics appliances that are managed by the Cisco Secure Network Analytics Manager (formerly Stealthwatch Management Console or SMC).
In v7.4.0 we rebranded our Cisco Stealthwatch Enterprise products to Cisco Secure Network Analytics. For a complete list, refer to the Release Notes. In this guide, you will see our former product name, Stealthwatch, used whenever necessary to maintain clarity, as well as terminology such as Stealthwatch Management Console and SMC.

-4-

Introduction
Compatibility
For TACACS+ authentication and authorization, make sure all users log in through the Manager. To log in to an appliance directly and use the Appliance Administration, log in locally.
The following features are not available when TACACS+ is enabled: FIPS, Compliance Mode.
Response Management
Response Management is configured in your Manager. To receive email alerts, scheduled reports, etc. make sure the user is configured as a local user on the Manager. Go to Configure > Detection > Response Management, and refer to the Help for instructions.
Failover
Please note the following information if you’ve configured your Managers as a failover pair:
l TACACS+ is only available on the primary Manager. TACACS+ is not supported on the secondary Manager.
l If TACACS+ is configured on the primary Manager, the TACACS+ user information is not available on the secondary Manager. Before you can use configured external authentication services on a secondary Manager, you need to promote the secondary Manager to primary.
l If you promote the secondary Manager to primary:
l Enable TACACS+ and remote authorization on the secondary Manager. l Any external users logged into the demoted primary Manager will be logged
out. l The secondary Manager does not retain user data from the primary Manager,
so any data saved on the primary Manager is not available on the new (promoted) primary Manager. l Once the remote user logs in to the new primary Manager for the first time, the user directories will be created and the data is saved going forward.
l Review Failover Instructions: For more information, refer to the Failover Configuration Guide.

-5-

Preparation

Preparation
You can configure TACACS+ on Cisco Identity Services Engine (ISE).
We recommend using Cisco Identity Services Engine (ISE) for centralized authentication and authorization. However, you can also deploy a standalone TACACS+ server or integrate any other compatible authentication server according to your specific requirements.
Make sure you have everything you need to start the configuration.

Requirement Cisco Identity Services Engine (ISE) TACACS+ Server Desktop Client

Details
Install and configure ISE using the instructions in the ISE documentation for your engine.
You will need the IP address, port, and shared secret key for the configuration. You will also need the Device Administration license.
You will need the IP address, port, and shared secret key for the configuration.
You will use the Desktop Client for this configuration if you want to use custom desktop roles. To install the Desktop Client, refer to the Cisco Secure Network Analytics System Configuration Guide that matches your Secure Network Analytics version.

-6-

User Roles Overview
User Roles Overview
This guide includes instructions for configuring your TACACS+ users for remote authentication and authorization. Before you start the configuration, review the details in this section to ensure you configure your users correctly.
Configuring User Names
For remote authentication and authorization, you can configure your users in ISE. For local authentication and authorization, configure your users in the Manager.
l Remote: To configure your users in ISE, follow the instructions in this configuration guide.
l Local: To configure your users locally only, log in to the Manager. From the main menu, select Configure > Global > User Management. Select Help for instructions.
Case-Sensitive User Names
When you configure remote users, enable case-sensitivity on the remote server. If you do not enable case-sensitivity on the remote server, users may not be able to access their data when they log in to Secure Network Analytics.
Duplicated User Names
Whether you configure user names remotely (in ISE) or locally (in the Manager), make sure all user names are unique. We do not recommend duplicating user names across remote servers and Secure Network Analytics.
If a user logs in to the Manager, and they have the same user name configured in Secure Network Analytics and ISE, they will only access their local Manager/Secure Network Analytics data. They cannot access their remote TACACS+ data if their user name is duplicated.
Earlier Versions
If you’ve configured TACACS+ in an earlier version of Cisco Secure Network Analytics (Stealthwatch v7.1.1 and earlier), make sure you create new users with unique names for v7.1.2 and later. We do not recommend using or duplicating the user names from earlier versions of Secure Network Analytics.
To continue using user names that were created in v7.1.1 and earlier, we recommend changing them to local only in your primary Manager and the Desktop Client. Refer to the Help for instructions.

-7-

User Roles Overview

Configuring Identity Groups and Users
For an authorized user login, you will map shell profiles to your users. For each shell profile, you can assign the Primary Admin role or create a combination of non-admin roles. If you assign the Primary Admin role to a shell profile, no additional roles are permitted. If you create a combination of non-admin roles, make sure it meets the requirements.
Primary Admin Role
Primary Admin can view all functionality and change anything. If you assign the Primary Admin role to a shell profile, no additional roles are permitted.

Role Primary Admin

Attribute Value cisco-stealthwatch-master-admin

Combination of Non-Admin Roles
If you create a combination of non-admin roles for your shell profile, make sure it includes the following:
l 1 Data role (only) l 1 or more Web role l 1 or more Desktop Client role
For details, refer to the Attribute Values table.
If you assign the Primary Admin role to a shell profile, no additional roles are permitted. If you create a combination of non-admin roles, make sure it meets the requirements.

-8-

User Roles Overview

Attribute Values
For more information about each type of role, click the link in the Required Roles column.

Required Roles 1 Data role (only)
1 or more Web role
1 or more Desktop Client role

Attribute Value
l cisco-stealthwatch-all-data-read-and-write l cisco-stealthwatch-all-data-read-only
l cisco-stealthwatch-configuration-manager l cisco-stealthwatch-power-analyst l cisco-stealthwatch-analyst
l cisco-stealthwatch-desktop-stealthwatch-power-user l cisco-stealthwatch-desktop-configuration-manager l cisco-stealthwatch-desktop-network-engineer l cisco-stealthwatch-desktop-security-analyst

Roles Summary
We’ve provided a summary of each role in the following tables. For more information about user roles in Secure Network Analytics, review the User Management page in Help.
Data Roles
Make sure you choose only one data role.

Data Role

Permissions

All Data (Read Only)

The user can view data in any domain or host group, or on any appliance or device, but cannot make any configurations.

All Data (Read & Write)

The user can view and configure data in any domain or host group, or on any appliance or device.

The specific functionality (flow search, policy management, network classification, etc.) that the user can view and/or configure is determined by the user’s web role.

-9-

User Roles Overview

Web Roles

Web Role

Permissions

Power Analyst

The Power Analyst can perform the initial investigation into traffic and flows as well as configure policies and host groups.

Configuration Manager

The Configuration Manager can view configuration-related functionality.

Analyst

The Analyst can perform the initial investigation into traffic and flows.

Desktop Client Roles

Web Role

Permissions

Configuration Manager

The Configuration Manager can view all menu items and configure all appliances, devices, and domain settings.

Network Engineer

The Network Engineer can view all traffic-related menu items within the Desktop Client, append alarm and host notes, and perform all alarm actions, except mitigation.

Security Analyst

The Security Analyst can view all security-related menu items, append alarm and host notes, and perform all alarm actions, including mitigation.

Secure Network Analytics Power User

The Secure Network Analytics Power User can view all menu items, acknowledge alarms, and append alarm and host notes, but without the ability to change anything.

– 10 –

Process Overview
Process Overview
You can configure Cisco ISE to provide TACACS+. To successfully configure TACACS+ settings and authorize TACACS+ in Secure Network Analytics, make sure you complete the following procedures:
1. Configure TACACS+ in ISE 2. Enable TACACS+ Authorization in Secure Network Analytics 3. Test Remote TACACS+ User Login

– 11 –

1. Configure TACACS+ in ISE
1. Configure TACACS+ in ISE
Use the following instructions to configure TACACS+ on ISE. This configuration enables your remote TACACS+ users on ISE to log in to Secure Network Analytics.
Before you Begin
Before you start these instructions, install and configure ISE using the instructions in the ISE documentation for your engine. This includes making sure your certificates are set up correctly.
User Names
Whether you configure user names remotely (in ISE) or locally (in the Manager), make sure all user names are unique. We do not recommend duplicating user names across remote servers and Secure Network Analytics.
Duplicated User Names: If a user logs in to the Manager, and they have the same user name configured in Secure Network Analytics and ISE, they will only access their local Manager/Secure Network Analytics data. They cannot access their remote TACACS+ data if their user name is duplicated.
Case-Sensitive User Names: When you configure remote users, enable case-sensitivity on the remote server. If you do not enable case-sensitivity on the remote server, users may not be able to access their data when they log in to Secure Network Analytics.
User Roles
For each TACACS+ profile in ISE, you can assign the Primary Admin role or create a combination of non-admin roles.
If you assign the Primary Admin role to a shell profile, no additional roles are permitted. If you create a combination of non-admin roles, make sure it meets the requirements. For more information about user roles, refer to User Roles Overview.
1. Enable Device Administration in ISE
Use the following instructions to add the TACACS+ service to ISE.
1. Log in to your ISE as an admin. 2. Select Work Centers > Device Administration > Overview.

– 12 –

1. Configure TACACS+ in ISE
If Device Administration is not shown in Work Centers, go to Administration > System > Licensing. In the Licensing section, confirm the Device Administration License is shown. If it is not shown, add the license to your account. 3. Select Deployment.
4. Select All Policy Service Nodes or Specific Nodes. 5. In the TACACS Ports field, enter 49.

6. Click Save.
2. Create TACACS+ Profiles
Use the following instructions to add TACACS+ shell profiles to ISE. You will also use these instructions to assign the required roles to the shell profile.
1. Select Work Centers > Device Administration > Policy Elements. 2. Select Results > TACACS Profiles. 3. Click Add. 4. In the Name field, enter a unique user name.
For details about user names refer to User Roles Overview.

– 13 –

1. Configure TACACS+ in ISE
5. In the Common Task Type drop-down, select Shell. 6. In the Custom Attributes section, click Add. 7. In the Type field, select Mandatory. 8. In the Name field, enter role. 9. In the Value field, enter the attribute value for Primary Admin or build a combination
of non-admin roles. l Save: Click the Check icon to save the role. l Combination of Non-Admin Roles: If you create a combination of non-admin roles, repeat steps 5 through 8 until you have added a row for each required role (Data role, Web role, and Desktop Client role).

– 14 –

1. Configure TACACS+ in ISE

Primary Admin Role
Primary Admin can view all functionality and change anything. If you assign the Primary Admin role to a shell profile, no additional roles are permitted.

Role Primary Admin

Attribute Value cisco-stealthwatch-master-admin

Combination of Non-Admin Roles
If you create a combination of non-admin roles for your shell profile, make sure it includes the following:
l 1 Data role (only): make sure you select only one data role l 1 or more Web role l 1 or more Desktop Client role

Required Roles 1 Data role (only)
1 or more Web role
1 or more Desktop Client role

If you assign the Primary Admin role to a shell profile, no additional roles are permitted. If you create a combination of non-admin roles, make sure it meets the requirements.
10. Click Save. 11. Repeat the steps in 2. Create TACACS+ Profiles to add any additional TACACS+
shell profiles to ISE.

– 15 –

1. Configure TACACS+ in ISE
Before you proceed to 3. Map Shell Profiles to Groups or Users, you need to create Users, User Identity Group (optional), and TACACS+ command sets. For instructions on how to create Users, User Identity Group, and TACACS+ command sets, refer to ISE documentation for your engine.
3. Map Shell Profiles to Groups or Users
Use the following instructions to map your shell profiles to your authorization rules.
1. Select Work Centers > Device Administration > Device Admin Policy Sets. 2. Locate your policy set name. Click the Arrow icon. 3. Locate your authorization policy. Click the Arrow icon. 4. Click the + Plus icon.

5. In the Conditions field, click the + Plus icon. Configure the policy conditions.
l User Identity Group: If you have configured a user identity group, you can create a condition such as “InternalUser.IdentityGroup”.
For example, “InternalUser.IdentityGroup EQUALS <GroupName>” to match a specific user identity group.
l Individual User: If you have configured an individual user, you can create a condition such as “InternalUser.Name”.
For example, “InternalUser.Name EQUALS <UserName>” to match a specific user.

– 16 –

1. Configure TACACS+ in ISE
Help: For Conditions Studio instructions, click the ? Help icon.
6. In the Shell Profiles field, select the shell profile you created in 2. Create TACACS+ Profiles.
7. Repeat the steps in 3. Map Shell Profiles to Groups or Users until you have mapped all shell profiles to your authorization rules.

– 17 –

1. Configure TACACS+ in ISE
4. Add Secure Network Analytics as a Network Device
1. Select Administration > Network Resources > Network Devices. 2. Select Network Devices, click +Add. 3. Complete the information for your primary Manager, including the following fields:
l Name: Enter the name of your Manager. l IP Address: Enter the Manager IP address. l Shared Secret: Enter the shared secret key. 4. Click Save. 5. Confirm the network device is saved to the Network Devices list.
6. Go to 2. Enable TACACS+ Authorization in Secure Network Analytics.

– 18 –

2. Enable TACACS+ Authorization in Secure Network Analytics

2. Enable TACACS+ Authorization in Secure Network Analytics
Use the following instructions to add the TACACS+ server to Secure Network Analytics and enable remote authorization.
Only a Primary Admin can add the TACACS+ server to Secure Network Analytics.

You can add only one TACACS+server to the TACACS+ authentication service.
1. Log in to your primary Manager. 2. From the main menu, select Configure > Global > User Management. 3. Click the Authentication and Authorization tab. 4. Click Create. Select Authentication Service. 5. Click the Authentication Service drop-down. Select TACACS+. 6. Complete the fields:

Field Authentication Service Name Description
Cache Timeout (Seconds)
Prefix

Notes
Enter a unique name to identify the server.
Enter a description which specifies how or why the server is being used.
The amount of time (in seconds) that a user name or password is considered valid before Secure Network Analytics requires re-entry of the information.
This field is optional. The prefix string is placed at the beginning of the user name when the name is sent to the RADIUS or TACACS+ server. For example, if the user name is zoe and the realm prefix is DOMAIN-

– 19 –

Suffix
Server IP Address Port Secret Key

2. Enable TACACS+ Authorization in Secure Network Analytics
A, the user name DOMAIN-Azoe is sent to the server. If you do not configure the Prefix field, only the user name is sent to the server.
This field is optional. The suffix string is placed at end of the user name. For example, if the suffix is @mydomain.com, the username zoe@mydomain.com is sent to the TACACS+ server. If you do not configure the Suffix field, only the user name is sent to the server.
Use either IPv4 or IPv6 addresses when configuring authentication services.
Enter any numbers from 0 to 65535 which correspond to the applicable port.
Enter the secret key that was configured for the applicable server.

7. Click Save. The new TACACS+ server is added, and information for the server displays.
8. Click the Actions menu for the TACACS+ server. 9. Select Enable Remote Authorization from the drop-down menu. 10. Follow the on-screen prompts to enable TACACS+.

– 20 –

3. Test Remote TACACS+ User Login
3. Test Remote TACACS+ User Login
Use the following instructions to log in to the Manager. For remote TACACS+ authorization, make sure all users log in through the Manager.
To log in to an appliance directly and use the Appliance Administration, log in locally. 1. In the address field of your browser, type the following:
https:// followed by the IP address of your Manager.
2. Enter the user name and password of a remote TACACS+ user. 3. Click Sign In.
If a user cannot log in to the Manager, review the Troubleshooting section.

– 21 –

Troubleshooting

Troubleshooting
If you encounter any of these troubleshooting scenarios, contact your administrator to review the configuration with the solutions we’ve provided here. If your admin cannot resolve the issues, please contact Cisco Support.
Scenarios

Scenario A specific TACACS+ user cannot log in
All TACACS+ users cannot log in

Notes
l Review the Audit Log for user login failure with Illegal Mappings or Invalid Combination of Roles. This can happen if the identity group shell profile includes Primary Admin and additional roles, or if the combination of non-admin roles does not meet the requirements. Refer to User Roles Overview for details.
l Make sure the TACACS+ user name is not the same as a local (Secure Network Analytics) user name. Refer to User Roles Overview for details.
l Check the TACACS+ configuration in Secure Network Analytics.
l Check the configuration on the TACACS+ server.
l Make sure the TACACS+ server is running. l Make sure the TACACS+ service is enabled in
Secure Network Analytics: l There can be multiple authentication servers defined, but only one can be enabled for authorization. Refer to 2.
Enable TACACS+ Authorization in Secure Network Analytics for details. l To enable authorization for a specific TACACS+ server, refer to 2. Enable
TACACS+ Authorization in Secure Network Analytics for details.

– 22 –

Troubleshooting

When a user logs in, they can only accesses the Manager locally

If a user exists with the same user name in Secure Network Analytics (local) and the TACACS+ server (remote), the local login overrides the remote login. Refer to User Roles Overview for details.

– 23 –

Contacting Support
Contacting Support
If you need technical support, please do one of the following: l Contact your local Cisco Partner l Contact Cisco Support l To open a case by web: http://www.cisco.com/c/en/us/support/index.html l For phone support: 1-800-553-2447 (U.S.) l For worldwide support numbers: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

– 24 –

Change History

Document Version 1_0

Published Date August 21, 2025

Change History
Description Initial version.

– 25 –

Copyright Information
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)
© 2025 Cisco Systems, Inc. and/or its affiliates. All rights reserved.

Documents / Resources

Cisco TACACS+ Secure Network Analytics [pdf] User Guide
7.5.3, TACACS Secure Network Analytics, TACACS, Secure Network Analytics, Network Analytics, Analytics

References

User Manual

Cisco TACACS+ Secure Network Analytics User Guide

TACACS+ Secure Network Analytics

Specifications

Product Information

Product Usage Instructions

Introduction

Audience

Terminology

Compatibility

Response Management

Failover

FAQ

Q: Can TACACS+ be used with Compliance Mode enabled?

Documents / Resources

References

Leave a comment

Cancel reply