Imixholo fihla
1 Cisco TACACS+ Uhlalutyo lweNethiwekhi ekhuselekileyo
2 Intshayelelo
3 Ukulungiselela
4 Iindima zabasebenzisi ziphelileview
5 Inkqubo Iphelileview
6 Ukulungisa ingxaki
7 FAQ
8 Amaxwebhu / Izibonelelo
8.1 Iimbekiselo

Cisco-LOGO

Cisco TACACS+ Uhlalutyo lweNethiwekhi ekhuselekileyo

Cisco-TACACS+-Secure-Network-Analytics-PRODUCT

Intshayelelo

Terminal Access Controller Access-Control System (TACACS+) is a protocol that supports authentication and authorization services and allows a user to access multiple applications with one set of credentials. Use the following instructions to configure TACACS+ for Cisco Secure Network Analytics (formerly Stealth watch).

Abaphulaphuli
The intended audience for this guide includes network administrators and other personnel who are responsible for installing and configuring Secure Network Analytics products. If you prefer to work with a professional installer, please contact your local Cisco Partner or contact Cisco Support.

Isigama
This guide uses the term “appliance” for any Secure Network Analytics product, including virtual products such as the Cisco Secure Network Analytics Flow Sensor Virtual Edition. A “cluster” is your group of Secure Network Analytics appliances that are managed by the Cisco Secure Network Analytics Manager (formerly Steal thwatch Management Console or SMC).

In v7.4.0 we rebranded our Cisco Stealth watch Enterprise products to Cisco Secure Network Analytics. For a complete list, refer to the Release Notes. In this guide, you will see our former product name Stealth watch, used whenever necessary to maintain clarity, as well as terminology such as Stealth watch Management Console and SMC.

Ukuhambelana
For TACACS+ authentication and authorization, make sure all users log in through the Manager. To log in to an appliance directly and use the Appliance Administration, log in locally. The following features are not available when TACACS+ is enabled: FIPS, Compliance Mode.

Ulawulo lweeMpendulo
Ulawulo lweMpendulo luqwalaselwe kuMphathi wakho. Ukufumana izilumkiso ze-imeyile, iingxelo ezicwangcisiweyo, njl. qiniseka ukuba umsebenzisi uqwalaselwe njengomsebenzisi wendawo kuMphathi. Yiya kuLungiselelo> Ukufunyanwa> Ulawulo lweeMpendulo, kwaye ubhekisele kuNcedo lwemiyalelo.

Ukusilela
Nceda uqaphele olu lwazi lulandelayo ukuba uqwalasele Abaphathi bakho njengepere:

  • TACACS+ is only available on the primary Manager. TACACS+ is not supported on the secondary Manager.
  • If TACACS+ is configured on the primary Manager, the TACACS+ user information is not available on the secondary Manager. Before you can use configured external authentication services on a secondary Manager, you need to promote the secondary Manager to primary.
  • If you promote the secondary Manager to primary:
  • Enable TACACS+ and remote authorization on the secondary Manager.
  • Any external users logged into the demoted primary Manager will be logged out.
  • The secondary Manager does not retain user data from the primary Manager, so any data saved on the primary Manager is not available on the new (promoted) primary Manager.
  • Once the remote user logs in to the new primary Manager for the first time, the user directories will be created and the data is saved going forward.
  • Review Imiyalelo yeFailover: Ngolwazi oluthe kratya, bhekisa kwiFailover Configuration Guide.

Ukulungiselela

You can configure TACACS+ on Cisco Identity Services Engine (ISE). We recommend using Cisco Identity Services Engine (ISE) for centralized authentication and authorization. However, you can also deploy a standalone TACACS+ server or integrate any other compatible authentication server according to your specific requirements.

Qinisekisa ukuba unayo yonke into oyifunayo ukuqalisa uqwalaselo.

Imfuneko Iinkcukacha
I-Cisco Identity Services Engine (ISE) Install and configure ISE using the instructions in the ISE documentation for your engine.You will need the IP address, port, and shared secret key for the configuration. You will also need the Device Administration license.
Iseva ye-TACACS+ Uya kufuna idilesi ye-IP, izibuko, kunye nesitshixo esiyimfihlo ekwabelwana ngaso kuqwalaselo.
Umxhasi weDesktop You will use the Desktop Client for this configuration if you want to use custom desktop roles. To install the Desktop Client, refer to the Cisco Secure Network Analytics ISikhokelo soLungiselelo lweNkqubo that matches your Secure Network Analytics version.

Iindima zabasebenzisi ziphelileview

Esi sikhokelo siquka imiyalelo yokuqwalasela abasebenzisi bakho be-TACACS+ kuqinisekiso olukude kunye nogunyaziso. Ngaphambi kokuba uqalise uqwalaselo, phindaview iinkcukacha kweli candelo ukuqinisekisa ukuba uqwalasele abasebenzisi bakho ngokuchanekileyo.

Ukuqwalasela Amagama Abasebenzisi
Ukuqinisekisa okude kunye nogunyaziso, ungaqwalasela abasebenzisi bakho kwi-ISE. Ngoqinisekiso lwasekhaya kunye nogunyaziso, qwalasela abasebenzisi bakho kuMphathi.

  • Remote: To configure your users in ISE, follow the instructions in this configuration guide.
  • Local: To configure your users locally only, log in to the Manager. From the main menu, select Configure > Global > User Management. Select Help for instructions.

Amagama aSebenzisi anovakalelo
Xa uqwalasela abasebenzisi abakude, yenza uvakalelo lwemeko kwiseva ekude. Ukuba awukwenzi uvakalelo lwemeko kwiseva ekude, abasebenzisi basenokungakwazi ukufikelela kwiidatha zabo xa bengena kwi-Secure Network Analytics.

Aphindiweyo amagama abasebenzisi

  • Whether you configure user names remotely (in ISE) or locally (in the Manager), make sure all user names are unique. We do not recommend duplicating user names across remote servers and Secure  Network Analytics.
  • Ukuba umsebenzisi ungena kuMphathi, kwaye banegama elifanayo lomsebenzisi elicwangcisiweyo kwi-Secure Network Analytics kunye ne-ISE, baya kufikelela kuphela kuMphathi wabo wendawo / uKhuseleko lweData yoHlalutyi lweNethiwekhi. Abakwazi ukufikelela kwidatha yabo ekude ye-TACACS+ ukuba igama labo lomsebenzisi liphindwe kabini.

Iinguqulelo zangaphambili

  • If you’ve configured TACACS+ in an earlier version of Cisco Secure Network Analytics (Steal thwatch v7.1.1 and earlier), make sure you create new users with unique names for v7.1.2 and later. We do not recommend using or duplicating the user names from earlier versions of Secure Network Analytics.
  • Ukuqhubekeka usebenzisa amagama abasebenzisi adalwe kwi-v7.1.1 nangaphambili, sicebisa ukuba uwatshintshe ukuya kwindawo kuphela kuMphathi wakho oyintloko kunye noMxhasi weDesktop. Jonga kuNcedo ngemiyalelo.

Ukuqwalasela amaqela esazisi kunye nabasebenzisi
Ngegama lomsebenzisi ogunyazisiweyo, uya kwenza imephu yeqokobhe profiles kubasebenzisi bakho. Kwiqokobhe ngalinye profile, unokwabela indima yoLawulo oluPhambili okanye wenze udibaniso lweendima ezingezizo ezolawulo. Ukuba unikezela indima yoMlawuli oyiNtloko kwiqokobhe leprofile, akukho nxaxheba eyongezelelweyo evunyelweyo. Ukuba udala indibaniselwano yeendima ezingezizo ezolawulo, qiniseka ukuba iyahlangabezana neemfuno.

Indima yoMlawuli oPhambili
Umlawuli oyintloko unako view konke ukusebenza kunye nokutshintsha nantoni na. Ukuba unikezela indima yoMlawuli oyiNtloko kwiqokobhe leprofile, akukho nxaxheba eyongezelelweyo evunyelweyo.

Indima Ixabiso lophawu
Primary Admin cisco-stealth watch-master-admin

Indibaniselwano yeendima ezingezizo ezoLawulo
Ukuba wenza indibaniselwano yeendima ezingezizo ezolawulo kwiqokobhe lakho profile, qiniseka ukuba ibandakanya oku kulandelayo:

  • 1 Data role (only)
  • 1 okanye ngaphezulu Web indima
  • I-1 okanye ngaphezulu indima yoMxumi weDesktop

Ngeenkcukacha, jonga kwitheyibhile yophawu lweMigangatho.

Ukuba unikezela indima yoMlawuli oyiNtloko kwiqokobhe leprofile, akukho nxaxheba eyongezelelweyo evunyelweyo. Ukuba udala indibaniselwano yeendima ezingezizo ezolawulo, qiniseka ukuba iyahlangabezana neemfuno.

Iimpawu zophawu
Ukuze ufumane inkcazelo engakumbi malunga nodidi ngalunye lwendima, cofa ikhonkco elikuluhlu lweendima ezifunekayo.

Required Roles Ixabiso lophawu
1 Data role (only)
  •  cisco-stealth watch-all-data-read-and-write
  • cisco-stealth watch-all-data-read-only
1 okanye ngaphezulu Web indima
  • cisco-stealth watch-configuration-manager
  • cisco-stealth watch-power-analyst
  • cisco-stealth watch-analyst
I-1 okanye ngaphezulu indima yoMxumi weDesktop
  • cisco-stealth watch-desktop-stealth watch-power-user
  • cisco-stealth watch-desktop-configuration-manager
  • cisco-stealth watch-desktop-network-engineer
  • cisco-stealth watch-desktop-security-analyst

Iindima isishwankathelo
Sinike isishwankathelo sendima nganye kwezi theyibhile zilandelayo. Ukufumana ulwazi oluthe kratya malunga neendima zomsebenzisi kwi-Secure Network Analytics, review i Ulawulo lomsebenzisi iphepha kuNcedo.

Iindima zeDatha
Qinisekisa ukuba ukhetha indima enye kuphela idatha.

Indima yeDatha Iimvume
 

Yonke iDatha (Funda Kuphela)

 Umsebenzisi unako view data kuyo nayiphi indawo okanye iqela lenginginya, okanye kuso nasiphi na isixhobo okanye isixhobo, kodwa ayikwazi ukwenza naluphi na uqwalaselo.
 

Yonke iDatha (Funda & Bhala)

 Umsebenzisi unako view kwaye uqwalasele idatha kuyo nayiphi na indawo okanye iqela lokusingatha, okanye nakwesiphi na isixhobo okanye isixhobo.

Umsebenzi othile (ukukhangela ukuhamba, ulawulo lomgaqo-nkqubo, ukuhlelwa kwenethiwekhi, njl. njl.) anokuthi umsebenzisi angakwazi view kunye/okanye uqwalaselo lumiselwa ngumsebenzisi web indima.

Web Iindima

Web Indima Iimvume
Umhlalutyi wamandla Umhlalutyi waMandla unokwenza uphando lokuqala kwi-traffic kunye nokuhamba kunye nokuqulunqa imigaqo-nkqubo kunye namaqela abamba.
Umphathi woqwalaselo UMlawuli woqwalaselo unako view uqwalaselo olunxulumene nomsebenzi.
Umhlalutyi Umhlalutyi unokwenza uphando lokuqala kwi-traffic kunye nokuhamba.

Iindima zoMxumi kwi-Desktop

Web Indima Iimvume
Umphathi woqwalaselo UMlawuli woqwalaselo unako view zonke izinto zemenyu kwaye uqwalasele zonke izixhobo, izixhobo, kunye noseto lommandla.
INjineli yeNethiwekhi INjineli yeNethiwekhi inako view yonke imiba yemenyu enxulumene netrafikhi ngaphakathi koMthengi weDesktop, fakela i-alam kunye nengithi amanqaku, kwaye wenze zonke iintshukumo ze-alam, ngaphandle kokunciphisa.
Umhlalutyi wezoKhuseleko Umhlalutyi woKhuseleko unako view zonke izinto zemenyu enxulumene nokhuseleko, faka i-alam kunye namanqaku okusingatha, kwaye wenze zonke iintshukumo ze-alam, kuquka nokunciphisa.
Khusela uMsebenzisi waMandla woHlalutya lweNethiwekhi Umsebenzisi waMandla oKhuselekileyo woHlaziyo lweNethiwekhi unako view zonke izinto zemenyu, vuma ii-alam, kwaye udibanise i-alam kunye namanqaku okusingatha, kodwa ngaphandle kokukwazi ukutshintsha nantoni na.

Inkqubo Iphelileview

Ungaqwalasela iCisco ISE ukunika iTACACS+. Ukuqwalasela ngempumelelo useto lwe-TACACS+ kwaye ugunyazise i-TACACS+ kwi-Secure Network Analytics, qiniseka ukuba ugqibezela ezi nkqubo zilandelayo:

Configure TACACS+ in ISE
Sebenzisa le miyalelo ilandelayo ukuqwalasela i-TACACS+ kwi-ISE. Olu lungelelwaniso lwenza ukuba abasebenzisi bakho abakude be-TACACS+ kwi-ISE bangene kwi-Secure Network Analytics.

Ngaphambi kokuba Uqale
Phambi kokuba uqalise le miyalelo, faka kwaye uqwalasele i-ISE usebenzisa imiyalelo ekuxwebhu lwe-ISE lwenjini yakho. Oku kubandakanya ukuqiniseka ukuba izatifikethi zakho zimiselwe ngokuchanekileyo.

Amagama abasebenzisi

  • Nokuba uqwalasela amagama abasebenzisi ukude (kwi-ISE) okanye ekuhlaleni (kuMphathi), qinisekisa ukuba onke amagama abasebenzisi awodwa. Asikukhuthazi ukuphinda-phinda amagama abasebenzisi kuzo zonke iiseva ezikude kunye noHlalutyo oluKhuselekileyo lweNethiwekhi.
  • Duplicated User Names: If a user logs in to the Manager, and they have the same user name configured in Secure Network Analytics and ISE, they will only access their local Manager/Secure Network
  • Analytics data. They cannot access their remote TACACS+ data if their user name is duplicated.
  • Amagama oMsebenzisi aNxamnye nemeko: Xa uqwalasela abasebenzisi abakude, yenza uvakalelo lwemeko kwiseva ekude. Ukuba awukwenzi uvakalelo lwemeko kwiseva ekude, abasebenzisi basenokungakwazi ukufikelela kwiidatha zabo xa bengena kwi-Secure Network Analytics.

Iindima zabasebenzisi
Kwi-TACACS+ profile kwi-ISE, unokwabela indima yoLawulo oluPhambili okanye wenze indibaniselwano yeendima ezingezizo ezolawulo.

Ukuba unikezela indima yoMlawuli oyiNtloko kwiqokobhe leprofile, akukho nxaxheba eyongezelelweyo evunyelweyo. Ukuba udala indibaniselwano yeendima ezingezizo ezolawulo, qiniseka ukuba iyahlangabezana neemfuno. Ngolwazi oluthe vetshe malunga neendima zabasebenzisi, jonga kwi- User Roles Overview.

Enable Device Administration in ISE
Sebenzisa le miyalelo ilandelayo ukongeza inkonzo ye-TACACS+ kwi-ISE.

  1. Log in to your ISE as an admin.
  2. Select Work Centers > Device Administration > Overview.
    If Device Administration is not shown in Work Centers, go to Administration System > Licensing. In the Licensing section, confirm the Device Administration License is shown. If it is not shown, add the license to your account.
  3.  Select Deployment.Cisco-TACACS+-Secure-Network-Analytics- (1)
  4. Select All Policy Service Nodes or Specific Nodes.
  5. In the TACACS Ports field, enter 49. Cisco-TACACS+-Secure-Network-Analytics- (2)
  6. Cofa Gcina.

 Create TACACS+ Profiles
Sebenzisa le miyalelo ilandelayo ukongeza i-TACACS+ iqokobhe leprofiles ukuya ISE. Uya kusebenzisa le miyalelo ukwabela iindima ezifunekayo kwiqokobhe profile.

  1. Select Work Centers > Device Administration > Policy Elements.
  2. Select Results > TACACS Profiles.
  3. Cofa Yongeza.
  4. In the Name field, enter a unique user name.
    Ukufumana iinkcukacha malunga namagama abasebenzisi bhekisa kwiiNdima zoMsebenzisi ngaphezuluview. Cisco-TACACS+-Secure-Network-Analytics- (3)
  5. In the Common Task Type drop-down, select Shell.
  6. In the Custom Attributes section, click Add.
  7. In the Type field, select Mandatory.
  8. In the Name field, enter role.
  9. In the Value field, enter the attribute value for Primary Admin or build a combination of non-admin roles.
    • Save: Click the Check icon to save the role.
    • Combination of Non-Admin Roles: If you create a combination of non-admin roles, repeat steps 5 through 8 until you have added a row for each required role (Data role, Web indima, kunye nendima yoMthengi weDesktop).

Cisco-TACACS+-Secure-Network-Analytics- (4)

Indima yoMlawuli oPhambili
Umlawuli oyintloko unako view konke ukusebenza kunye nokutshintsha nantoni na. Ukuba unikezela indima yoMlawuli oyiNtloko kwiqokobhe leprofile, akukho nxaxheba eyongezelelweyo evunyelweyo.

Indima Ixabiso lophawu
Primary Admin cisco-stealth watch-master-admin

Indibaniselwano yeendima ezingezizo ezoLawulo

Ukuba wenza indibaniselwano yeendima ezingezizo ezolawulo kwiqokobhe lakho profile, qiniseka ukuba ibandakanya oku kulandelayo:

  • 1 Data role (only): make sure you select only one data role
  • 1 okanye ngaphezulu Web indima
  • I-1 okanye ngaphezulu indima yoMxumi weDesktop
Required Roles Ixabiso lophawu
 

1 Data role (only)
  • cisco-stealth watch-all-data-read-and-write
  • cisco-stealth watch-all-data-read-only
 

1 okanye ngaphezulu Web indima
  • cisco-stealth watch-configuration-manager
  • cisco-stealth watch-power-analyst
  • cisco-stealth watch-analyst
 

I-1 okanye ngaphezulu indima yoMxumi weDesktop
  • cisco-stealth watch-desktop-stealth watch-power-user
  • cisco-stealth watch-desktop-configuration-manager
  • cisco-stealth watch-desktop-network-engineer
  • cisco-stealth watch-desktop-security-analyst

Ukuba unikezela indima yoMlawuli oyiNtloko kwiqokobhe leprofile, akukho nxaxheba eyongezelelweyo evunyelweyo. Ukuba udala indibaniselwano yeendima ezingezizo ezolawulo, qiniseka ukuba iyahlangabezana neemfuno.

Cofa Gcina.

  1. Repeat the steps in 2. Create TACACS+ Profiles to add any additional TACACS+ shell profiles ukuya ISE.

Phambi kokuba uqhubekele ku-3. Imephu yeShell Profiles ukuya kuMaqela okanye Abasebenzisi, kufuneka udale Abasebenzisi, Iqela leSazisi soMsebenzisi (ukhetho), kunye ne-TACACS+ iiseti zomyalelo. Ukufumana imiyalelo malunga nendlela yokwenza abasebenzisi, iQela leSazisi soMsebenzisi, kunye ne-TACACS+ iiseti zomyalelo, bhekisa kuxwebhu lwe-ISE lwenjini yakho.

 Map Shell Profiles ukuya kumaQela okanye Abasebenzisi
Sebenzisa le miyalelo ilandelayo ukwenza imephu yepro yakho yeqokobhefiles kwimithetho yakho yogunyaziso.

  1. Select Work Centers > Device Administration > Device Admin Policy Sets.
  2. Locate your policy set name. Click the Cisco-TACACS+-Secure-Network-Analytics- (5)Arrow icon.
  3. Locate your authorization policy. Click theCisco-TACACS+-Secure-Network-Analytics- (5)Arrow icon.
  4. Click the + Plus icon.Cisco-TACACS+-Secure-Network-Analytics- (6)
  5. In the Conditions field, click the + Plus icon. Configure the policy conditions.
    • User Identity Group: If you have configured a user identity group, you can create a condition such as “Internal User.Identity Group”.
      Umzekeloample, “Internal User. Identity Group EQUALS <Group Name>” to match a specific user identity group.
    • Individual User: If you have configured an individual user, you can create a condition such as “Internal User. Name”.
      Umzekeloample, “Internal User. Name EQUALS <User Name>” to match a specific user.
      Help: For Conditions Studio instructions, click the ? Help icon.
  6. In the Shell Profiles indawo, khetha iqokobhe profile udale kwi-2. Yenza i-TACACS + Profiles.
  7. Repeat the steps in 3. Map Shell Profiles kuMaqela okanye Abasebenzisi ude ube wenze imephu yeqokobhe lonke profiles kwimithetho yakho yogunyaziso.

Add Secure Network Analytics as a Network Device

  1. Select Administration > Network Resources > Network Devices.
  2. Select Network Devices, click +Add.
  3. Complete the information for your primary Manager, including the following fields:
    • Name: Enter the name of your Manager.
    • IP Address: Enter the Manager IP address.
    • Shared Secret: Enter the shared secret key.
  4. Cofa Gcina.
  5. Confirm the network device is saved to the Network Devices list.Cisco-TACACS+-Secure-Network-Analytics- (7)
  6. Go to 2. Enable TACACS+ Authorization in Secure Network Analytics.

Enable TACACS+ Authorization in Secure

Uhlalutyo lwenethiwekhi
Sebenzisa le miyalelo ilandelayo ukongeza iseva ye-TACACS+ kwi-Secure Network Analytics kwaye uvule ugunyaziso olukude.
Kuphela nguMlawuli oyiNtloko onokongeza iseva ye-TACACS+ kwi-Secure Network Analytics.
Unokongeza kuphela i-TACACS+server enye kwi-TACACS+ inkonzo yoqinisekiso.

  1. Ngena kuMphathi wakho ophambili.
  2. From the main menu, select Configure > Global > User Management.
  3. Click the Authentication and Authorization tab.
  4. Click Create. Select Authentication Service.
  5. Click the Authentication Service drop-down. Select TACACS+.
  6. Complete the fields:
    Intsimi Amanqaku
    Authentication Service
    Igama Ngenisa igama elilodwa ukuchonga umncedisi.
    Inkcazo Ngenisa inkcazo echaza ukuba iseva isetyenziswa njani okanye kutheni.
    Ixesha leCache (imizuzwana) Ubungakanani bexesha (ngemizuzwana) ukuba igama lomsebenzisi okanye igama lokugqitha lithathwa njengelisemthethweni phambi kokuba i-Secure Network Analytics ifune ukungena kwakhona kolwazi.
    Isimaphambili Lo mmandla uyakhethwa. Umtya wesimaphambili ubekwe ekuqaleni kwegama lomsebenzisi xa igama lithunyelwa kwi-RADIUS okanye kwi-TACACS+ iseva. Umzekeloample, if the user name is zoe and the realm prefix is DOMAIN-
    A\, the user name DOMAIN-A\zoe is sent to the server. If you do not configure the Prefix field, only the user name is sent to the server.
    Isimamva Lo mmandla uyakhethwa. Umtya wesimamva ubekwe ekupheleni kwegama lomsebenzisi. Umzekeloample, if the suffix is  mydomain.com, the username zoe@mydomain.com is sent to the TACACS+ server. If you do not configure the Suffix field, only the user name is sent to the server.
    Iseva
    Idilesi yeIP Sebenzisa nokuba yi IPv4 okanye IPv6 iidilesi xa uqwalasela iinkonzo zoqinisekiso.
    Izibuko Faka nawaphi na amanani ukusuka kwi-0 ukuya kwi-65535 ehambelana ne-port esebenzayo.
    Isitshixo esiyimfihlo Ngenisa iqhosha eliyimfihlo elilungiselelwe iseva esebenzayo.
  7.  Cofa Gcina.
    The new TACACS+ server is added, and information for the server displays.
  8.  Click the Actions menu for the TACACS+ server.
  9. Select Enable Remote Authorization from the drop-down menu.
  10. Follow the on-screen prompts to enable TACACS+.

Test Remote TACACS+ User Login
Sebenzisa le miyalelo ilandelayo ukungena kuMphathi. Ngogunyaziso olukude lwe-TACACS+, qiniseka ukuba bonke abasebenzisi bangena ngoMphathi.

To log in to an appliance directly and use the Appliance Administration, log in locally.

  1. In the address field of your browser, type the following: https://followed by the IP address of your Manager.
  2. Enter the user name and password of a remote TACACS+ user.
  3. Ukuba umsebenzisi akakwazi ukungena kuMphathi, phindaview icandelo leNgxaki.

Ukulungisa ingxaki

Ukuba udibana nayo nayiphi na kwezi meko zokusombulula ingxaki, qhagamshelana nomlawuli wakho ukuze uphindeview uqwalaselo kunye nezisombululo esizinike apha. Ukuba umlawuli wakho akakwazi ukusombulula imiba, nceda uqhagamshelane Cisco Support.

Iimeko

Imeko Amanqaku
A specific TACACS+ user cannot log in
  •  Review the Audit Log for user login failure with Illegal Mappings or Ayisebenzi Combination of Roles. This can happen if the identity group shell profile includes Primary Admin and additional roles, or if the combination of non-admin roles does not meet the requirements. Refer to Iindima zabasebenzisi Ngaphezuluview ngeenkcukacha.
  •  Make sure the TACACS+ user name is not the same as a local (Secure Network Analytics) user name. Refer to Iindima zabasebenzisi ziphelileview ngeenkcukacha.
Bonke abasebenzisi be-TACACS+ abanakungena
  •  Check the TACACS+ configuration in Secure Network Analytics.
  •  Check the configuration on the TACACS+ server.
  •  Make sure the TACACS+ server is running.
  •  Make sure the TACACS+ service is enabled in Secure Network Analytics:
  •  There can be multiple authentication servers defined, but only one can be enabled for authorization. Refer to 2. Enable TACACS+ Authorization in Uhlalutyo lweNethiwekhi ekhuselekileyo ngeenkcukacha.
  •  To enable authorization for a specific TACACS+ server, refer to 2. Yenza TACACS+ Authorization in Secure Uhlalutyo lwenethiwekhi ngeenkcukacha.
 

Xa umsebenzisi eloga ngaphakathi, banokufikelela kuphela kuMphathi wasekhaya

 If a user exists with the same user name in Secure Network Analytics (local) and the TACACS+ server (remote), the local login overrides the remote login. Refer to Iindima zabasebenzisi ziphelileview ngeenkcukacha.

Ukuqhagamshelana neNkxaso
Ukuba ufuna inkxaso yobugcisa, nceda wenze enye yezi zilandelayo:

Guqula iMbali

Inguqulelo yoXwebhu Umhla wokuPapashwa Inkcazo
1_0 Nge-21 ka-Agasti 2025 Inguqulelo yokuqala.

Ulwazi lwelungelo lokushicilela
I-Cisco kunye ne-logo yeCisco ziimpawu zorhwebo okanye iimpawu zorhwebo ezibhalisiweyo zeCisco kunye/okanye namahlakani ayo e-US nakwamanye amazwe. Ukuya view uluhlu lweempawu zorhwebo zeCisco, yiya kule URL: https://www.cisco.com/go/trademarks. Iimpawu zokuthengisa zomntu wesithathu ezikhankanyiweyo ziyipropathi yabanini bazo. Ukusetyenziswa kwegama elithi iqabane akuthethi ukuba ubudlelwane phakathi kweCisco kunye nayo nayiphi na enye inkampani. (1721R)

© 2025 Cisco Systems, Inc. kunye/okanye namahlakani ayo. Onke Amalungelo Agciniwe.

FAQ

Can TACACS+ be used with Compliance Mode enabled?

No, TACACS+ authentication and authorization do not support Compliance Mode. Ensure Compliance Mode is disabled when using TACACS+.

Amaxwebhu / Izibonelelo

Cisco TACACS+ Uhlalutyo lweNethiwekhi ekhuselekileyo [pdf] Isikhokelo somsebenzisi
7.5.3, i-TACACS i-Secure Network Analytics, i-TACACS, i-Network ekhuselekileyo, i-Network Analytics, i-Analytics

Iimbekiselo

Shiya uluvo

Idilesi yakho ye-imeyile ayizupapashwa. Iindawo ezifunekayo ziphawulwe *