Configure TACACS+ Authentication on Arista Switch with ISE

Introduction

This document describes how to integrate Cisco ISE TACACS+ with an Arista switch for centralized AAA of administrator access.

Prerequisites

Cisco recommends that you have knowledge of these topics:

• Cisco ISE and TACACS+ protocol.
• Arista switches

Components Used

The information in this document is based on these software and hardware versions:

• Arista switch Software image version: 4.33.2F
• Cisco Identity Services Engine (ISE) version 3.3 Patch 4

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command

Network Diagram

Configurations

TACACS+ Configuration on ISE

Step 1. The initial step is to verify whether Cisco ISE has the necessary capabilities to handle TACACS+ authentication. To do this, confirm that the desired Policy Service Node (PSN) has the Device Admin Service feature enabled.

Navigate to Administration > System > Deployment, select the appropriate node where ISE processes TACACS+ authentication, and click Edit to review its configuration.

Step 2. Scroll down to locate the Device Administration Service feature. Note that enabling this feature requires the Policy Service persona to be active on the node, along with available TACACS+ licenses in the deployment.

Select the checkbox to enable the feature, then save the configuration.

Step 3. Obtaining the Arista Network Device Profile for Cisco ISE.

The Cisco Community has shared a dedicated NAD profile for Arista devices. This profile, along with the necessary dictionary files, can be found in the article Arista CloudVision WiFi Dictionary and NAD Profile for ISE Integration. Downloading and importing this profile into your ISE setup facilitates smoother integration.​

Steps to Import the Arista NAD Profile into Cisco ISE:

1. Download the Profile:
• Obtain the Arista NAD profile from the Cisco Community link provided above.​Cisco Community
2. Access Cisco ISE:
• Log in to your Cisco ISE administrative console.​
3. Import the NAD Profile:
• Navigate to Administration > Network Resources > Network Device Profiles.​
• Click on the Import button.​
• Upload the downloaded Arista NAD profile file.

After the upload is complete, navigate to the Edit option and enable TACACS+ as a supported protocol.

Step 2: Add Arista Switch as a Network Device.

1. Navigate to Administration > Network Resources > Network Devices> +Add:

2.Click Add and enter these details:

• IP Address: <Switch-IP>
• Device Type: Choose Other Wired
• Network Device Profile: select AirstaCloudVisionWiFi.
• RADIUS Authentication Settings:
  • Enable RADIUS Authentication.
  • Enter the Shared Secret (must match switch configuration).

3. Click Save:

Step 3. Validate the new device is shown under Network Devices:

Step 4. Configure the TACACS profile.

Create a TACACS profile, navigate to the menu Work Centers > Device Administration > Policy Elements > Results > TACACS Profiles, then select Add:

Enter a Name, select the Default Privilege checkbox, and set the value to 15. Additionally, select Maximum Privilege, set its value to 15, and click Submit:

Step 5. Create a Device Admin Policy Set to be used for your Arista Switch, navigate to the menu Work Centers > Device Administration > Device Admin Policy Sets, then from an existent policy set select the gear icon to then select Insert new row above.

Step 6. Name this new Policy Set, add conditions depending upon the characteristics of the TACACS+ authentications that is ongoing from the Arista switch, and select as Allowed Protocols > Default Device Admin, save your configuration.

Step 7. Select in the > view option, then in the Authentication Policy section, select the external identity source that Cisco ISE uses to query the username and credentials for authentication on the Arista switch. In this example, the credentials correspond to Internal Users stored within ISE.

Step 8. Scroll down until the section named Authorization Policy to Default policy, select the gear icon, and then insert one rule above.

Step 9. Name the new Authorization Rule, add conditions concerning the user that is authenticated already as group membership, and in the Shell Profiles section add the TACACS profile that you configured previously, save the configuration.

Configure Arista Switch

Step 1. Enable TACACS+ Authentication

Log into the Arista switch and enter configuration mode:

configure

!

tacacs-server host <ISE-IP> key <TACACS-SECRET>

!

aaa group server tacacs+ ISE_TACACS

   server <ISE-IP>

!

aaa authentication login default group ISE_TACACS local

aaa authorization exec default group ISE_TACACS local

aaa accounting commands 15 default start-stop group ISE_TACACS

!

End

Step 2. Save the Configuration

To persist the configuration across reboots:

# write memory

OR

# copy running-config startup-config

Verify

ISE Review 

Step 1. Review if the TACACS+ serviceability is running, this can be checked in:

• GUI: Review if you have the node listed with the service DEVICE ADMIN in > System > Deployment.
• CLI: Run the command show ports | include 49 to confirm that there are connections in the TCP port that belong to TACACS+

Step 2. Confirm if there are livelogs concerning TACACS+ authentications attemps : this can be checked in the menu Operations > TACACS > Live logs, 

Depending upon the failure reason you can adjust your configuration or address the cause of failure. 

Step 3. In case you don’t see any livelog, proceed to take a packet capture. Navigate to the menu Operations > Troubleshoot  > Diagnostic Tools >  General Tools > TCP Dump , select Add:

Step 4. Enable the component runtime-AAA in debug within the PSN from where the authentication is being performed in Operations > Troubleshoot > Debug Wizard > Debug log configuration, select PSN node, then select the Edit button:

Identify the runtime-AAA component, set its logging level to debug, reproduce the issue, and analyse the logs for further investigation.

Troubleshooting

Problem 1

TACACS+ authentication between the Cisco ISE and the Arista switch (or any network device) fails with the error message:

"13036 Selected Shell Profile is DenyAccess"

The error "13036 Selected Shell Profile is DenyAccess" in Cisco ISE typically means that during a TACACS+ device administration attempt, the authorization policy matched a shell profile set to DenyAccess.This is not usually a result of a misconfigured shell profile itself, but rather indicates that none of the configured authorization rules matched the incoming user attributes (such as group membership, device type, or location). As a result, ISE falls back to a default rule or an explicit deny rule, resulting in the access being denied.

Possible Causes

• Review the authorization policy rules in ISE. Confirm that the user or device is matching the correct rule that assigns the intended shell profile, such as one that permits appropriate access.
• Ensure that the AD or internal user group mapping is correct and that the policy conditions, such as user group membership, device type, and protocol, are accurately specified.
• Use ISE live logs and details of the failed attempt to see exactly which rule is matched and why.

Problem 2

TACACS+ authentication between the Cisco ISE and the Arista Switch (or any network device) fails with the error message:

"13017 Received TACACS+ packet from unknown Network Device or AAA Client"

Possible Causes

• The most common reason is that the IP address of the switch is not added as a Network Device in ISE (under Administration > Network Resources > Network Devices).
• Ensure the IP address or range matches exactly the source IP being used by the Arista switch to send TACACS+ packets.
• If your switch uses a management interface, verify that its exact IP (not just a subnet/range) is added in ISE.

Solution

• Go to Administration > Network Resources > Network Devices in the ISE GUI.
• Verify if the exact source IP address on the Arista switch is using for TACACS+ communication (most often the management interface IP).
• Specify the shared secret (it must match what is set on the Arista switch).