SNA (Stealthwatch) – Device Administration via ISE and Tacacs+
- Go to Work Centers –> Device Administration –> Policy Elements (Results –> TACACS Profiles).
- Click "Add" to create a new TACACS profile (for example SNA_Admins), set "Common Task Type" to "Shell", and in the "Custom Attributes" section add the attributes SNA requires for "Primary Admin".
- Create the TACACS+ policy: go to Work Centers –> Device Administration –> Device Admin Policy Sets.
- Add an authorization rule with a matching condition; the simplest condition is the TACACS+ username, here sna_admin.
- As the shell profile for that rule, select the SNA_Admins TACACS profile.
- Add the SNA Manager to ISE as a Network Device (with TACACS+ enabled and the shared secret).
- On the SNA Manager, enable TACACS+ authorization.
- Enable Remote Authorization.
- Test AAA (log in to SNA as sna_admin).
- Check the ISE TACACS+ live logs to confirm that authentication passed and the expected shell profile was applied.
Non-admin roles
- Create the specific role on Stealthwatch (SNA) and define a matching TACACS profile on ISE. For a non-admin shell profile the attributes must include:
– exactly 1 Data role (select only one data role)
– 1 or more Web roles
– 1 or more Desktop Client roles
- Add a new authorization rule on ISE for that user (or group) and test SNA access.
- Test that the analyst role assigned via ISE is actually applied at login.
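The role-composition rule above (exactly one data role, at least one web role, at least one desktop client role) is easy to get wrong when a profile is copied or edited by hand, and the only symptom is a failed or unexpected SNA login. The script below is an added example (not Cisco's code and not part of the original notes) that checks a set of TACACS+ authorization attributes, as returned from an ISE shell profile, against that rule before you test the login. The attribute names dataRoleName, webRoleName and desktopClientRoleName are assumed for illustration; use the names documented for your SNA release. The two profiles inside the script are constructed sample input, one valid analyst profile and one broken profile.

```python
"""Check SNA role attributes from an ISE TACACS+ shell profile.

Added example, not Cisco's or the page's own code. The attribute names below
are assumed for illustration; verify them against your SNA release's
TACACS+ documentation.
"""
from typing import Dict, Iterable, List, Tuple

# Assumed (hypothetical) attribute names, as they would appear as key=value
# pairs in the TACACS+ authorization reply built from the ISE shell profile.
DATA_ROLE = "dataRoleName"
WEB_ROLE = "webRoleName"
DESKTOP_ROLE = "desktopClientRoleName"

# Constructed sample: a non-admin analyst profile that follows the rule.
ANALYST_PROFILE = [
    "dataRoleName=All Data",
    "webRoleName=Analyst",
    "desktopClientRoleName=Analyst",
]

# Constructed sample: two data roles and no desktop client role.
BROKEN_PROFILE = [
    "dataRoleName=All Data",
    "dataRoleName=Internal Hosts",
    "webRoleName=Analyst",
]


def parse_av_pairs(pairs: Iterable[str]) -> Dict[str, List[str]]:
    """Group TACACS+ attribute-value pairs by attribute name.

    TACACS+ separates mandatory arguments with '=' and optional ones with '*';
    both forms are accepted here and the first separator found wins.
    """
    grouped: Dict[str, List[str]] = {}
    for pair in pairs:
        positions = [i for i in (pair.find("="), pair.find("*")) if i >= 0]
        if not positions:
            raise ValueError(f"malformed attribute (no separator): {pair!r}")
        sep = min(positions)
        key, value = pair[:sep], pair[sep + 1:]
        grouped.setdefault(key, []).append(value)
    return grouped


def check_non_admin_profile(pairs: Iterable[str]) -> Tuple[bool, List[str]]:
    """Apply the rule: exactly one data role, >=1 web role, >=1 desktop role.

    Returns (ok, problems); problems is empty when the profile is valid.
    """
    attrs = parse_av_pairs(pairs)
    problems: List[str] = []
    n_data = len(attrs.get(DATA_ROLE, []))
    if n_data != 1:
        problems.append(f"expected exactly 1 {DATA_ROLE}, got {n_data}")
    if not attrs.get(WEB_ROLE):
        problems.append(f"at least one {WEB_ROLE} is required")
    if not attrs.get(DESKTOP_ROLE):
        problems.append(f"at least one {DESKTOP_ROLE} is required")
    return (not problems, problems)


if __name__ == "__main__":
    for name, profile in (("analyst", ANALYST_PROFILE), ("broken", BROKEN_PROFILE)):
        ok, problems = check_non_admin_profile(profile)
        status = "OK" if ok else "INVALID"
        print(f"{name}: {status}")
        for p in problems:
            print(f"  - {p}")
```

Run it before testing the login; if a profile reports INVALID, fix the shell profile in ISE rather than chasing the symptom in the SNA or ISE logs.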