SNA (Stealthwatch) – Device Administration via ISE and TACACS+

 

  • Go to Work Centers –> Device Administration –> Policy Elements

  • Click “Add” to create a new profile, set “Common Task Type” to “Shell”, and in the “Custom Attributes” section add the necessary attributes

for “Primary Admin

  • Create a TACACS+ policy: go to Work Centers –> Device Administration –> Device Admin Policy Sets

 

  • Create an authorization rule with conditions; in this case a simple condition matching the TACACS+ user named sna_admin
  • For the shell profile, select the SNA_Admins TACACS+ profile

  • Add SNA Manager to ISE as a Network device

  • Enable TACACS+ Authorization in SNA

  • Enable Remote Authorization

  • Test AAA

  • Check the ISE logs

Non-admin roles

  • Create a specific role on Stealthwatch (SNA) and define a TACACS+ profile on ISE. Importantly, for non-admin roles the shell profile has to include the following:

– 1 Data role (only): make sure you select only one data role
– 1 or more Web roles
– 1 or more Desktop Client roles

  • Add a new authorization rule on ISE and test SNA access

  • Test the analyst role assigned using ISE
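
The non-admin role requirements above (exactly one data role, at least one web role, at least one desktop client role) can be checked before a shell profile is saved in ISE. The following is an added example, not part of the original post or of Cisco's tooling. It assumes each role is entered as a custom attribute named `role`, and the role values in the catalogue are constructed placeholders, to be replaced with the role names from your SNA release.

```python
from collections import Counter

# Constructed catalogue: role value -> category. These names are placeholders,
# not SNA's real role identifiers; substitute the values from your SNA release.
ROLE_CATALOGUE = {
    "example-data-read-write": "data",
    "example-data-read-only": "data",
    "example-web-analyst": "web",
    "example-web-config-manager": "web",
    "example-desktop-security-analyst": "desktop",
}

def check_non_admin_profile(attributes, catalogue=ROLE_CATALOGUE):
    """Return a list of problems found in a non-admin shell profile.

    attributes: (name, value) pairs as entered under Custom Attributes.
    Assumption: each role is carried in an attribute named "role".
    """
    problems = []
    counts = Counter()
    for name, value in attributes:
        if name.strip().lower() != "role":
            continue  # other shell attributes are out of scope here
        category = catalogue.get(value)  # exact match, so typos are reported
        if category is None:
            problems.append(f"unknown role value: {value!r}")
        else:
            counts[category] += 1
    if counts["data"] != 1:
        problems.append(f"need exactly 1 data role, found {counts['data']}")
    if counts["web"] < 1:
        problems.append("need at least 1 web role")
    if counts["desktop"] < 1:
        problems.append("need at least 1 desktop client role")
    return problems

# Constructed sample profiles.
ANALYST = [("role", "example-data-read-only"),
           ("role", "example-web-analyst"),
           ("role", "example-desktop-security-analyst")]
BROKEN = [("role", "example-data-read-only"),
          ("role", "example-data-read-write"),   # second data role
          ("role", "example-web-analyst"),
          ("role", "example-desktop-analyst")]   # misspelled desktop role

if __name__ == "__main__":
    for label, profile in (("analyst", ANALYST), ("broken", BROKEN)):
        print(label, check_non_admin_profile(profile) or "OK")
```

A mistyped role value is reported as unknown and does not count toward its category, so one typo can also surface as a missing web or desktop client role.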