Stealtwatch admin access via Tacacs+ protocol is quite easy in configuration. Below short instruction how you to create full access for administrators.

  • Configure Stealthwatch SMC as a tacacs+ client(NAD) in ISE


  • Configure Tacacs Profiles for StealthWatch roles (in our case full access)




  • Create policy sets for StealtWatch access


Our rules are very simple. In auth user verification in domain, in authz if authentication passed then assign SW primary Admin profile.


  • Configure TACACS+ in StealthWatch

Go to Global Settings – User Management – Authentication and Authorization TAB and create Tacacs server


Select Protocol to tacacs+ , add server IP(s) and click “Add” and next “Save”.



Enable Tacacs AAA in SW (Enable Remote Authorization).


  • Test Access to SW using user(s) authenticated via ISE, in my case AD user.

view from SW

View from ISE

and below role assigned to our tacacs+ user

  • Prefix and Suffix

StealtWatch has inbuilt 2 options to automatically add domain prefix or suffix.

The difference between thouse is the following:

– when we specify prefix,eg. “Danpol\” and user is logging into SW then system is adding¬† “Danpol\” domain automatically to username.


– when we specify prefix,eg. “@danpol.local”¬† and user is logging into SW, then system is adding Danpol domain automatically to username.


Please note, the same results we can achieve typing domain\username or username@domain in log on screen.