Summary: ISE Device Administration persona acts as a TACACS+ server for network device admin access, enabling policy-based authentication, per-command authorisation, and command-level accounting.
ISE supports two access control use cases:
Enable the Device Admin persona in ISE: Administration → System → Deployment → Edit node → Enable Device Admin Service.
Every device that authenticates against ISE must be registered as a Network Device.
The shared secret must match the key configured on the IOS-XE device.
Policy sets define authentication and authorisation rules for device admin access. Navigate to Work Centers → Device Administration → Policy Sets.
Within a policy set, the authentication policy specifies which identity store to check:
Condition: Device Type = Cisco IOS
Authentication: Active Directory (primary), Internal Users (fallback)
Authorisation policies map user/group conditions to Shell Profiles and Command Sets:
Condition: AD Group = Network-Admins
Shell Profile: Full-Access-Shell
Command Set: Permit-All-Commands
Condition: AD Group = NOC-Read-Only
Shell Profile: ReadOnly-Shell
Command Set: Show-Commands-Only
Shell profiles define the EXEC session privileges assigned after login.
Create under Work Centers → Device Administration → Policy Elements → Results → Shell Profiles:
| Setting | Description |
|---|---|
| Default Privilege | Privilege level at login (0–15) |
| Maximum Privilege | Maximum privilege user can elevate to |
| Session Idle Timeout | Auto-logout after inactivity |
Example — full admin shell:
Name: Full-Access-Shell
Default Privilege: 15
Maximum Privilege: 15
Example — read-only shell:
Name: ReadOnly-Shell
Default Privilege: 1
Maximum Privilege: 1
Command sets specify which IOS-XE commands are permitted or denied.
Create under Work Centers → Device Administration → Policy Elements → Results → Command Sets:
Use `.*` as a wildcard to match any argument.
Example — read-only:
Name: Show-Commands-Only
Permit: show .*
Deny: configure .*
Deny: reload .*
Deny: no .*
If no match: Deny
Example — full access:
Name: Permit-All-Commands
Permit: .*
If no match: Permit
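To see how the two command sets above decide on concrete IOS-XE command lines, here is an added Python evaluator (not ISE's code or the page's own). It assumes the rule's first word is the command token and the remainder is an argument regex, both matched whole and case-insensitively, that rules are tried in listed order with first match winning, and that the "If no match" value is the fallback.

```python
import re
from dataclasses import dataclass


@dataclass
class Rule:
    grant: str       # "Permit" or "Deny"
    command: str     # first word of the rule, matched whole (regex allowed, e.g. ".*")
    arg_regex: str   # regex matched against the rest of the command line


def parse_command_set(text):
    """Parse the page's 'Name / Permit / Deny / If no match' notation (assumed format)."""
    name, rules, default = None, [], "Deny"
    for line in text.strip().splitlines():
        key, _, value = (part.strip() for part in line.partition(":"))
        if key == "Name":
            name = value
        elif key in ("Permit", "Deny"):
            cmd, _, args = value.partition(" ")
            rules.append(Rule(key, cmd, args.strip() or ".*"))  # bare command => any args
        elif key == "If no match":
            default = value
    return name, rules, default


def authorize(command_set, command_line):
    """Return 'Permit' or 'Deny' for one command line; first matching rule wins (assumption)."""
    _, rules, default = command_set
    cmd, _, args = command_line.strip().partition(" ")
    for rule in rules:
        if re.fullmatch(rule.command, cmd, re.I) and re.fullmatch(rule.arg_regex, args.strip(), re.I):
            return rule.grant
    return default


# The two command sets exactly as defined on this page.
SHOW_COMMANDS_ONLY = parse_command_set("""
Name: Show-Commands-Only
Permit: show .*
Deny: configure .*
Deny: reload .*
Deny: no .*
If no match: Deny
""")
PERMIT_ALL_COMMANDS = parse_command_set("""
Name: Permit-All-Commands
Permit: .*
If no match: Permit
""")

if __name__ == "__main__":
    # Constructed sample session: what a NOC-Read-Only user might type.
    for line in ["show running-config", "configure terminal", "reload", "no ip domain lookup", "write memory"]:
        print(f"{line:28} -> {authorize(SHOW_COMMANDS_ONLY, line)}")
```

Note that "reload" with no arguments is still caught by `reload .*`, while a command the set never names (such as `write memory`) falls through to the "If no match" default, which is why the read-only set defaults to Deny. IOS-XE only sends a TACACS+ command-authorisation request for privilege levels that have an `aaa authorization commands <level>` line, so a level-1 read-only shell needs `aaa authorization commands 1 ...` configured (and applied on the VTY line) for this command set to be consulted at all.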
IOS-XE TACACS+ client configuration (`aaa new-model` must be enabled before the AAA server group and method lists can be defined):
```
aaa new-model
tacacs server ISE-PRIMARY
 address ipv4 10.10.10.100
 key S3cur3T4c4cs!
 timeout 5
aaa group server tacacs+ ISE_SERVERS
 server name ISE-PRIMARY
aaa authentication login default group ISE_SERVERS local
aaa authorization exec default group ISE_SERVERS local
aaa authorization commands 15 default group ISE_SERVERS local if-authenticated
aaa accounting exec default start-stop group ISE_SERVERS
aaa accounting commands 15 default start-stop group ISE_SERVERS
line vty 0 15
 login authentication default
 authorization exec default
 authorization commands 15 default
 transport input ssh
```
From IOS-XE:
```
test aaa group ISE_SERVERS admin MyPassword legacy
```
Expected:
```
Attempting authentication test to server-group ISE_SERVERS using tacacs+
User was successfully authenticated.
```
show tacacs
show aaa servers
show aaa sessions
Monitor live TACACS+ authentication in ISE: Operations → TACACS → Live Logs
Server unreachable:
ping 10.10.10.100 source <mgmt-interface>
show tacacs
Verify UDP/TCP 49 is permitted from device management IP to ISE.
Authentication rejected:
Authorisation denied: