Cisco ISE Device Administration using TACACS+

In this article, I will cover network device administration using TACACS+ on Cisco’s Identity Services Engine. Along with a video demonstration, I will also list the TACACS+ configuration required on Cisco’s ASAv.


Configure the Network Device/s

In the video demonstration, I have used the ASAv as the network device I would like ISE to administer. Follow the steps below to configure the ASAv.

aaa-server TACACS+ protocol tacacs+ (creates a TACACS+ server group named TACACS+ for use with aaa)
aaa-server TACACS+ (DMZ) host 10.1.1.10 (adds ISE at 10.1.1.10 to the group; DMZ is the ASAv interface through which ISE is reached)
key Cisco123 (shared secret for that host; replace Cisco123 with your own key and enter the same value for the device in ISE)
aaa authentication enable console TACACS+ LOCAL (authenticates the enable prompt via TACACS+ with LOCAL authentication as a fallback)
aaa authentication ssh console TACACS+ LOCAL (authenticates SSH via TACACS+ with LOCAL authentication as a fallback)
aaa authentication telnet console TACACS+ LOCAL (authenticates Telnet via TACACS+ with LOCAL authentication as a fallback; Telnet is cleartext, so prefer SSH)
aaa authentication serial console TACACS+ LOCAL (authenticates the serial console via TACACS+ with LOCAL authentication as a fallback)
ciscoasa(config)# show run | include aaa (verify configuration)

Note that the LOCAL fallback only applies when the TACACS+ server group is unreachable; a login that ISE rejects is not retried against the local database.
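The shared secret entered with the key command is the only thing protecting the TACACS+ exchange between the ASAv and ISE: the packet body is XORed with an MD5-derived pad keyed on that secret, and a client can even set a flag to send the body in the clear. The following Python script, added here as an illustration and not part of the original article or of Cisco’s own code, builds and decodes a TACACS+ PAP authentication START packet per RFC 8907 so you can see what crosses the DMZ. The user name, password, port, client address and session ID are constructed sample values.

```python
"""Build and decode a TACACS+ authentication START packet (RFC 8907).

Added example for this article; not code from the page or from Cisco.
All user, password, port and address values are constructed samples.
"""
import hashlib
import struct

# Header constants (RFC 8907 section 4.1)
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_ONE = 0x1          # minor version 1 is used for PAP/CHAP
TAC_PLUS_AUTHEN = 0x01                # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01      # body is sent without obfuscation
HEADER_FMT = "!BBBBII"                # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)

# Authentication START body constants (section 5.1)
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
START_FIXED_FMT = "!BBBBBBBB"         # action, priv_lvl, authen_type, service, 4 length bytes
START_FIXED_LEN = struct.calcsize(START_FIXED_FMT)


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 chain from RFC 8907 section 4.5: pad_1 = MD5(sid|key|ver|seq), pad_n = MD5(sid|key|ver|seq|pad_n-1)."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo pad. The operation is symmetric, so it also de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user, password, port, rem_addr, session_id, key, priv_lvl=1, seq_no=1):
    """Return the wire bytes of a PAP authentication START. key=None sends the body in the clear."""
    u, pw, pt, ra = (s.encode() for s in (user, password, port, rem_addr))
    body = struct.pack(START_FIXED_FMT, TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_PAP,
                       TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(pt), len(ra), len(pw)) + u + pt + ra + pw
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_ONE
    flags = 0
    if key is None:
        flags |= TAC_PLUS_UNENCRYPTED_FLAG      # nothing hides the password in this mode
    else:
        body = obfuscate(body, session_id, key, version, seq_no)
    header = struct.pack(HEADER_FMT, version, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body))
    return header + body


def decode_authen_start(packet, key):
    """Parse a START packet the way a server holding `key` would. Returns None if it is not self-consistent."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if (version >> 4) != TAC_PLUS_MAJOR_VER or ptype != TAC_PLUS_AUTHEN:
        return None
    if len(body) != length or length < START_FIXED_LEN:
        return None
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack(START_FIXED_FMT, body[:START_FIXED_LEN])
    if START_FIXED_LEN + ul + pl + rl + dl != length:
        return None                             # a wrong key yields inconsistent field lengths
    fields, off = [], START_FIXED_LEN
    for n in (ul, pl, rl, dl):
        fields.append(body[off:off + n])
        off += n
    user, port, rem_addr, data = fields
    return {"session_id": session_id, "priv_lvl": priv_lvl, "authen_type": authen_type,
            "service": service, "user": user, "port": port, "rem_addr": rem_addr, "data": data,
            "cleartext": bool(flags & TAC_PLUS_UNENCRYPTED_FLAG)}


if __name__ == "__main__":
    # Constructed sample: an admin logging in over SSH from 10.1.1.50, key as in the ASAv config above.
    pkt = build_authen_start("netadmin", "S3cret!", "ssh", "10.1.1.50", 0x1234ABCD, b"Cisco123")
    print("on the wire:", pkt.hex())
    print("decoded with the right key:", decode_authen_start(pkt, b"Cisco123"))
    print("decoded with the wrong key:", decode_authen_start(pkt, b"wrongkey"))
```

Run with the right key, the server recovers the user name and PAP password from the body; with the wrong key the pad differs and the length fields no longer add up, which is exactly the symptom you see in ISE when the device key and the ISE shared secret disagree. Because the pad is a keyed MD5 chain and not authenticated encryption, a guessable key or an attacker on the path gives up the password, so keep ISE on a management segment (the DMZ interface in the article) rather than on the same network as the users being administered.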

Configure Cisco ISE

Navigate to: Administration >>> System >>> Deployment
As per the screenshot below, edit your node and check the box ‘Enable Device Admin Service’.

NOTE: As mentioned in the video demonstration, this is a licensed feature.


Navigate to: Administration >>> Network Resources >>> Network Devices
Add the ASAv here with its IP address, enable the TACACS+ Authentication Settings and enter the same shared secret you configured with the key command on the ASAv.

Navigate to: Work Centers >>> Device Administration >>> Policy Elements >>> (Left-hand pane) Results >>> TACACS Profiles
Create a shell profile that returns the privilege level the administrator should receive on the ASAv, for example privilege level 15 for full access.

Navigate to: Work Centers >>> Device Administration >>> Policy Elements >>> (Left-hand pane) Results >>> TACACS Command Sets
Create a command set listing the commands an administrator is permitted to run. It only takes effect once command authorization is enabled on the ASAv (see below).

Navigate to: Work Centers >>> Device Administration >>> Device Admin Policy Sets
Build a policy set that matches the ASAv, authenticates users against your identity store and, in its authorization rules, returns the TACACS profile and command set created above.

Verify Functionality

Navigate to: Operations >>> TACACS >>> Live Logs
Log in to the ASAv over SSH with a user from your identity store; a successful authentication appears here along with the TACACS profile that was returned.

Additionally, if you would like to enable command authorization, you can use the following configuration.


Note: If command authorization is implemented incorrectly, you could lock yourself out of your devices. Keep an existing session open while testing, and make sure the TACACS profile and command set in ISE already grant what you need before entering these commands.

Enabling Authorization


aaa authorization command TACACS+ LOCAL (sends every command entered by an administrator to the TACACS+ server group for authorization against the command set, with LOCAL authorization as a fallback if the server group is unreachable)

aaa authorization exec authentication-server (takes the privilege level for the management session from the TACACS profile returned by the authenticating server instead of from the local user database; if the profile returns too low a level the administrator will be denied management access)


Video Demonstration


#TACACSwithISE #CiscoISE23 #ISEprofileShells #ProfileShells #CiscoISEprofileShells #CiscoISEwithASAv #IdentityServicesEngine23 #CiscoISE23TACACS #CiscoISEDeviceAdministration #CiscoISETACACS #ISE23

©2020 by Network Wizkid