Configure Time-Based TACACS+ Access for Network Devices with ISE

Introduction

This document describes how to configure the Time and Date based authorization for Device Admin policy in Cisco Identity Services Engine (ISE).

Prerequisites

Requirements

Cisco recommends that you have knowledge of the Tacacs Protocol and Identity Services Engine (ISE) configuration.

Components Used

The information in this document is based on these software and hardware versions:

• Cisco Catalyst 9300 switch with softwareCisco IOS® XE 17.12.5 and later
• Cisco ISE, Release 3.3 and later

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

Background Information

Authorization policies are a key component of Cisco Identity Services Engine (ISE), enabling you to define rules and configure authorization profiles for specific users or groups accessing network resources. These policies evaluate conditions to determine which profile to apply. When the conditions of a rule are met, the corresponding authorization profile is returned, granting appropriate network access.

Cisco ISE also supports Time and Date Conditions, which allow policies to be enforced only during specified times or days. This is particularly useful for applying access controls based on time-based business requirements.

This document outlines the configuration to allow TACACS+ administrative access to network devices only during business hours (Monday to Friday, 08:00–17:00) and to deny access outside of this time window.

Configure

Network Diagram

Configure ISE

Step 1: Create Time and Date Condition

Navigate to Policy > Policy Elements > Conditions > Time and Date, click Add.

Condition Name: Business Hours

Set the Time Range Standard Settings > Specific Hours : 09:00 AM - 06:00 PM 

Specific Days: Monday to Friday

Step 2: Create a TACACS+ Command Set

Navigate to Work Centers > Device Administration > Policy Elements > Results > Tacacs Command Sets.

Create a command set by choosing the Permit any command that is not listed below checkbox and click Submit or add the Limited Commands if you want to restrict certain CLI commands.

Step 3: Create a TACACS+ Profile

Navigate to Work Centers > Device Administration > Policy Elements > Results > TACACS Profiles. Click Add.

Select Command Task Type as Shell, then Default Privilege checkbox and enter the value of 15. Click Submit.

Step 4:  Create TACACS Authorization Policy

Navigate to Work Centers > Device Administration > Device Admin Policy Sets.

Select your active Policy Set.

Configure the Authentication Policy based on the Internal or Active Directory users.

Under the Authorization Policy section, click Add Rule to provide the Rule Name and then Click + for adding authorization conditions.

A new Condition Studio window appears, in Search by Name field enter the name created in step 1 and drag it to the Editor.

Add additional conditions based on User Group and click Save.

In Results, select the Tacacs Command Set and Shell Profile created in step 2 and step 3 then click Save.

Configure Switch

Verify

User attempting to SSH into the Switch Outside of Business Hours and got Access denied from ISE.

The ISE Live Logs indicate that authorization failed because the Time and Date condition in the authorization policy did not match, resulting in the session hitting the Default Deny Access rule.

User attempting to SSH into switch during Business Hours and get Read Write Access:

The ISE Live Log indicates that login during Business Hours matched the Time and Date condition and hits correct Policy.

Troubleshoot

Debugs on ISE

Collect the ISE support bundle with these attribute to be set at the debug level:

• RuleEngine-Policy-IDGroups
• RuleEngine-Attributes
• Policy-Engine
• epm-pdp
• epm-pip

When the User Attempting to SSH into the Switch Outside of Business Hours due to Time and Date Condition not matched with configured business hours.

show logging application ise-psc.log

When the User Attempting to SSH into the Switch during the Business Hours matched the Time and Date Condition.

show logging application ise-psc.log

Related Information

• Cisco ISE Device Administration Prescriptive Deployment Guide

Frequently Asked Questions

• Can I apply different access levels based on time?
  Yes. You can create different authorization policies and link them to time conditions.

For example:
Full access during business hours
Read-only access after hours
No access on weekends

• What happens if the system time is incorrect or unsynchronized?
  ISE can apply incorrect policies or fail to enforce time-based rules reliably. Ensure all devices and ISE nodes use a synchronized NTP source.

• Can time-based policies be used in conjunction with other conditions (for example, user role, device type)?
  Yes. Time conditions can be combined with other attributes in your policy rules to create granular and secure access controls.

• Is Time-Based Access supported for both shell and command sets in TACACS+?
  Yes. Time-based conditions can control access to the device shell or specific command sets, depending on how the authorization policy and profiles are structured.