TACACS+ Device Administration
Cisco ISE supports device administration using the TACACS+ security protocol to control and audit the configuration of network devices. The network devices are configured to query Cisco ISE for authentication and authorization of device administrator actions, and send accounting messages for Cisco ISE to log the actions. It facilitates granular control of who can access which network device and change the associated network settings. A Cisco ISE administrator can create policy sets that allow TACACS results, such as command sets and shell profiles, to be selected in authorization policy rules in a device administration access service. The Cisco ISE Monitoring node provides enhanced reports that are related to device administration. The Work Center menu contains all the device administration pages, which act as a single start point for ISE administrators.
Cisco ISE requires a Device Administration license to use TACACS+.
There are two types of administrators for device administration:
- Device Administrator
- Cisco ISE Administrator
The device administrator is the user who logs in to network devices such as switches, wireless access points, routers, and gateways (normally through SSH) to perform the configuration and maintenance of the administered devices. The Cisco ISE administrator logs in to Cisco ISE to configure and coordinate the devices that a device administrator logs in to.
The Cisco ISE administrator is the intended reader of this document, who logs in to Cisco ISE to configure the settings that control the operations of the device administrator. The Cisco ISE administrator uses the device administration features (in the Cisco ISE GUI, click the Menu icon and choose Work Centers > Device Administration) to control and audit the configuration of the network devices. A device can be configured to query the Cisco ISE server using the TACACS+ security protocol. The Cisco ISE Monitoring node provides enhanced reports that are related to device administration. A Cisco ISE administrator can perform the following tasks:
- Configure network devices with the TACACS+ details (shared secret).
- Add device administrators as internal users and set their enable passwords as needed.
- Create policy sets that allow TACACS results, such as command sets and shell profiles, to be selected in authorization policy rules in a device administration access service.
- Configure the TACACS server in Cisco ISE to allow device administrators to access devices based on the policy sets.
The device administrator performs the task of setting up a device to communicate with the Cisco ISE server. When a device administrator logs on to a device, the device queries the Cisco ISE server, which in turn queries an internal or external identity store, to validate the details of the device administrator. After the Cisco ISE server completes the validation, the device informs the Cisco ISE server of the final outcome of each session or command authorization operation for accounting and auditing purposes.
A Cisco ISE administrator can manage device administration using TACACS Plus (TACACS+).
Note
You must check the Enable Device Admin Service check box on the Administration > System > Deployment > General Settings page to enable TACACS+ operations. Ensure that this option is enabled on each PSN in a deployment. Because the TACACS+ protocol itself cannot create a secure connection between a switch or router and Cisco ISE (a known limitation of the protocol), ensure that IP Security (IPsec) is deployed between the two parties.
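The following is an added example, not code from the Cisco ISE documentation or from Cisco. It models the authorization step of the exchange described above (device administrator runs a command, the device sends a TACACS+ authorization REQUEST to the server, the server evaluates its command sets) at the wire level, following RFC 8907: a 12-byte clear-text header followed by a body that is XORed with an MD5-derived keystream seeded only by the shared secret. That keystream construction, with no integrity protection, is why the note above calls for IPsec between the device and Cisco ISE. The shared secret, session id, user name, port, address and command are all constructed sample values.

```python
"""Minimal TACACS+ (RFC 8907) packet builder/parser for an authorization request.

Added example; not code from the Cisco ISE documentation or from Cisco.
All values (shared secret, session id, user, port, address, command) are
constructed sample data.
"""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0             # major version 0xC, minor version 0x0
TAC_PLUS_AUTHEN, TAC_PLUS_AUTHOR, TAC_PLUS_ACCT = 0x01, 0x02, 0x03
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream per RFC 8907 section 4.5: chained MD5 over session_id|key|version|seq_no."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body, session_id, key, version, seq_no):
    """Obfuscate or de-obfuscate the body (XOR is its own inverse)."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(ptype, seq_no, session_id, body, key=None):
    """Prepend the clear-text header; obfuscate the body when a secret is given."""
    flags = 0
    if key is None:
        flags |= TAC_PLUS_UNENCRYPTED_FLAG
    else:
        body = xor_body(body, session_id, key, TAC_PLUS_VERSION, seq_no)
    return HEADER.pack(TAC_PLUS_VERSION, ptype, seq_no, flags, session_id, len(body)) + body


def parse_packet(data, key=None):
    """Split header and body; de-obfuscate the body with the shared secret."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(data)
    body = data[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated TACACS+ packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        if key is None:
            raise ValueError("obfuscated body but no shared secret supplied")
        body = xor_body(body, session_id, key, version, seq_no)
    return {"type": ptype, "seq_no": seq_no, "session_id": session_id, "body": body}


def build_author_request(user, port, rem_addr, args, priv_lvl=15):
    """Authorization REQUEST body (RFC 8907 section 6.1) for a shell command."""
    # authen_method TACACSPLUS (0x06), priv_lvl, authen_type ASCII (0x01), service LOGIN (0x01)
    fixed = struct.pack("!BBBBBBBB", 0x06, priv_lvl, 0x01, 0x01,
                        len(user), len(port), len(rem_addr), len(args))
    arg_lens = bytes(len(a) for a in args)
    return fixed + arg_lens + user + port + rem_addr + b"".join(args)


def parse_author_request(body):
    """Decode the fields a TACACS+ server evaluates against its command sets."""
    _method, priv_lvl, _atype, _svc, ulen, plen, rlen, argc = struct.unpack_from("!BBBBBBBB", body)
    arg_lens = list(body[8:8 + argc])
    pos = 8 + argc
    user, pos = body[pos:pos + ulen], pos + ulen
    port, pos = body[pos:pos + plen], pos + plen
    rem_addr, pos = body[pos:pos + rlen], pos + rlen
    args = []
    for n in arg_lens:
        args.append(body[pos:pos + n].decode())
        pos += n
    return {"priv_lvl": priv_lvl, "user": user.decode(), "port": port.decode(),
            "rem_addr": rem_addr.decode(), "args": args}


# Constructed sample: administrator "netadmin" runs "show running-config" on a switch.
SHARED_SECRET = b"example-shared-secret"   # placeholder, not a real key
SESSION_ID = 0x1A2B3C4D
SAMPLE_ARGS = [b"service=shell", b"cmd=show", b"cmd-arg=running-config", b"cmd-arg=<cr>"]


def demo():
    body = build_author_request(b"netadmin", b"tty2", b"192.0.2.10", SAMPLE_ARGS)
    wire = build_packet(TAC_PLUS_AUTHOR, 1, SESSION_ID, body, SHARED_SECRET)
    # The server side: de-obfuscate with the same secret and read the request.
    decoded = parse_packet(wire, SHARED_SECRET)
    req = parse_author_request(decoded["body"])
    # A mismatched secret produces a different body, so a secret mismatch shows up
    # as a failed device-admin session rather than an explicit error.
    wrong = parse_packet(wire, b"wrong-secret")["body"]
    return req, decoded["body"] == body, wrong != body


if __name__ == "__main__":
    print(demo())
```

Only the header (type, sequence number, session id, length) is readable on the wire without the secret; everything the server decides on lives in the body, whose only protection is the MD5 keystream, so confidentiality and integrity of the device-to-ISE path come from IPsec, not from the protocol.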
For information about device administration attributes, see ISE Device Administration Attributes. For information about TACACS+ configuration for wireless LAN controllers, Cisco IOS network devices, Cisco NX-OS network devices, and network devices, see ISE Device Administration (TACACS+).