<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: ISE Device Admin for Non-Cisco Devices in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/ise-device-admin-for-non-cisco-devices/m-p/4460943#M569568</link>
    <description>&lt;P&gt;I have no experience with FortiGate, however, for Palo Alto you can define the Admin Roles as you wish, and then you just reference their names in the ISE TACACS Profiles custom attributes. For example, if you created two Admin Roles, one called RW-Admins and another RO-Admins, then from the ISE TACACS Profiles custom attributes you can reference those two by creating two TACACS profiles, one for the RW and another for the RO. In both profiles you will use the MANDATORY type; the VSA in this case will be PaloAlto-Admin-Role and/or PaloAlto-Panorama-Admin-Role, plus the value. The value is the Admin Role Profile you created, which in this case would be RW-Admins and RO-Admins.&lt;/P&gt;
&lt;P&gt;To restrict the CLI access, you will have a tab called Command Line in the Admin Role Profile. When you go there you can select one of the supported options:&lt;/P&gt;
&lt;P&gt;None: No CLI access at all; this is the default, I think.&lt;/P&gt;
&lt;P&gt;superuser: Full access.&lt;/P&gt;
&lt;P&gt;superreader: Read-only access.&lt;/P&gt;
&lt;P&gt;deviceadmin: Full access to all firewall settings, with the exception of creating new accounts or vsys, which is only allowed for a superuser.&lt;/P&gt;
&lt;P&gt;devicereader: Read-only access to all the firewall settings except for the password profiles and the other admin accounts.&lt;/P&gt;
&lt;P&gt;For Panorama it is very similar to the firewalls; however, Panorama wouldn't have the deviceadmin and devicereader roles, as those are more related to the firewalls. Panorama also has a role called panorama-admin, which is very similar to the superuser role with the exception of creating, editing or deleting the Panorama admins, and some restrictions when it comes to pushing and exporting configs.&lt;/P&gt;
&lt;P&gt;You should also set the Admin Role Profile to read only for the UI; you can do that from the main tab, which is called Web UI. Some of the menus won't support read only; in that case you can just suppress them if you want.&lt;/P&gt;</description>
    <pubDate>Tue, 07 Sep 2021 10:11:13 GMT</pubDate>
    <dc:creator>Aref Alsouqi</dc:creator>
    <dc:date>2021-09-07T10:11:13Z</dc:date>
    <item>
      <title>ISE Device Admin for Non-Cisco Devices</title>
      <link>https://community.cisco.com/t5/network-access-control/ise-device-admin-for-non-cisco-devices/m-p/4458735#M569412</link>
      <description>&lt;P&gt;Hi Guys,&lt;/P&gt;&lt;P&gt;I was able to integrate my FortiGate and Palo Alto firewalls with my ISE TACACS and it is working with the GUI. I would like to ask, is it also possible to restrict CLI commands using the command sets for the FortiGate and PA firewalls?&lt;/P&gt;&lt;P&gt;Thank you.&lt;/P&gt;</description>
      <pubDate>Thu, 02 Sep 2021 10:28:30 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ise-device-admin-for-non-cisco-devices/m-p/4458735#M569412</guid>
      <dc:creator>fatalXerror</dc:creator>
      <dc:date>2021-09-02T10:28:30Z</dc:date>
    </item>
    <item>
      <title>Re: ISE Device Admin for Non-Cisco Devices</title>
      <link>https://community.cisco.com/t5/network-access-control/ise-device-admin-for-non-cisco-devices/m-p/4458772#M569414</link>
      <description>&lt;P class="lia-align-justify"&gt;Hi &lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/303946"&gt;@fatalXerror&lt;/a&gt;,&lt;/P&gt;&lt;P class="lia-align-justify"&gt;It is worth a shot to check the following link: &lt;A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMYmCAO&amp;amp;lang=en_US%E2%80%A9" target="_blank" rel="noopener"&gt;How to configure TACACS authentication against Cisco ISE&lt;/A&gt;.&lt;/P&gt;&lt;P class="lia-align-justify"&gt;Hope this helps!&lt;/P&gt;</description>
      <pubDate>Thu, 02 Sep 2021 11:51:52 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ise-device-admin-for-non-cisco-devices/m-p/4458772#M569414</guid>
      <dc:creator>Marcelo Morais</dc:creator>
      <dc:date>2021-09-02T11:51:52Z</dc:date>
    </item>
    <item>
      <title>Re: ISE Device Admin for Non-Cisco Devices</title>
      <link>https://community.cisco.com/t5/network-access-control/ise-device-admin-for-non-cisco-devices/m-p/4458852#M569415</link>
      <description>&lt;P&gt;It's going to depend on the other device. Either command accounting, or limiting the user via an av-pair or the like sent back to the device. We limit F5 that way, but it's done on the F5, not by ISE, other than the user level sent back.&lt;/P&gt;</description>
      <pubDate>Thu, 02 Sep 2021 14:06:22 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ise-device-admin-for-non-cisco-devices/m-p/4458852#M569415</guid>
      <dc:creator>Dustin Anderson</dc:creator>
      <dc:date>2021-09-02T14:06:22Z</dc:date>
    </item>
    <item>
      <title>Re: ISE Device Admin for Non-Cisco Devices</title>
      <link>https://community.cisco.com/t5/network-access-control/ise-device-admin-for-non-cisco-devices/m-p/4460943#M569568</link>
      <description>&lt;P&gt;I have no experience with FortiGate, however, for Palo Alto you can define the Admin Roles as you wish, and then you just reference their names in the ISE TACACS Profiles custom attributes. For example, if you created two Admin Roles, one called RW-Admins and another RO-Admins, then from the ISE TACACS Profiles custom attributes you can reference those two by creating two TACACS profiles, one for the RW and another for the RO. In both profiles you will use the MANDATORY type; the VSA in this case will be PaloAlto-Admin-Role and/or PaloAlto-Panorama-Admin-Role, plus the value. The value is the Admin Role Profile you created, which in this case would be RW-Admins and RO-Admins.&lt;/P&gt;
&lt;P&gt;To restrict the CLI access, you will have a tab called Command Line in the Admin Role Profile. When you go there you can select one of the supported options:&lt;/P&gt;
&lt;P&gt;None: No CLI access at all; this is the default, I think.&lt;/P&gt;
&lt;P&gt;superuser: Full access.&lt;/P&gt;
&lt;P&gt;superreader: Read-only access.&lt;/P&gt;
&lt;P&gt;deviceadmin: Full access to all firewall settings, with the exception of creating new accounts or vsys, which is only allowed for a superuser.&lt;/P&gt;
&lt;P&gt;devicereader: Read-only access to all the firewall settings except for the password profiles and the other admin accounts.&lt;/P&gt;
&lt;P&gt;For Panorama it is very similar to the firewalls; however, Panorama wouldn't have the deviceadmin and devicereader roles, as those are more related to the firewalls. Panorama also has a role called panorama-admin, which is very similar to the superuser role with the exception of creating, editing or deleting the Panorama admins, and some restrictions when it comes to pushing and exporting configs.&lt;/P&gt;
&lt;P&gt;You should also set the Admin Role Profile to read only for the UI; you can do that from the main tab, which is called Web UI. Some of the menus won't support read only; in that case you can just suppress them if you want.&lt;/P&gt;</description>
      <pubDate>Tue, 07 Sep 2021 10:11:13 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ise-device-admin-for-non-cisco-devices/m-p/4460943#M569568</guid>
      <dc:creator>Aref Alsouqi</dc:creator>
      <dc:date>2021-09-07T10:11:13Z</dc:date>
    </item>
  </channel>
</rss>