https://community.cisco.com/t5/network-access-control/using-tacacs-raidus-for-ise-cli-login/m-p/4618982#M575006 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1171789">@SMD28316</a>&nbsp; - RADIUS is a valid option for Device Admin in my opinion, if you don't need all that fancy command auth and command accounting that TACACS+ offers. It works great.</P> <P>Use the following RADIUS Authentication logic (notice the RADIUS Attributes used in each case)</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ISE RADIUS DEVICE ADMIN.PNG" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/152139iB42ED39FE0D7C71F/image-size/large?v=v2&amp;px=999" role="button" title="ISE RADIUS DEVICE ADMIN.PNG" alt="ISE RADIUS DEVICE ADMIN.PNG" /></span></P> <P>&nbsp;</P> <P>As for the results, you return the usual priv level 15 (or whatever you need) in the Cisco AV Pair - might have to google that - I don't have a copy of what I used back in the day</P> <P>&nbsp;</P> Fri, 27 May 2022 05:41:16 GMT Arne Bier 2022-05-27T05:41:16Z https://community.cisco.com/t5/network-access-control/using-tacacs-raidus-for-ise-cli-login/m-p/4618554#M574982 <P>So on the ISE CLI I found the option to enable TACACS+:</P><P>ise/admin(config)# aaa authentication tacacs+ server ?<BR />&lt;WORD&gt; Server ip or hostname (Max Size - 31)</P><P>ise/admin(config)# aaa authentication tacacs+ server</P><P>&nbsp;</P><P>Can I use TACACS+ for CLI login? I didn't find a useful document for this commnad, also can I use RADIUS instead? if not I would like to know if there are plans to enable it in the future,</P> Thu, 26 May 2022 12:21:41 GMT https://community.cisco.com/t5/network-access-control/using-tacacs-raidus-for-ise-cli-login/m-p/4618554#M574982 SMD28316 2022-05-26T12:21:41Z https://community.cisco.com/t5/network-access-control/using-tacacs-raidus-for-ise-cli-login/m-p/4618719#M574987 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1171789">@SMD28316</a>&nbsp; since ISE 2.6 version,&nbsp; the CLI Access to ISE by External Identity Store is added.</P> <P class="p">ISE supports authentication of CLI administrators by external identity sources, such as Active Directory.</P> <P>&nbsp;</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/release_notes/b_ise_26_RN.html#id_97053" target="_self">https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/release_notes/b_ise_26_RN.html#id_97053</A>&nbsp;</P> <P>&nbsp;</P> <P>It is better to use TACACS to control CLI access rather than RADIUS. This is because simply RADIUS does not separate authentication and authorization while TACACS does, in other words RADIUS cannot manage per command CLI authorization.</P> Thu, 26 May 2022 16:21:22 GMT https://community.cisco.com/t5/network-access-control/using-tacacs-raidus-for-ise-cli-login/m-p/4618719#M574987 Meddane 2022-05-26T16:21:22Z https://community.cisco.com/t5/network-access-control/using-tacacs-raidus-for-ise-cli-login/m-p/4618982#M575006 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1171789">@SMD28316</a>&nbsp; - RADIUS is a valid option for Device Admin in my opinion, if you don't need all that fancy command auth and command accounting that TACACS+ offers. It works great.</P> <P>Use the following RADIUS Authentication logic (notice the RADIUS Attributes used in each case)</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ISE RADIUS DEVICE ADMIN.PNG" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/152139iB42ED39FE0D7C71F/image-size/large?v=v2&amp;px=999" role="button" title="ISE RADIUS DEVICE ADMIN.PNG" alt="ISE RADIUS DEVICE ADMIN.PNG" /></span></P> <P>&nbsp;</P> <P>As for the results, you return the usual priv level 15 (or whatever you need) in the Cisco AV Pair - might have to google that - I don't have a copy of what I used back in the day</P> <P>&nbsp;</P> Fri, 27 May 2022 05:41:16 GMT https://community.cisco.com/t5/network-access-control/using-tacacs-raidus-for-ise-cli-login/m-p/4618982#M575006 Arne Bier 2022-05-27T05:41:16Z https://community.cisco.com/t5/network-access-control/using-tacacs-raidus-for-ise-cli-login/m-p/4619082#M575013 <P>Thank you,</P><P>&nbsp;</P><P>yes I understand this, but can I use RADIUS for ISE CLI authentication? it doesn't seem available for now.</P> Fri, 27 May 2022 07:23:16 GMT https://community.cisco.com/t5/network-access-control/using-tacacs-raidus-for-ise-cli-login/m-p/4619082#M575013 SMD28316 2022-05-27T07:23:16Z https://community.cisco.com/t5/network-access-control/using-tacacs-raidus-for-ise-cli-login/m-p/4619234#M575024 <P>That is correct.&nbsp; Local CLI admin user or Active Directory only.</P> Fri, 27 May 2022 12:25:32 GMT https://community.cisco.com/t5/network-access-control/using-tacacs-raidus-for-ise-cli-login/m-p/4619234#M575024 ahollifield 2022-05-27T12:25:32Z