Can RADIUS be used for Device Administration on ISE? Or is TACACS+ the only way to do AAA on ISE?
I have a system with Cisco and Alcatel devices, and Alcatel devices seem to prefer RADIUS for AAA.
I've been able to get authentication working through RADIUS on ISE 2.1, but it seems to be handled through the network access side, and not the device administration side. On Alcatel devices, the authorization is normally handled through RADIUS, which is why I was hoping to get it working on that side.
I was able to get AUTHORIZATION working through TACACS+ to the Alcatel/Nokia devices. I'll be waiting for the ISE 2.2 beta to see if any of this is addressed in the new features.
Be sure to communicate with the Cisco account team so they can work with product management on any specific gaps. You have not clarified what specifically you are looking to be addressed in a newer release. The lack of command authorization and command accounting is not a limitation of the ISE RADIUS implementation, but a limitation of the standard RADIUS protocol.
ISE certainly supports standard RADIUS authentication and authorization. Some NADs may support specific attributes to control device admin privileges. If not already loaded, these can be imported into ISE and returned as part of the RADIUS authorization to the device itself. We separated TACACS+ under its own section and titled it "Device Admin" since that is the primary use case for TACACS+. However, it is true that some use RADIUS for the Device Admin function, but that would be configured under the original policy for RADIUS auth. Many customers choose to create a Policy Set specific to RADIUS Device Admin which matches on NDG, RADIUS service type, or another discriminating attribute which is specific to device admin.
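
An added illustration of the Service-Type matching mentioned in the reply above (not ISE code and not from any poster in this thread): it parses a RADIUS Access-Request per RFC 2865 and picks a policy set from the Service-Type attribute. The policy set names, the set of Service-Type values treated as device admin, and the sample packets are assumptions constructed for the example.

```python
import struct

# RFC 2865 attribute types and Service-Type values used below.
USER_NAME, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 4, 6
SERVICE_TYPES = {1: "Login", 2: "Framed", 6: "Administrative", 7: "NAS-Prompt", 10: "Call-Check"}
# Assumption: the Service-Type values this illustration treats as device admin logins.
DEVICE_ADMIN_TYPES = {"Login", "Administrative", "NAS-Prompt"}

def parse_radius(packet: bytes) -> dict:
    """Parse the RADIUS header and attributes, rejecting malformed lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    attrs, pos = {}, 20          # bytes past Length are padding and ignored
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return {"code": code, "id": ident, "attrs": attrs}

def select_policy_set(packet: bytes) -> str:
    """Return a hypothetical policy set name based on Service-Type."""
    values = parse_radius(packet)["attrs"].get(SERVICE_TYPE, [])
    if len(values) != 1 or len(values[0]) != 4:
        return "Network Access"  # absent or malformed: fall through to the default
    name = SERVICE_TYPES.get(struct.unpack("!I", values[0])[0], "Unknown")
    return "RADIUS Device Admin" if name in DEVICE_ADMIN_TYPES else "Network Access"

def build_request(user: bytes, service_type: int) -> bytes:
    """Build a constructed Access-Request (code 1) for the demo; no password attribute."""
    attrs = bytes([USER_NAME, 2 + len(user)]) + user
    attrs += bytes([NAS_IP_ADDRESS, 6]) + bytes([192, 0, 2, 10])
    attrs += bytes([SERVICE_TYPE, 6]) + struct.pack("!I", service_type)
    return struct.pack("!BBH", 1, 42, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    for st in (6, 7, 2, 10):
        print(st, SERVICE_TYPES[st], "->", select_policy_set(build_request(b"netadmin", st)))
```
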