09-22-2022 09:39 AM
Hello.
I am configuring TACACS+ and RADIUS authentication service on ISE 3.1.
First of all, the RADIUS authentication policy is configured in Policy Sets.
However, looking at other sources, it appears that the TACACS+ authentication policy is configured in Device Admin Policy Sets.
I was wondering what is the difference between Device Admin Policy Sets and Policy Sets.
09-22-2022 09:45 AM
@isp3799 the Policy Sets are for RADIUS authenticated sessions such as 802.1x / MAB wired and wireless connections or Remote Access VPN connections.
Whereas Device Admin Policy Sets are for TACACS+ authenticated sessions, for device management of switches, routers, etc.
09-22-2022 09:46 AM
Policy Sets are for RADIUS traffic. UDP/1812
Device Admin Policy sets are for TACACS+. TCP/49
04-27-2023 08:05 PM
So basically, it should be "RADIUS Policy Sets" and "TACACS Policy Sets", because in reality, RADIUS is very often used for Device Admin Access. This has caused a LOT of wasted man hours. Just saying....
04-27-2023 08:21 PM
Yeah sure, TACACS+ is device admin only. RADIUS can be client authc/authz and device admin for devices that don’t support TACACS+.