11-14-2025 02:01 AM
Hello expert,
I just want to know: is it possible to log in to ISE (Identity Services Engine) using a Terminal Access Controller Access-Control System (TACACS) login?
Our customer has an audit and was ordered to use Terminal Access Controller Access-Control System (TACACS) on all devices. There is a question from them: why does the Identity Services Engine network access control device not use TACACS when logging in via web? The existing Identity Services Engine uses an internal user for login via web. For information, our customer has 2 licenses, for network access control and for TACACS, separated into 2 appliances: 1 appliance for Identity Services Engine (dot1x) and 1 appliance for TACACS user devices only. Please share any suggestion or source document regarding this topic.
Thank you.
11-14-2025 03:13 AM
Hello,
While Cisco Identity Services Engine (ISE) is the standard platform for providing TACACS+ services for Network Device Administration (managing switches, routers, firewalls, etc.), ISE's own administrative web interface (GUI) does not natively support authenticating administrators using TACACS+ as an external identity source. For its own admin login, ISE typically uses its internal user database or integrates with external sources like Active Directory (AD), LDAP, RSA SecureID, or SAML. Therefore, your customer's current setup of using internal users for the ISE web login is expected, and the TACACS+ license/appliance is intended for administering other network devices, not for the ISE GUI itself. To meet the audit requirement for centralized identity management, you should focus on integrating ISE's admin login with an approved external identity source like Active Directory or LDAP, which your customer's TACACS+ setup may already be leveraging for other device admins.
11-15-2025 06:24 AM - edited 11-15-2025 06:27 AM
Hi @cakra.chucky1 ,
there is a difference between ISE Administrator and Device Administration ...
For ISE Administrator, please take a look at: ISE Administrator Guide, Release 3.5 - Asset Visibility:
" ... In Cisco ISE, you can authenticate Administrators via an External Identity Store such as AD, LDAP, or RSA SecureID ... "
" ... You can configure this method of providing external Administrator authentication only via the Admin portal. Cisco ISE CLI does not feature these functions ... "
" ... By default, Cisco ISE provides internal Administrator authentication ... "
For Device Administration, please take a look at: ISE Administrator Guide, Release 3.5 - Device Administration:
" ... Cisco ISE supports Device Administration using the TACACS+ security protocol to control and audit the configuration of Network Devices ... "
" ... The Device Administrator is the user who logs into the Network Devices such as Switches, Wireless Access Points, Routers, and Gateways, (normally through SSH), to perform the configuration and maintenance of the administered Devices ... "
" ... Cisco ISE requires a Device Administration license to use TACACS+ ... "
Note: please take a look at: ISE - What we need to know about TACACS+.
Hope this helps!
11-14-2025 04:42 PM
Thank you for your answer, I will inform our customer of that statement.
I thought it was impossible to use TACACS+ for the NAC GUI itself, but maybe you can share any document supporting that statement, because the audit needs it as evidence.
Thank you.