03-09-2022 07:35 AM
Is it possible to specify an authorization policy for TACACS users that are authenticating via Console or SSH methods?
Accepted Solutions

03-10-2022 02:36 PM
@SMD28316 - you should also consider how you configure the switch's "line console" and "line vty" and apply the appropriate Method Lists (Authentication List and Authorization List). This tells the switch exactly how to engage AAA for login, exec authZ and command authZ. For example, you could tell the switch to only perform authentication via TACACS on the console, but not exec or command authZ.
ISE should not care whether the request came from a vty (ssh) or a pty (console) - but you can of course filter that out in ISE during Authentication/Authorization if needed.
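
The method-list arrangement described in the reply above, sketched as an IOS configuration. This is an added example, not part of the original thread; the server name, address (documentation range), key placeholder and list names are assumptions chosen for illustration.

```cisco
! Added example: named AAA method lists applied per line.
! ISE1, ISE-TACACS, 192.0.2.10 and the *-AUTHC / VTY-* list names are
! illustrative placeholders, not values from the thread.
aaa new-model
!
tacacs server ISE1
 address ipv4 192.0.2.10
 key <shared-secret>
!
aaa group server tacacs+ ISE-TACACS
 server name ISE1
!
! Login authentication lists. "local" is the fallback when no TACACS+
! server answers, so a local account must exist for it to be usable.
aaa authentication login CON-AUTHC group ISE-TACACS local
aaa authentication login VTY-AUTHC group ISE-TACACS local
!
! Exec and command authorization lists, referenced only from the vty lines.
aaa authorization exec VTY-EXEC group ISE-TACACS local if-authenticated
aaa authorization commands 15 VTY-CMD group ISE-TACACS local if-authenticated
!
! Console: TACACS+ login authentication only. No authorization list is
! applied here and no default authorization lists are defined above, so
! the switch does not send exec or command authZ requests for console users.
line con 0
 login authentication CON-AUTHC
!
! SSH sessions: authentication, exec authZ and command authZ all go to ISE.
line vty 0 4
 login authentication VTY-AUTHC
 authorization exec VTY-EXEC
 authorization commands 15 VTY-CMD
 transport input ssh
```

Because the lists are named rather than `default`, each line uses only what is attached to it, which makes it easy to audit from `show running-config` which access paths are subject to ISE authorization.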
03-09-2022 09:14 AM
Yes, of course. That's one of the core features of the TACACS server feature in ISE.

