Solved: TACACS+ authentication on ISE 2.3 with Base license

ozzyBLR · ‎10-27-2020

Hello everyone.

As I see from the ISE ordering guide the Device Administration license is needed to activate TACACS+ features. The question is will my ISE perform user authentication only as a TACACS+ server when running just Base license?

The set up as follows. I have a 2960 switch and ISE 2.3 (Base license) joined with the AD server. My goal is to allow AD users to access network devices. The plan is to specify the ISE address as a TACACS+ server in 2960 configuration and set some policies in the ISE to fine-tune access rules. Any chances?

Marvin Rhoads · ‎10-28-2020

You need the Device Administration license if you want to use ISE as a TACACS server. Device Admin also requires a minimum order of 100 Base licenses (for versions prior to 3.0).

You can authenticate users to login to network devices using RADIUS with only Base licenses.

View solution in original post

balaji.bandi · ‎10-27-2020

Look at base licese covers :

https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_0110.html

here is ISE License guide :

https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/guide-c07-656177.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Marvin Rhoads · ‎10-28-2020

You need the Device Administration license if you want to use ISE as a TACACS server. Device Admin also requires a minimum order of 100 Base licenses (for versions prior to 3.0).

You can authenticate users to login to network devices using RADIUS with only Base licenses.

Aref Alsouqi · ‎10-28-2020

As @Marvin Rhoads mentioned, you need Device Administration license to run TACACS on ISE. Device Administration license runs on top of the base license. You can use ISE to allow admin accesses to the network devices through RADIUS, please take a look at my blog post here:

https://bluenetsec.com/priv-level-15-with-cisco-ise/