
TACACS+ authentication on ISE 2.3 with Base license

ozzyBLR
Level 1

Hello everyone.

As I see from the ISE ordering guide, the Device Administration license is needed to activate TACACS+ features. The question is: will my ISE perform user authentication only as a TACACS+ server when running just a Base license?

The setup is as follows. I have a 2960 switch and ISE 2.3 (Base license) joined with the AD server. My goal is to allow AD users to access network devices. The plan is to specify the ISE address as a TACACS+ server in the 2960 configuration and set some policies in the ISE to fine-tune access rules. Any chances?

 

Accepted Solutions

Marvin Rhoads
Hall of Fame

You need the Device Administration license if you want to use ISE as a TACACS server. Device Admin also requires a minimum order of 100 Base licenses (for versions prior to 3.0).

You can authenticate users to log in to network devices using RADIUS with only Base licenses.


As @Marvin Rhoads mentioned, you need a Device Administration license to run TACACS on ISE. The Device Administration license runs on top of the Base license. You can use ISE to allow admin access to the network devices through RADIUS; please take a look at my blog post here:

https://bluenetsec.com/priv-level-15-with-cisco-ise/