Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1394
Views
5
Helpful
3
Replies

Usings TACACS to authenticate ISE system administrators

Go to solution
Scott Gillies
Level 1
Level 1

‎04-01-2020 04:55 AM

Hi

I am getting a bit confused with the term "ISE Device Administration via TACACS" and what it actually means.

 

Is it possible to use TACACS to authenticate ISE system administrators?

 

I.E. If more that one person has the authority to perform ISE system administration tasks is it possible to have them use their network TACACS account to log onto the ISE, to perform admin tasks, rather than use a local admin account?

 

I am amazed I actually have to ask this but I cannot find a straight forward answer.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Cristian Matei
VIP Alumni
VIP Alumni

‎04-01-2020 08:18 AM

Hi,

 

   That refers to using ISE as TACACS server, for your network devices administration (when you connect to your network devices via SSH let's say, the NAD authenticates you, authorises you and accounts for you agains the TACACS service running on ISE) . It does not refer to ISE admin users being authenticated via an ISE integration with another TACACS server.

 

Regards,

Cristian Matei.

View solution in original post

3 Replies 3

Go to solution
omz
VIP Alumni
VIP Alumni

‎04-01-2020 05:05 AM - edited ‎04-01-2020 05:06 AM

Hi

 

ISE requires a Device Administration license to use TACACS+.

There are two types of administrators for device administration:

  • Device Administrator

  • ISE Administrator

The device administrator is the user who logs into the network devices such as switches, wireless access points, routers, and gateways, (normally through SSH), in order to perform the configuration and maintenance of the administered devices. The ISE administrator logs into ISE to configure and coordinate the devices that a device administrator logs in to.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_0100010.html

"ISE Device Administration via TACACS" is for device administration.

 

Is it possible to use TACACS to authenticate ISE system administrators? 

Yes, depending on the version of ISE - Administration > Identity Management > External Identity Sources > Active Directory.

 

hope this helps

 

0 Helpful

Go to solution
Scott Gillies
Level 1
Level 1
In response to omz

‎04-01-2020 09:02 AM

Hi thanks

So just to confirm (for my sanity),

it is NOT possible to authenticate ISE admin users using seperate individual user accounts hosted on an external TACACS server?

0 Helpful

Go to solution
Cristian Matei
VIP Alumni
VIP Alumni

‎04-01-2020 08:18 AM

Hi,

 

   That refers to using ISE as TACACS server, for your network devices administration (when you connect to your network devices via SSH let's say, the NAD authenticates you, authorises you and accounts for you agains the TACACS service running on ISE) . It does not refer to ISE admin users being authenticated via an ISE integration with another TACACS server.

 

Regards,

Cristian Matei.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card