Showing results for 
Search instead for 
Did you mean: 
Cisco Employee
Cisco Employee



I would like to protect access to my network devices (Wired switches, Wireless lan controllers and Firewall) and enhance authentication using MFA.

Network Policy

Employee’s can connect to my network devices and can view and edit the configurations. Contractors can connect to my network devices but can only view the configurations.

Connection Flow



1. User initiates a SSH connection to the router 

2. Router sends TACACS+ authentication request to ISE

3. ISE sends RADIUS to Duo Security's authentication proxy

4. Primary authentication uses Active Directory

5. Duo authentication proxy connection established to Duo Security over TCP port 443

6. Secondary authentication via Duo Security's service

7. Duo authentication proxy receives authentication response

8. SSH access granted per ISE Device Admin policy set


This guide assumes:

  • The reader is familiar with the Cisco Identity Services Engine (ISE) features and functions
  • The reader is familiar with the configuration of ISE AAA functions


Enable ISE Device Administration Service (TACACS)

Step 1. Navigate to Administration->System->Deployment

Step 2. Enable "Device Administration Service" on the appropriate node

Step 3.  Click Save


Configuration for RADIUS communication between ISE and DUO

Step 1. On ISE, navigate to WorkCenters->Device Administration->Ext Id Sources->RADIUS Token




Step 2. Click Add

Step 3. Starting from left to right, configure the settings within each tab menu item as follows:

a. In the General tab, configure a name for the configuration

b. In the Connection tab, configure the Primary Server details:



Step 4. Click Submit


Create an Active Directory Join Point in ISE

With DUO auth proxy as the authentication ID source, no group information is returned.  As a result, we also connect ISE to Active Directory as the authorization ID source.


Note: If you already have integrated ISE with AD, skip this section


Step 5. Under Work Centers->Device Administration, select the submenu Ext Id Sources. In the left-hand pane, select Active Directory

Step 6. Click +Add in the right-hand pane and fill in as below and click Submit. Click "Yes" when asked "Would you like to Join all ISE Nodes to this Active Directory Domain?".




Step 7. In the Join Domain pop-up windows, fill in the necessary details:Picture6.png


Step 8. Click OK to start the join operation.  A window "Join Operation Status" will pop up.  Wait until the node status changes to Completed and then click Close

Step 9. Navigate to the Groups tab and add the Employees and Contractors groupsPicture7.png


Add Network Device 

Step 10. Navigate to Work Centers->Device Administration-> Network Resources-> Network Devices

Step 11.  Click Add. Provide Name, IP Address, select TACACS Authentication Settings checkbox and provide Shared Secret key.Picture11.png



Enable Device Administration

Step 10. Navigate to Work Centers->Device Administration.  Select Deployment from the left-hand pane to jump to the page Device Administration Deployment.  Select the appropriate ISE node configuration option




Step 11. Click Save when finished


Assigning device administration privileges based on Active Directory group membership

Step 12. Navigate to Work Centers->Device Administration->Device Admin Policy Sets

Step 13. Configure the identity store for the Authentication Policy to the policy that you configured in step 3a 




Step 14. Configure the authorization results within the authorization policy to assign the command sets and shell profiles for each user group.  See below for an example:




  1. SSH to the network device
  2. Log in
  3. When prompted for password, enter in this exact sequence : “ <login password>, <pin code on Duomobile app>”
  4. Once logged in, verify that the user is able to execute the defined command sets
  5. To review logs, on ISE Navigate to Operations-> TACACS->Live logs



Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Quick Links