For Device Administration on ISE, perform the following tasks:
- Enable TACACS+
- Add network devices
- Add users
- Create command sets and TACACS profiles
- Create device administration policies
Navigate to Administration > System > Deployment.
Under General Settings, check the box ‘Enable Device Admin Service’ and click Save.
Adding Network Devices:
Create device groups. We can group devices based on type or location.
Device Administration > Network Resources > Network Device Groups
After creating the groups, add the devices:
Device Administration > Network Resources > Network Devices. Click Add.
Provide the name and IP address of the network device to be added, select its device group, and configure the RADIUS/TACACS+ settings.
Network Access Internal Users:
Create the internal users. In our case, only the network admin users are internal.
Administration > Identity Management > Identities > Users.
The same can be done under Work Centers > Network Access or Work Centers > Guest Access, as shown below.
Create Command sets:
Navigate to Work Centers > Device Administration > Policy Elements > Results > TACACS Command Sets. Click Add.
For example, we have created ‘CMD-SET ALL ALLOWED’, which allows all commands: check the box under Commands, ‘Permit any command that is not listed below’, and do not add any commands.
Another command set allows only show commands; the asterisk (*) is used as a wildcard.
Create TACACS profiles:
Work Centers > Device Administration > Policy Elements > Results > TACACS Profiles
TACACS profiles are shell profiles. I always prefer to configure the Maximum Privilege as 15 because we have already configured command sets for access restrictions.
Now, we will create device administration policies.
Device Administration Policy:
Here we reference all the items configured earlier. Navigate to:
Work Centers > Device Administration > Device Admin Policy Sets, then add a new policy set or use the default. Click the small arrow button on the right side of the policy set to expand it.
Create an Authentication Policy that uses the internal users (an external identity source can be used as well).
Then, configure the authorization policies under ‘Authorization Policy’.
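To make the chain configured above concrete, the following Python model (an added illustration, not ISE code or a Cisco API) ties together the command sets, the shell profile and the policy set: the policy set authenticates a user against the internal users, an authorization rule maps the user's identity group to a shell profile plus a command set, and the command set then decides each command line the user enters. The object names, the user names and passwords, and the identity groups are constructed for the example; the treatment of ‘*’ as a glob-style wildcard is a simplification, since ISE evaluates the arguments field as a regular expression.

```python
"""Model of the ISE device-administration authorization chain.

Added illustration only (not ISE code): a policy set authenticates the user
against internal users, an authorization rule maps the user's identity group
to a TACACS+ shell profile plus a command set, and the command set decides
each command line the user enters on the network device.
"""
import re
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class CommandRule:
    grant: str            # "PERMIT" or "DENY"
    command: str          # first keyword of the command line, e.g. "show"
    arguments: str = "*"  # pattern over the rest of the line; "*" matches anything


@dataclass
class CommandSet:
    name: str
    rules: List[CommandRule] = field(default_factory=list)
    permit_unlisted: bool = False  # 'Permit any command that is not listed below'

    def allows(self, command_line: str) -> bool:
        """First matching rule wins; unmatched commands fall back to the checkbox."""
        parts = command_line.strip().split(maxsplit=1)
        cmd = parts[0] if parts else ""
        args = parts[1] if len(parts) > 1 else ""
        for rule in self.rules:
            if rule.command == cmd and _args_match(rule.arguments, args):
                return rule.grant == "PERMIT"
        return self.permit_unlisted


def _args_match(pattern: str, args: str) -> bool:
    # Assumption: '*' is treated as a glob-style wildcard. ISE itself evaluates
    # the arguments field as a regular expression, where '*' alone means "any".
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, args) is not None


@dataclass
class ShellProfile:
    name: str
    default_privilege: int
    maximum_privilege: int


@dataclass
class AuthorizationRule:
    name: str
    identity_group: str
    shell_profile: ShellProfile
    command_set: CommandSet


class DeviceAdminPolicySet:
    def __init__(self, users: Dict[str, Tuple[str, str]], rules: List[AuthorizationRule]):
        self.users = users   # username -> (password, identity group); constructed data
        self.rules = rules   # evaluated top to bottom, first match wins

    def authenticate(self, username: str, password: str) -> bool:
        entry = self.users.get(username)
        if entry is None:
            return False
        return secrets.compare_digest(entry[0], password)

    def authorize(self, username: str) -> Optional[AuthorizationRule]:
        entry = self.users.get(username)
        if entry is None:
            return None
        return next((r for r in self.rules if r.identity_group == entry[1]), None)

    def command_authorized(self, username: str, command_line: str) -> bool:
        rule = self.authorize(username)
        return rule is not None and rule.command_set.allows(command_line)


# Constructed sample objects mirroring the names used in the walkthrough.
CMD_SET_ALL = CommandSet("CMD-SET ALL ALLOWED", permit_unlisted=True)
CMD_SET_SHOW = CommandSet("CMD-SET SHOW ONLY",
                          rules=[CommandRule("PERMIT", "show", "*")])
PRIV15 = ShellProfile("PRIV-15", default_privilege=15, maximum_privilege=15)

USERS = {
    "netadmin": ("sample-pass-1", "Network Admins"),
    "helpdesk": ("sample-pass-2", "Helpdesk"),
}
POLICY = DeviceAdminPolicySet(USERS, [
    AuthorizationRule("Admins full access", "Network Admins", PRIV15, CMD_SET_ALL),
    AuthorizationRule("Helpdesk show only", "Helpdesk", PRIV15, CMD_SET_SHOW),
])


def evaluate(username: str, password: str, command_line: str) -> str:
    """Return AUTHN-FAIL, PERMIT or DENY for one login plus one command line."""
    if not POLICY.authenticate(username, password):
        return "AUTHN-FAIL"
    return "PERMIT" if POLICY.command_authorized(username, command_line) else "DENY"


if __name__ == "__main__":
    for user, pw, cmd in [("netadmin", "sample-pass-1", "configure terminal"),
                          ("helpdesk", "sample-pass-2", "show running-config"),
                          ("helpdesk", "sample-pass-2", "configure terminal"),
                          ("helpdesk", "wrong", "show version")]:
        print(f"{user:9} {cmd:22} -> {evaluate(user, pw, cmd)}")
```

Both rules hand out the same privilege-15 shell profile, so it is the command set, not the privilege level, that actually restricts what the helpdesk user can run; that is the reasoning behind setting Maximum Privilege to 15 once command sets are in place. Note also that the helpdesk set has the ‘permit unlisted’ checkbox cleared, so anything other than a show command is denied.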