Cisco ISE 2.4: Device Administration

For Device Administration on ISE, perform the following tasks:

  • Enable TACACS+
  • Add network devices
  • Add users
  • Create command sets and TACACS profiles
  • Create device administration policies

Enable TACACS+:

Navigate to Administration > System > Deployment >

Under General Settings, check the box ‘Enable Device Admin Service’ and click Save.


Adding Network Devices:

Create device groups first. Devices can be grouped by type or by location.

Device Administration > Network Resources > Network Device Groups


After creating the groups, add the devices:

Device Administration > Network Resources > Network Devices. Click Add.

Provide the name and IP address of the network device to be added, select its device group, and configure the RADIUS/TACACS+ authentication settings.



Network Access Internal Users:

Create the internal users. In our case, only the network admin users are internal users.

Administration > Identity Management > Identities > Users.

The same can be done under Work Centers > Network Access or Work Centers > Guest Access, as shown below.


Create Command sets:

Navigate to Work Centers > Device Administration > Policy Elements > Results > TACACS Command Sets. Click Add.


For example, we created ‘CMD-SET ALL ALLOWED’, which allows all commands: under Commands, check the box ‘Permit any command that is not listed below’ and do not add any command entries.


Another command set is created that allows only show commands; the asterisk (*) is used as a wildcard.
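As an added example (not ISE's own code), the following Python models how a command set like the two above evaluates a command line: the command/argument rules, the wildcard in the arguments, and the ‘Permit any command that is not listed below’ checkbox. The precedence among PERMIT, DENY and DENY_ALWAYS and the name ‘CMD-SET SHOW ONLY’ are assumptions of the model, not taken from ISE.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Simplified model of an ISE TACACS+ command set (added example, not the
# ISE implementation). The grant values mirror the ISE drop-down labels.
PERMIT, DENY, DENY_ALWAYS = "PERMIT", "DENY", "DENY_ALWAYS"


@dataclass
class CommandRule:
    grant: str
    command: str          # first word of the command line, e.g. "show"
    arguments: str = "*"  # wildcard pattern matched against the rest


@dataclass
class CommandSet:
    name: str
    permit_unlisted: bool  # the 'Permit any command that is not listed below' box
    rules: list = field(default_factory=list)

    def matching(self, command: str, arguments: str) -> list:
        """Rules whose command word and argument wildcard both match."""
        return [r for r in self.rules
                if r.command.lower() == command.lower()
                and fnmatchcase(arguments, r.arguments)]

    def authorize(self, command_line: str) -> bool:
        """Return True if the command line is permitted, False if denied."""
        parts = command_line.strip().split(None, 1)
        if not parts:
            return False  # an empty line is never authorized
        command = parts[0]
        arguments = parts[1] if len(parts) > 1 else ""
        matches = self.matching(command, arguments)
        if not matches:
            return self.permit_unlisted  # unlisted commands follow the checkbox
        # Assumed precedence for this model: DENY_ALWAYS and DENY beat PERMIT.
        grants = {r.grant for r in matches}
        if DENY_ALWAYS in grants or DENY in grants:
            return False
        return PERMIT in grants


# The two command sets built in the walkthrough (second name is assumed).
CMD_SET_ALL_ALLOWED = CommandSet("CMD-SET ALL ALLOWED", permit_unlisted=True)
CMD_SET_SHOW_ONLY = CommandSet("CMD-SET SHOW ONLY", permit_unlisted=False,
                               rules=[CommandRule(PERMIT, "show", "*")])

if __name__ == "__main__":
    for cmd in ("show running-config", "configure terminal", "show"):
        print(f"{CMD_SET_SHOW_ONLY.name}: {cmd!r} -> {CMD_SET_SHOW_ONLY.authorize(cmd)}")
```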


Create TACACS profiles:

Work Centers > Device Administration > Policy Elements > Results > TACACS Profiles


TACACS profiles are shell profiles. I always prefer to configure Maximum Privilege as 15, because we have already configured command sets for access restrictions.


Now, we will create device administration policies.

Device Administration Policy:

Here we reference all the items configured earlier. Navigate to:

Work Centers > Device Administration > Device Admin Policy Sets, then add a new policy set or use the default one. Click the small arrow on the right side of the policy set to expand it.


Create the authentication policy and use the internal users as the identity source (an external identity source can be used as well).


Then configure the authorization policies under ‘Authorization Policy’.
