Cisco ISE 2.4: Device Administration


For Device Administration on ISE, perform the following tasks:

  • Enable TACACS+.
  • Add network devices.
  • Add users.
  • Create command sets and TACACS profiles.
  • Create device administration policies.

Enable TACACS+:

Navigate to Administration > System > Deployment.

Under General Settings, check the box ‘Enable Device Admin Service’ and click Save.

Adding Network Devices:

Create device groups. We can group devices based on type or location.

Device Administration > Network Resources > Network Device Groups

After creating the groups, add the devices.

Device Administration > Network Resources > Network Devices. Click Add.

Provide the name and IP address of the network device to be added, select its device group, and configure the RADIUS/TACACS+ authentication settings.

Network Access Internal Users:

Create internal users. In our case, only the network admin users are internal.

Administration > Identity Management > Identities > Users.

The same can be done under Work Centers > Network Access or Work Centers > Guest Access.

Create Command Sets:

Navigate to Work Centers > Device Administration > Policy Elements > Results > TACACS Command Sets. Click Add.

For example, we have created ‘CMD-SET ALL ALLOWED’, which allows all commands: under Commands, check the box ‘Permit any command that is not listed below’ and do not add any commands.

[Image: TACACS command set permitting all commands]

Another command set is created that allows only show commands. The asterisk (*) is used as a wildcard.

[Image: TACACS command set permitting only show commands]
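To make the command set semantics concrete, the following is an added Python model (not ISE's own code; its wildcard matching and deny-over-permit precedence are simplifying assumptions) that reconstructs the two command sets described above and evaluates command lines against them. It goes beyond the page by adding a constructed third set with a deny rule to show how a deny overrides a broader permit.

```python
import fnmatch
from dataclasses import dataclass, field
from typing import List


@dataclass
class Rule:
    """One row of a TACACS command set: grant, command, argument pattern."""
    grant: str              # "PERMIT" or "DENY"
    command: str            # e.g. "show"; '*' is the wildcard
    arguments: str = "*"    # e.g. "running-config" or "*"

    def matches(self, command: str, arguments: str) -> bool:
        # Glob-style matching is an assumption of this model, not ISE's rule.
        return (fnmatch.fnmatchcase(command, self.command)
                and fnmatch.fnmatchcase(arguments, self.arguments))


@dataclass
class CommandSet:
    """Simplified model of an ISE TACACS command set (assumption, not ISE's code)."""
    name: str
    permit_unlisted: bool   # the 'Permit any command that is not listed below' box
    rules: List[Rule] = field(default_factory=list)

    def authorize(self, cmdline: str) -> bool:
        """Return True if cmdline is permitted. Assumed precedence: a matching
        DENY wins over a matching PERMIT; a command matching no rule falls
        back to the permit_unlisted checkbox."""
        parts = cmdline.strip().split(maxsplit=1)
        command = parts[0] if parts else ""
        arguments = parts[1] if len(parts) > 1 else ""
        hits = [r for r in self.rules if r.matches(command, arguments)]
        if any(r.grant == "DENY" for r in hits):
            return False
        if any(r.grant == "PERMIT" for r in hits):
            return True
        return self.permit_unlisted


# The two command sets from the page, reconstructed in this model:
ALL_ALLOWED = CommandSet("CMD-SET ALL ALLOWED", permit_unlisted=True)
SHOW_ONLY = CommandSet("CMD-SET SHOW ONLY", permit_unlisted=False,
                       rules=[Rule("PERMIT", "show", "*")])
# Constructed variant (not on the page): show-only, but running-config is denied.
SHOW_ONLY_NO_RUN = CommandSet("CMD-SET SHOW ONLY NO RUN", permit_unlisted=False,
                              rules=[Rule("PERMIT", "show", "*"),
                                     Rule("DENY", "show", "running-config*")])

if __name__ == "__main__":
    for cs in (ALL_ALLOWED, SHOW_ONLY, SHOW_ONLY_NO_RUN):
        for cmd in ("show version", "show running-config", "configure terminal"):
            print(f"{cs.name:28} {cmd:22} -> {'permit' if cs.authorize(cmd) else 'deny'}")
```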

Create TACACS Profiles:

Work Centers > Device Administration > Policy Elements > Results > TACACS Profiles

TACACS profiles are shell profiles. I always prefer to set the Maximum Privilege to 15, because the command sets configured earlier already handle the access restrictions.

[Image: editing a custom TACACS shell profile]

Now, we will create device administration policies.

Device Administration Policy:

Here we will reference all the items configured earlier. Navigate to:

Work Centers > Device Administration > Device Admin Policy Sets and add a new policy set or use the default one. Click the small arrow button on the right side of the policy set to expand it.

Create the Authentication Policy and use Internal Users (an external identity store can be used as well).

Then configure the authorization policies under ‘Authorization Policy’, selecting the TACACS profile and command sets created earlier as the results.
