Add devices to Cisco ISE

Requirement: users of R3, R10 and R11 must be authenticated (and authorized) via TACACS+ against ISE.
Add the three routers to ISE as network devices, each with the TACACS+ shared secret that its tacacs server definition will use.

Define the ISE TACACS command sets:
- Allow all commands (permit any command not listed) for senior engineers
- Allow a limited subset of commands for junior engineers

Define the TACACS shell profile (the privilege level the user lands in after exec authorization).

Define the ISE TACACS policy set: each authorization rule matches a user group and returns the respective shell profile and command set.

Verify that the users, and the AD groups the authorization rules match on, exist in Active Directory.
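To make the Permit/Deny semantics of the two command sets concrete, here is an added Python model of how ISE evaluates one command against a command set. This is example code written for these notes, not ISE or Cisco code. It mirrors the documented rule processing as I understand it: a Deny Always row wins regardless of position, otherwise the first matching row (in row order) wins, otherwise the "Permit any command that is not listed below" setting decides. The set names and the junior subset (show, ping, traceroute, terminal length, with config dumps always denied) are my assumptions; the page does not list the subset.

```python
import re
from dataclasses import dataclass, field

PERMIT, DENY, DENY_ALWAYS = "PERMIT", "DENY", "DENY_ALWAYS"


@dataclass
class Rule:
    grant: str            # PERMIT, DENY or DENY_ALWAYS (the ISE "Grant" column)
    command: str          # command word, matched exactly ("show", "configure", ...)
    arguments: str = ""   # regex applied to the rest of the line; "" matches anything


@dataclass
class CommandSet:
    name: str
    rules: list = field(default_factory=list)
    permit_unmatched: bool = False   # "Permit any command that is not listed below"

    def decide(self, line: str) -> str:
        """PERMIT or DENY for one command line.

        Deny Always beats everything, otherwise the first matching row wins,
        otherwise the permit-unmatched setting decides.
        """
        parts = line.strip().split(None, 1)
        if not parts:
            return DENY
        cmd, args = parts[0], (parts[1] if len(parts) > 1 else "")
        matched = [r for r in self.rules
                   if r.command == cmd and re.search(r.arguments, args)]
        if any(r.grant == DENY_ALWAYS for r in matched):
            return DENY
        if matched:
            return PERMIT if matched[0].grant == PERMIT else DENY
        return PERMIT if self.permit_unmatched else DENY


# Two sets in the spirit of the notes; the junior subset is an assumption.
SENIOR = CommandSet("PermitAllCommands", permit_unmatched=True)
JUNIOR = CommandSet("JuniorReadOnly", rules=[
    # config dumps carry keys and hashes: always denied, even though "show" is permitted below
    Rule(DENY_ALWAYS, "show", r"^(running|startup)-config\b"),
    Rule(PERMIT, "show"),
    Rule(PERMIT, "ping"),
    Rule(PERMIT, "traceroute"),
    Rule(PERMIT, "terminal", r"^length"),
    Rule(PERMIT, "exit"),
])


def authorize_session(cmdset: CommandSet, lines):
    """Evaluate a whole session; returns {command line: decision}."""
    return {line: cmdset.decide(line) for line in lines}


if __name__ == "__main__":
    for who, cs in (("senior", SENIOR), ("junior", JUNIOR)):
        print(who, authorize_session(cs, ["show ip interface brief",
                                          "show running-config",
                                          "configure terminal"]))
```

The router sends the parsed, expanded command words in the authorization request (cmd=show, cmd-arg=running-config), so an abbreviation such as "sh run" is matched against the full words; the Deny Always row is what keeps "show running-config" out of a set that otherwise permits every show command.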

Add the TACACS+ server, the server group and the named AAA method lists (R10 shown; R3 and R11 are configured the same way):

R10-EDGE-ROUTER#show run | s aaa
! enable AAA
aaa new-model
! define the TACACS+ server (ISE); the key must match the shared secret entered for this device in ISE
tacacs server TACACS_SERVER_ISE
 address ipv4
 key 11216demo
 timeout 5
! define the server group and tie it to the server (without the server name line the group is empty and every list falls through to local)
aaa group server tacacs+ NPLLC_TACACS_SG
 server name TACACS_SERVER_ISE
! named login list: ask ISE first; local is used only if no server in the group answers, not when ISE rejects the user
aaa authentication login NPLLC_AAA_LOGIN_LIST group NPLLC_TACACS_SG local
! enable password from ISE, falling back to the local enable secret
aaa authentication enable default group NPLLC_TACACS_SG enable
! configuration-mode commands are also subject to command authorization
aaa authorization config-commands
! exec authorization returns the shell profile; command authorization consults the ISE command set at each privilege level
aaa authorization exec NPLLC_AAA_LOGIN_LIST group NPLLC_TACACS_SG local
aaa authorization commands 0 NPLLC_AAA_LOGIN_LIST group NPLLC_TACACS_SG local
aaa authorization commands 1 NPLLC_AAA_LOGIN_LIST group NPLLC_TACACS_SG local
aaa authorization commands 15 NPLLC_AAA_LOGIN_LIST group NPLLC_TACACS_SG local
aaa session-id common
Apply the lists to line vty 0 4:

R10-EDGE-ROUTER#show run | s line vty 0 4
line vty 0 4
 password cisco
 authorization commands 0 NPLLC_AAA_LOGIN_LIST
 authorization commands 1 NPLLC_AAA_LOGIN_LIST
 authorization commands 15 NPLLC_AAA_LOGIN_LIST
 authorization exec NPLLC_AAA_LOGIN_LIST
 login authentication NPLLC_AAA_LOGIN_LIST
 transport input telnet ssh

Notes: with aaa new-model and a login authentication list applied, the line password is never consulted, so "password cisco" is dead weight here. "transport input telnet ssh" lets the TACACS+-authenticated username and password cross the network in cleartext; outside the lab use "transport input ssh" only. Apply the same line configuration to any further vty lines the platform has (for example vty 5 15), otherwise the lists cover only the first five sessions.
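As an added check (my own example, not from the page or from Cisco), a Python audit of the configuration above that catches the mistakes that silently break or weaken this design: an empty server group, a server with no address, a login or authorization list whose first method is not the TACACS+ group or that has no local fallback, vty lines with a list missing, and telnet left enabled. The sample config is the R10 config transcribed as a constructed string, with the address operand missing just as it is on the page; the 10.0.0.5 address in the repaired variant is a placeholder.

```python
import re
from collections import defaultdict

# Constructed sample: the R10 config from these notes, transcribed as-is
# (the address operand is missing on the page, and the audit should notice).
SAMPLE_CONFIG = """\
aaa new-model
tacacs server TACACS_SERVER_ISE
 address ipv4
 key 11216demo
 timeout 5
aaa group server tacacs+ NPLLC_TACACS_SG
aaa authentication login NPLLC_AAA_LOGIN_LIST group NPLLC_TACACS_SG local
aaa authentication enable default group NPLLC_TACACS_SG enable
aaa authorization config-commands
aaa authorization exec NPLLC_AAA_LOGIN_LIST group NPLLC_TACACS_SG local
aaa authorization commands 0 NPLLC_AAA_LOGIN_LIST group NPLLC_TACACS_SG local
aaa authorization commands 1 NPLLC_AAA_LOGIN_LIST group NPLLC_TACACS_SG local
aaa authorization commands 15 NPLLC_AAA_LOGIN_LIST group NPLLC_TACACS_SG local
aaa session-id common
line vty 0 4
 password cisco
 authorization commands 0 NPLLC_AAA_LOGIN_LIST
 authorization commands 1 NPLLC_AAA_LOGIN_LIST
 authorization commands 15 NPLLC_AAA_LOGIN_LIST
 authorization exec NPLLC_AAA_LOGIN_LIST
 login authentication NPLLC_AAA_LOGIN_LIST
 transport input telnet ssh
"""

# Same config with the three defects repaired; 10.0.0.5 is a placeholder ISE address.
FIXED_CONFIG = (SAMPLE_CONFIG
    .replace(" address ipv4\n", " address ipv4 10.0.0.5\n")
    .replace("aaa group server tacacs+ NPLLC_TACACS_SG\n",
             "aaa group server tacacs+ NPLLC_TACACS_SG\n server name TACACS_SERVER_ISE\n")
    .replace(" transport input telnet ssh", " transport input ssh"))


def parse_sections(config):
    """Split IOS config text into (header, [indented sub-commands]) pairs."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] in " \t" and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit_aaa(config):
    """Return a list of findings; an empty list means every check passed."""
    sections = parse_sections(config)
    headers = {h for h, _ in sections}
    findings = []
    if "aaa new-model" not in headers:
        findings.append("aaa new-model missing: the method lists below are never used")

    servers, groups, login_lists, authz_lists = {}, {}, {}, defaultdict(dict)
    for h, kids in sections:
        if m := re.match(r"tacacs server (\S+)", h):
            servers[m[1]] = kids
            if not any(re.match(r"address ipv[46] \S+", k) for k in kids):
                findings.append(f"tacacs server {m[1]}: no address configured")
            if not any(k.startswith("key ") for k in kids):
                findings.append(f"tacacs server {m[1]}: no shared key configured")
        elif m := re.match(r"aaa group server tacacs\+ (\S+)", h):
            groups[m[1]] = [k.split()[-1] for k in kids if k.startswith("server name ")]
        elif m := re.match(r"aaa authentication login (\S+) (.+)", h):
            login_lists[m[1]] = m[2].split()
        elif m := re.match(r"aaa authorization (exec|commands \d+) (\S+) (.+)", h):
            authz_lists[m[2]][m[1]] = m[3].split()
    for g, members in groups.items():
        if not members:
            findings.append(f"aaa group server tacacs+ {g}: group is empty (no 'server name')")
        for s in members:
            if s not in servers:
                findings.append(f"aaa group server tacacs+ {g}: member {s} is not a defined tacacs server")

    def check_methods(what, methods):
        # first method must be the TACACS+ group, with local as the last-resort fallback
        if len(methods) < 2 or methods[0] != "group":
            findings.append(f"{what}: first method is not a TACACS+ server group")
        elif methods[1] not in groups:
            findings.append(f"{what}: references undefined group {methods[1]}")
        if "local" not in methods:
            findings.append(f"{what}: no local fallback, admins are locked out if ISE is unreachable")

    for h, kids in sections:
        if not h.startswith("line vty"):
            continue
        login = next((k.split()[2] for k in kids if k.startswith("login authentication ")), None)
        if login is None:
            findings.append(f"{h}: no login authentication list applied")
        elif login not in login_lists:
            findings.append(f"{h}: login list {login} is not defined")
        else:
            check_methods(f"aaa authentication login {login}", login_lists[login])
        for kind in ("exec", "commands 0", "commands 1", "commands 15"):
            m = next((m for k in kids for m in [re.match(rf"authorization {kind} (\S+)$", k)] if m), None)
            if m is None:
                findings.append(f"{h}: no 'authorization {kind}' applied")
            elif kind not in authz_lists.get(m[1], {}):
                findings.append(f"{h}: list {m[1]} has no 'aaa authorization {kind}' definition")
            else:
                check_methods(f"aaa authorization {kind} {m[1]}", authz_lists[m[1]][kind])
        transport = next((k.split()[2:] for k in kids if k.startswith("transport input ")), ["all"])
        if "telnet" in transport or "all" in transport:
            findings.append(f"{h}: transport input allows telnet, credentials cross the network in cleartext")
    return findings


if __name__ == "__main__":
    for f in audit_aaa(SAMPLE_CONFIG):
        print("FINDING:", f)
    print("repaired config findings:", audit_aaa(FIXED_CONFIG))
```

Run it against the output of show running-config from each of R3, R10 and R11 before handing the devices over; the repaired variant shows what a clean result looks like.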
Test an AAA user login from the CLI of the device.

Test the senior and junior engineer logins:
Senior engineers should have full access to the devices with no restrictions. Verify the user login with show users.

The output below shows that fclarke has full access to the IOS CLI.

Check the Cisco ISE TACACS live log to verify the session authentication and authorization.

Verify the junior admin session: limited access to the device, commands outside the junior command set are rejected with "Command authorization failed".

Verify with AAA debugs on the router (debug aaa authentication, debug aaa authorization, debug tacacs).

Reference doc(s) used in the lab: Cisco AAA Identity Management Security