Add device to ISE
![](https://www.netprojnetworks.com/wp-content/uploads/2019/09/00-topology-4-1024x564.png)
Users of R3, R10 and R11 must be authenticated via TACACS+
Add devices to Cisco ISE
![](https://www.netprojnetworks.com/wp-content/uploads/2019/09/01-add-devices-to-ise-1024x534.png)
Define the ISE command sets:
- Allow all commands – for senior engineers
- Allow a limited subset of commands – for junior engineers
![](https://www.netprojnetworks.com/wp-content/uploads/2019/09/02-ALL-all-commands-1024x508.png)
![](https://www.netprojnetworks.com/wp-content/uploads/2019/09/03-jr-admins-commands-1024x494.png)
Define TACACS shell profile
![](https://www.netprojnetworks.com/wp-content/uploads/2019/09/04-admin-shell-profile-1024x441.png)
Define the ISE TACACS policy set – associate the command sets and shell profiles with their respective rules
![](https://www.netprojnetworks.com/wp-content/uploads/2019/09/00-ise-policy-sets-1024x497.png)
Verify users in Active Directory
![](https://www.netprojnetworks.com/wp-content/uploads/2019/09/05-ad-verify-1024x647.png)
![](https://www.netprojnetworks.com/wp-content/uploads/2019/09/12-jr-admin.png)
![](https://www.netprojnetworks.com/wp-content/uploads/2019/09/13-fclarke-1024x234.png)
Add the TACACS server group and create the respective AAA authentication list (the author's annotations are kept as `!` comment lines inside the captured output)

```
R10-EDGE-ROUTER#show run | s aaa
! enable aaa
aaa new-model
! define tacacs server
tacacs server TACACS_SERVER_ISE
 address ipv4 10.0.0.35
 key 11216demo
 timeout 5
! define server group and tie it to the tacacs server
aaa group server tacacs+ NPLLC_TACACS_SG
 server name TACACS_SERVER_ISE
! create service list – example is login list
aaa authentication login NPLLC_AAA_LOGIN_LIST group NPLLC_TACACS_SG local
aaa authentication enable default group NPLLC_TACACS_SG enable
aaa authorization config-commands
aaa authorization exec NPLLC_AAA_LOGIN_LIST group NPLLC_TACACS_SG local
aaa authorization commands 0 NPLLC_AAA_LOGIN_LIST group NPLLC_TACACS_SG local
aaa authorization commands 1 NPLLC_AAA_LOGIN_LIST group NPLLC_TACACS_SG local
aaa authorization commands 15 NPLLC_AAA_LOGIN_LIST group NPLLC_TACACS_SG local
aaa session-id common
R10-EDGE-ROUTER#
```
Assign the lists to line vty 0 4

```
R10-EDGE-ROUTER#show run | s line vty 0 4
line vty 0 4
 password cisco
 authorization commands 0 NPLLC_AAA_LOGIN_LIST
 authorization commands 1 NPLLC_AAA_LOGIN_LIST
 authorization commands 15 NPLLC_AAA_LOGIN_LIST
 authorization exec NPLLC_AAA_LOGIN_LIST
 login authentication NPLLC_AAA_LOGIN_LIST
 transport input telnet ssh
```
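A typo in a list or group name in the configuration above fails silently until someone is locked out or a level-15 user bypasses command authorization, so it is worth cross-checking the running-config offline first. The script below is an added example, not part of the original lab or of Cisco's tooling; it embeds an abridged copy of the R10 AAA and vty lines as constructed sample input and verifies that every vty binding points at a defined method list, that each list queries a defined tacacs+ group before falling back to local, that config-mode commands are covered by `aaa authorization config-commands`, and that the vty does not still accept telnet.

```python
import re
# Constructed sample input: the AAA and vty lines of the R10 configuration shown in this lab (abridged).
R10_CONFIG = """\
aaa new-model
aaa group server tacacs+ NPLLC_TACACS_SG
 server name TACACS_SERVER_ISE
aaa authentication login NPLLC_AAA_LOGIN_LIST group NPLLC_TACACS_SG local
aaa authorization config-commands
aaa authorization exec NPLLC_AAA_LOGIN_LIST group NPLLC_TACACS_SG local
aaa authorization commands 0 NPLLC_AAA_LOGIN_LIST group NPLLC_TACACS_SG local
aaa authorization commands 1 NPLLC_AAA_LOGIN_LIST group NPLLC_TACACS_SG local
aaa authorization commands 15 NPLLC_AAA_LOGIN_LIST group NPLLC_TACACS_SG local
line vty 0 4
 authorization commands 0 NPLLC_AAA_LOGIN_LIST
 authorization commands 1 NPLLC_AAA_LOGIN_LIST
 authorization commands 15 NPLLC_AAA_LOGIN_LIST
 authorization exec NPLLC_AAA_LOGIN_LIST
 login authentication NPLLC_AAA_LOGIN_LIST
 transport input telnet ssh
"""
# Global method-list definitions and the per-line bindings that must point at them.
LIST_RE = re.compile(r"^aaa (authentication login|authorization exec|authorization commands \d+) (\S+) (.+)$", re.M)
BIND_RE = re.compile(r"^ (login authentication|authorization exec|authorization commands \d+) (\S+)$", re.M)
REQUIRED = {"login", "exec", "commands 0", "commands 1", "commands 15"}
# Normalise 'authentication login' / 'login authentication' -> 'login', 'authorization commands 15' -> 'commands 15'.
_func = lambda words: "login" if "login" in words else words.split(" ", 1)[1]

def audit_tacacs_aaa(config):
    """Cross-check method lists, the tacacs+ server group and the vty bindings; return a list of findings."""
    findings, lists, bound, lines = [], {}, set(), config.splitlines()
    if "aaa new-model" not in lines:
        findings.append("'aaa new-model' missing: named method lists are never applied")
    if "aaa authorization config-commands" not in lines:
        findings.append("'aaa authorization config-commands' missing: config-mode commands bypass ISE command sets")
    groups = set(re.findall(r"^aaa group server tacacs\+ (\S+)", config, re.M))
    for words, name, methods in LIST_RE.findall(config):
        lists[(_func(words), name)] = m = methods.split()
        if len(m) < 2 or m[0] != "group" or m[1] not in groups:
            findings.append(f"list {name} ({_func(words)}) does not query a defined tacacs+ group first")
    # Only the indented lines under 'line vty ...' belong to the vty block.
    block = "".join(re.findall(r"^line vty.*\n((?: .*\n?)*)", config, re.M))
    for words, name in BIND_RE.findall(block):
        bound.add(_func(words))
        if (_func(words), name) not in lists:
            findings.append(f"vty binds {_func(words)} to undefined list {name}")
    for missing in sorted(REQUIRED - bound):
        findings.append(f"vty has no {missing} binding: that function falls back to the default list")
    if re.search(r"^ transport input .*\btelnet\b", block, re.M):
        findings.append("vty accepts telnet: logins and authorized sessions cross the network in cleartext")
    return findings
```

On the lab configuration as shown the only finding is the telnet transport; paste the real `show run` output in place of the sample to audit R3 and R11 the same way.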
Test AAA user login from the CLI of the device
![](https://www.netprojnetworks.com/wp-content/uploads/2019/09/14-test-aaa-server-1024x267.png)
Test senior and junior engineer login:
Senior engineers should have full access to the devices, with no restrictions. Verify the user login with show users
![](https://www.netprojnetworks.com/wp-content/uploads/2019/09/image.png)
The output below verifies that fclarke has full access to IOS
![](https://www.netprojnetworks.com/wp-content/uploads/2019/09/image-1-1024x510.png)
Check the Cisco ISE logs to verify the session's authentication and authorization
![](https://www.netprojnetworks.com/wp-content/uploads/2019/09/06-ise-sr-adming-logs-1024x336.png)
![](https://www.netprojnetworks.com/wp-content/uploads/2019/09/07-verify-end-1024x499.png)
Verify the junior admin session – limited access to the device
![](https://www.netprojnetworks.com/wp-content/uploads/2019/09/08-jr-admin-login-log-1024x519.png)
![](https://www.netprojnetworks.com/wp-content/uploads/2019/09/11-jr-admin-verify-done2-1024x288.png)
![](https://www.netprojnetworks.com/wp-content/uploads/2019/09/09-jr-admin-ise-log-1024x353.png)
![](https://www.netprojnetworks.com/wp-content/uploads/2019/09/11-jr-admin-verify-done-1024x501.png)
Verify with AAA debug output
![](https://www.netprojnetworks.com/wp-content/uploads/2019/09/15-debug-aaa-1-1024x412.png)
![](https://www.netprojnetworks.com/wp-content/uploads/2019/09/16-debut-aaa-2-1024x430.png)
Reference used in this lab: Cisco AAA Identity Management Security (Cisco Press) – http://www.ciscopress.com/store/aaa-identity-management-security-9781587141447