
Cisco ISE Device Administration

Configuration Guide

Contents

1. Deploy Cisco ISE on Virtual Machines Using OVA Templates
2. Initial Setup for the Cisco ISE Virtual Machine
3. Cisco ISE Ports Reference
4. Configuring High Availability
5. Join the Active Directory
5.1. Prerequisites for Integrating Active Directory and Cisco ISE
5.2. Add an Active Directory Join Point and Join Cisco ISE Node to the Join Point
5.3. Configure Active Directory User Groups
6. Manage Network Devices
6.1. Network Device Profile
6.2. Network Access Devices
6.3. Network Device Groups
7. Device Administration - Authorization Policy Results
7.1. TACACS+ Command Sets
7.1.1. Wildcards and Regex in Command Sets
7.1.2. Command Line and Command Set List Match
7.1.3. Process Rules with Multiple Command Sets
7.1.4. Create TACACS+ Command Sets
7.2. TACACS+ Profile
7.2.1. Create TACACS+ Profiles
8. Device Administration Policy Sets
8.1. Create Device Administration Policy Sets

1. Deploy Cisco ISE on Virtual Machines Using OVA Templates


You can use OVA templates to install and deploy Cisco ISE software on a virtual machine. Download the
OVA template from Cisco.com.

Procedure

1. Open the VMware vSphere client.
2. Log in to the VMware host.
3. Choose File > Deploy OVF Template from the VMware vSphere Client.
4. Click Browse to select the OVA template and click Next.
5. Confirm the details in the OVF Template Details page and click Next.
6. Enter a name for the virtual machine in the Name and Location page to uniquely identify it and click Next.
7. Choose a data store to host the OVA.
8. Click the Thick Provision radio button in the Disk Format page and click Next.
9. Verify the information in the Ready to Complete page. Check the Power on after deployment check box.
10. Click Finish.

2. Initial Setup for the Cisco ISE Virtual Machine

3. Cisco ISE Ports Reference


Table 1. Ports Used by the Administration Nodes

Columns in the original table: Cisco ISE Service; Ports on Gigabit Ethernet 0 or Bond 0; Ports on Other Ethernet Interfaces (Gigabit Ethernet 1 through 5, or Bond 1 and 2). Unless an entry says otherwise, the "Other Ethernet Interfaces" column is "—", that is, the service listens only on Gigabit Ethernet 0 or Bond 0.

Administration
 HTTP: TCP/80, HTTPS: TCP/443 (TCP/80 redirected to TCP/443; not configurable)
 SSH Server: TCP/22
 External RESTful Services (ERS) REST API: TCP/9060
 To display the Sponsor portal from the Admin GUI: TCP/9002
 ElasticSearch (Context Visibility; to replicate data from the primary to the secondary Admin node): TCP/9300
Note: Ports 80 and 443 support the Admin web applications and are enabled by default. HTTPS and SSH access to Cisco ISE is restricted to Gigabit Ethernet 0. TCP/9300 must be open on both the Primary and the Secondary Administration Node for incoming traffic.

Replication and Synchronization
 HTTPS (SOAP): TCP/443
 Data synchronization/Replication (JGroups): TCP/12001 (Global)

Monitoring
 SNMP Query: UDP/161
Note: This port is route table dependent.

Logging (Outbound)
 Syslog: UDP/20514, TCP/1468
 Secure Syslog: TCP/6514
 SNMP Traps: UDP/162
Note: Default ports are configurable for external logging.

External Identity Sources and Resources (Outbound)
 Admin User Interface and Endpoint Authentications:
o LDAP: TCP/389, 3268, UDP/389
o SMB: TCP/445
o KDC: TCP/88
o KPASS: TCP/464
o WMI: TCP/135
o ODBC (the ports are configurable on the third-party database server): Microsoft SQL: TCP/1433; Sybase: TCP/2638; PostgreSQL: TCP/5432; Oracle: TCP/1512
 NTP: UDP/123
 DNS: UDP/53, TCP/53
Note: For external identity sources and services reachable only through an interface other than Gigabit Ethernet 0, configure static routes accordingly.

Email
 Guest account and user password expiration email notification: SMTP: TCP/25

Smart Licensing
 Connection to the Cisco cloud over TCP/443

Table 2. Ports Used by the Monitoring Nodes

Columns in the original table: Cisco ISE Service; Ports on Gigabit Ethernet 0 or Bond 0; Ports on Other Ethernet Interfaces (Gigabit Ethernet 1 through 5, or Bond 1 and Bond 2). Unless an entry says otherwise, the "Other Ethernet Interfaces" column is "—".

Administration
 HTTP: TCP/80, HTTPS: TCP/443
 SSH Server: TCP/22

Replication and Synchronization
 HTTPS (SOAP): TCP/443
 Oracle DB Listener: TCP/1521 (also listed under Other Ethernet Interfaces)
 Data Synchronization/Replication (JGroups): TCP/12001 (Global)

Monitoring
 Simple Network Management Protocol (SNMP): UDP/161
Note: This port is route table dependent.

Logging
 Syslog: UDP/20514, TCP/1468
 Secure Syslog: TCP/6514
 SMTP: TCP/25 for email of alarms
 SNMP Traps: UDP/162
Note: Default ports are configurable for external logging.

External Identity Sources and Resources (Outbound)
 Admin User Interface and Endpoint Authentications:
o LDAP: TCP/389, 3268, UDP/389
o SMB: TCP/445
o KDC: TCP/88, UDP/88
o KPASS: TCP/464
o WMI: TCP/135
o ODBC (the ports are configurable on the third-party database server): Microsoft SQL: TCP/1433; Sybase: TCP/2638; PostgreSQL: TCP/5432; Oracle: TCP/1512
 NTP: UDP/123
 DNS: UDP/53, TCP/53
Note: For external identity sources and services reachable only through an interface other than Gigabit Ethernet 0, configure static routes accordingly.

Bulk Download for pxGrid
 SSL: TCP/8910

Table 3. Ports Used by the Policy Service Nodes

Columns in the original table: Cisco ISE Service; Ports on Gigabit Ethernet 0 or Bond 0; Ports on Other Ethernet Interfaces, or Bond 1 and Bond 2. Unless an entry says otherwise, the "Other Ethernet Interfaces" column is "—".

Administration
 HTTP: TCP/80, HTTPS: TCP/443
 SSH Server: TCP/22
 OCSP: TCP/2560
Other Ethernet Interfaces: Cisco ISE management is restricted to Gigabit Ethernet 0.

Replication and Synchronization
 HTTPS (SOAP): TCP/443
 Data Synchronization/Replication (JGroups): TCP/12001 (Global)

Clustering (Node Group)
 Node Groups/JGroups: TCP/7800

CA PKI
 TCP/9090

IPSec/ISAKMP
 UDP/500

Device Administration
 TACACS+: TCP/49
Note: This port is configurable in Release 2.1 and later releases.

SXP
 PSN (SXP node) to NADs: TCP/64999
 PSN to SXP (inter-node communication): TCP/443

TC-NAC
 TCP/443

Monitoring
 Simple Network Management Protocol (SNMP): UDP/161
Note: This port is route table dependent.

Logging (Outbound)
 Syslog: UDP/20514, TCP/1468
 Secure Syslog: TCP/6514
 SNMP Traps: UDP/162
Note: Default ports are configurable for external logging.

Session
 RADIUS Authentication: UDP/1645, 1812
 RADIUS Accounting: UDP/1646, 1813
 RADIUS DTLS Authentication/Accounting: UDP/2083
 RADIUS Change of Authorization (CoA) Send: UDP/1700
 RADIUS Change of Authorization (CoA) Listen/Relay: UDP/1700, 3799
Note: UDP port 3799 is not configurable.

External Identity Sources and Resources (Outbound)
 Admin User Interface and Endpoint Authentications:
o LDAP: TCP/389, 3268
o SMB: TCP/445
o KDC: TCP/88
o KPASS: TCP/464
o WMI: TCP/135
o ODBC (the ports are configurable on the third-party database server): Microsoft SQL: TCP/1433; Sybase: TCP/2638; PostgreSQL: TCP/5432; Oracle: TCP/1512
 NTP: UDP/123
 DNS: UDP/53, TCP/53
Note: For external identity sources and services reachable only through an interface other than Gigabit Ethernet 0, configure static routes accordingly.

Passive ID (Inbound)
 TS Agent: TCP/9094
 AD Agent: TCP/9095
 Syslog: UDP/40514, TCP/11468

Web Portal Services (Guest/Web Authentication, Guest Sponsor Portal, My Devices Portal, Client Provisioning, Certificate Provisioning, Blacklisting Portal)
HTTPS (the interface must be enabled for the service in Cisco ISE):
 Blacklist Portal: TCP/8000-8999 (default port is TCP/8444)
 Guest Portal and Client Provisioning: TCP/8000-8999 (default port is TCP/8443)
 Certificate Provisioning Portal: TCP/8000-8999 (default port is TCP/8443)
 My Devices Portal: TCP/8000-8999 (default port is TCP/8443)
 Sponsor Portal: TCP/8000-8999 (default port is TCP/8443)
 SMTP guest notifications from the guest and sponsor portals: TCP/25

Posture (Discovery, Provisioning, Assessment/Heartbeat)
 Discovery (client side): TCP/80 (HTTP), TCP/8905 (HTTPS)
Note: By default, TCP/80 is redirected to TCP/8443. See Web Portal Services: Guest Portal and Client Provisioning. Cisco ISE presents the Admin certificate for Posture and Client Provisioning on TCP port 8905. Cisco ISE presents the Portal certificate on TCP port 8443 (or the port that you have configured for portal use).
 Discovery (Policy Service Node side): TCP/8443, 8905 (HTTPS). From Cisco ISE Release 2.2 or later with AnyConnect Release 4.4 or later, this port is configurable.
 Provisioning - URL Redirection: See Web Portal Services: Guest Portal and Client Provisioning.
 Provisioning - Active-X and Java Applet Install including IP refresh, Web Agent Install, and launch of NAC Agent Install: See Web Portal Services: Guest Portal and Client Provisioning.
 Provisioning - NAC Agent Install: TCP/8443
 Provisioning - NAC Agent Update Notification: UDP/8905
 Provisioning - NAC Agent and Other Package/Module Updates: TCP/8905 (HTTPS)
 Assessment - Posture Negotiation and Agent Reports: TCP/8905 (HTTPS)
 Assessment - PRA/Keep-alive: UDP/8905

Bring Your Own Device (BYOD) / Network Service Protocol (NSP) (Redirection, Provisioning, SCEP)
 Provisioning - URL Redirection: See Web Portal Services: Guest Portal and Client Provisioning.
 For Android devices with EST authentication: TCP/8084. Port 8084 must be added to the Redirect ACL for Android devices.
 Provisioning - Active-X and Java Applet Install (includes the launch of Wizard Install): See Web Portal Services: Guest Portal and Client Provisioning.
 Provisioning - Wizard Install from Cisco ISE (Windows and Mac OS): TCP/8443
 Provisioning - Wizard Install from Google Play (Android): TCP/443
 Provisioning - Supplicant Provisioning Process: TCP/8905
 SCEP Proxy to CA: TCP/80 or TCP/443 (based on the SCEP RA URL configuration)

Mobile Device Management (MDM) API Integration
 URL Redirection: See Web Portal Services: Guest Portal and Client Provisioning.
 API: vendor specific
 Agent Install and Device Registration: vendor specific

Profiling
 NetFlow: UDP/9996 (this port is configurable)
 DHCP: UDP/67 (this port is configurable)
 DHCP SPAN Probe: UDP/68
 HTTP: TCP/80, 8080
 DNS: UDP/53 (lookup); this port is route table dependent
 SNMP Query: UDP/161; this port is route table dependent
 SNMP Trap: UDP/162 (this port is configurable)

4. Configuring High Availability


In a high availability configuration, the primary Administration ISE node is in the active state to
which all configuration changes are made. The secondary Administration ISE node is in the
standby state and will receive all configuration updates from the primary Administration ISE
node. Therefore, it will always have a complete copy of the configuration from the primary
Administration ISE node.

When the primary Administration ISE node becomes unavailable, you must log in to the secondary
Administration ISE node and promote it to primary. Unless automatic failover for the Administration
node has been explicitly enabled in the deployment settings, there is no automatic failover for the
Administration ISE node.

Configuring High Availability

 Choose Administration > System > Deployment.
 Select the node and click Edit.
 In the Edit Node page, click the Promote to Primary button.
 Click Save.
 In the Deployment Nodes page, click Register.
 Fill in the details of the standby node:
o Host FQDN (the name of the standby node must be resolvable in the DNS server)
o Username
o Password
 Click Next.

5. Join the Active Directory


Cisco ISE supports multiple joins to Active Directory domains. Cisco ISE supports up to 50 Active
Directory joins. Cisco ISE can connect with multiple Active Directory domains that do not have a
two-way trust or have zero trust between them. Active Directory multi-domain join comprises a
set of distinct Active Directory domains with their own groups, attributes, and authorization
policies for each join.

5.1. Prerequisites for Integrating Active Directory and Cisco ISE


The following are the prerequisites to integrate Active Directory with Cisco ISE.

 Use the Network Time Protocol (NTP) server settings to synchronize the time between the
Cisco ISE server and Active Directory. You can configure NTP settings from Cisco ISE CLI.
 If your Active Directory structure has multidomain forest or is divided into multiple forests,
ensure that trust relationships exist between the domain to which Cisco ISE is connected
and the other domains that have user and machine information to which you need access.
For more information on establishing trust relationships, refer to Microsoft Active
Directory documentation.
 You must have at least one global catalog server operational and accessible by Cisco ISE,
in the domain to which you are joining Cisco ISE.

Network Ports That Must Be Open for Communication

Protocol            Port (remote-local)                          Target                               Authenticated                   Notes
DNS (TCP/UDP)       Random number greater than or equal to 49152 DNS Servers/AD Domain Controllers    No                              —
MSRPC               445                                          Domain Controllers                   Yes                             —
Kerberos (TCP/UDP)  88                                           Domain Controllers                   Yes (Kerberos)                  MS AD
LDAP (TCP/UDP)      389                                          Domain Controllers                   Yes                             —
LDAP (GC)           3268                                         Global Catalog Servers               Yes                             —
NTP                 123                                          NTP Servers/Domain Controllers       No                              —
IPC                 80                                           Other ISE Nodes in the Deployment    Yes (Using RBAC credentials)    —

5.2. Add an Active Directory Join Point and Join Cisco ISE Node to the Join Point
Procedure

 Choose Administration > Identity Management > External Identity Sources > Active Directory.
 Click Add and enter the domain name and identity store name.
 Click Submit.
A pop-up appears asking if you want to join the newly created join point to the domain. Click Yes if you want to join immediately.
Saving the configuration saves the Active Directory domain configuration globally (in the primary and secondary policy service nodes), but none of the Cisco ISE nodes are joined to the domain yet.
 Check the check box next to the relevant Cisco ISE nodes and click Join to join the Cisco ISE node to the Active Directory domain.
 Enter the username and password of an Active Directory account that is allowed to create the machine account in the target container. Because this credential is typed into ISE, prefer an account delegated only that right over a domain administrator account.
 Click OK.

5.3. Configure Active Directory User Groups


You must configure Active Directory user groups for them to be available for use in authorization
policies. Internally, Cisco ISE uses security identifiers (SIDs) to help resolve group name ambiguity
issues and to enhance group mappings. SID provides accurate group assignment matching.

Procedure

 Choose Administration > Identity Management > External Identity Sources > Active Directory and select the join point.
 Click the Groups tab.
 Choose Add > Select Groups from Directory to choose an existing group. Do not use double quotes (") in the group name.
 When selecting groups manually, you can search for them using a filter. For example, enter admin* as the filter criteria and click Retrieve Groups to view the user groups whose names begin with admin. You can also enter the asterisk (*) wildcard character alone to list all groups. Only 500 groups are retrieved at a time.
 Check the check boxes next to the groups that you want to be available for use in authorization policies and click OK.
 Click Save.

6. Manage Network Devices


Cisco ISE supports the default device definition for RADIUS and TACACS authentications.

6.1. Network Device Profile


Cisco ISE supports third-party network access devices (NADs) through the use of network device profiles.
These profiles define the capabilities that Cisco ISE uses to enable flows such as Guest, BYOD, MAB, and
Posture.

Procedure

1. Choose Administration > Network Resources > Network Device Profiles.
2. Click Add.
3. Enter a name and description for the network device profile.
4. Select the vendor of the network device.
5. Check the check boxes for the protocols that the device supports.
6. Click Submit.

6.2. Network Access Devices


Cisco ISE is a policy server. In industry standard terms, ISE is the policy administration point (the
Administration node) and the policy decision point (the Policy Service Node, PSN). The policy enforcement
point is the network access device (NAD). The NAD is the device that applies the actual access control to the
endpoint.

Adding a Network Access Device

 Administration > Network Resources > Network Devices > Add

6.3. Network Device Groups


Cisco ISE allows you to create hierarchical Network Device Groups (NDGs). NDGs can be used to logically
group network devices based on various criteria, such as geographic location, device type, or the relative
place in the network (Access Layer, Data Centre, and so on). For example, to organize your network devices
based on geographic location, you can group them by continent, region, or country:

 Africa -> Southern -> Namibia


 Africa -> Southern -> South Africa
 Africa -> Southern -> Botswana

You can also group the network devices based on the device type:

 Africa -> Southern -> Botswana -> Firewalls


 Africa -> Southern -> Botswana -> Routers
 Africa -> Southern -> Botswana -> Switches

There is no limit on the maximum number of NDGs that can be created. You can create up to 6 levels of
hierarchy (including the parent group) for the NDGs.

Create a Network Device Group

 Administration > Network Resources > Network Device Groups > Add

7. Device Administration - Authorization Policy Results


ISE administrators can use the TACACS+ command sets and TACACS+ profiles (policy results) to exercise
control over the privileges and commands that are granted to a device administrator. The policy works in
conjunction with the network devices and thereby prevents accidental or malicious configuration changes
that may be done. In the event such changes occur, you can use the device administration audit reports to
track the device administrator who has executed a particular command.

7.1. TACACS+ Command Sets


Command sets enforce the specified list of commands that can be executed by a device administrator.
When a device administrator issues operational commands on a network device, ISE is queried to determine
whether the administrator is authorized to issue these commands. This is also referred to as command
authorization.
7.1.1. Wildcards and Regex in Command Sets

A command line comprises the command and zero or more arguments. When Cisco ISE receives a
command line (request), it handles the command and its arguments in different ways:

 It matches the command in the request with the commands specified in the command set
list using the wildcard matching paradigm.
Example: Sh?? or S*
 It matches the arguments in the request with the arguments specified in the command set
list using the regular expression (regex) matching paradigm.
Example: Show interface[1-4] port[1-9]:tty.*

7.1.2. Command Line and Command Set List Match


To match a requested command line to a command set list containing wildcards and regex:

1. Iterate over the command set list to detect matching commands.

Wildcard matching permits:

o Case insensitivity
o Any character in the command in the command set may be "?", which matches any single character that must exist in the requested command
o Any character in the command in the command set may be "*", which matches zero or more characters in the requested command

Examples:

Request   Command Set   Matches   Comments
show      show          Y         —
show      SHOW          Y         Case insensitive
show      Sh??          Y         Each "?" matches one character
show      Sho??         N         The second "?" requires a fifth character, which the request does not have
show      S*            Y         "*" matches any characters
show      S*w           Y         "*" matches the characters "ho"
show      S*p           N         The request does not end in "p"

2. For each matching command, Cisco ISE validates the arguments.

The command set list includes a space-delimited set of arguments for each command.

Example: Show interface[1-4] port[1-9]:tty.*

This command has two arguments:

o Argument 1: interface[1-4]
o Argument 2: port[1-9]:tty.*

The command arguments in the request are taken in the position-significant order in which they appear in
the packet. If all the arguments in the command definition match the arguments in the request, the
command/argument pair is said to be matched. Any extraneous arguments in the request are ignored.

7.1.3. Process Rules with Multiple Command Sets


 If a command set contains a match for the command and its arguments, and the match has Deny
Always, ISE designates the command set as Commandset-DenyAlways.
 If there is no Deny Always for a command match in a command set, ISE checks all the commands in
the command set sequentially for the first match.
o If the first match has Permit, ISE designates the command set as Commandset-Permit.
o If the first match has Deny, ISE designates the command set as Commandset-Deny.
 After ISE has analyzed all the command sets, it authorizes the command:
o If ISE designated any command set as Commandset-DenyAlways, ISE denies the command.
o If there is no Commandset-DenyAlways, ISE permits the command if any command set is
Commandset-Permit; otherwise, ISE denies the command. The only exception is when the
Unmatched check box is checked.
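The matching rules of 7.1.1 to 7.1.3 can be written down as a small evaluator, which is the easiest way to check what a given combination of command sets will actually grant. The following Python code is an added example written for this guide, not Cisco ISE code; the dataclass names, the sample command sets (cmd_Sys_Admin, cmd_Audit_Guard, cmd_HDesk_show) and the sample command lines are assumptions constructed for illustration. It implements case-insensitive wildcard matching of the command, position-significant regex matching of the arguments with extra arguments ignored, and the Deny Always / first-match / Unmatched designation logic across several command sets.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Grant values, named as in the ISE command set editor.
PERMIT, DENY, DENY_ALWAYS = "Permit", "Deny", "Deny Always"


@dataclass
class CommandRule:
    grant: str            # PERMIT, DENY or DENY_ALWAYS
    command: str          # wildcard pattern: "?" = one character, "*" = zero or more
    arguments: str = ""   # space-delimited regexes, one per argument position


@dataclass
class CommandSet:
    name: str
    rules: List[CommandRule]
    permit_unmatched: bool = False  # "Permit any command that is not listed below"


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate the command wildcard syntax into an anchored, case-insensitive regex.
    Every character other than ? and * is escaped, so the command part is never
    interpreted as a regex (only the arguments are)."""
    parts = ["." if ch == "?" else ".*" if ch == "*" else re.escape(ch) for ch in pattern]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def command_matches(pattern: str, requested: str) -> bool:
    return wildcard_to_regex(pattern).match(requested) is not None


def arguments_match(arg_patterns: str, requested_args: List[str]) -> bool:
    """Each configured argument regex must fully match the request argument in the
    same position (case-sensitive). A request with fewer arguments than the rule
    does not match; extra trailing arguments in the request are ignored."""
    patterns = arg_patterns.split()
    if len(requested_args) < len(patterns):
        return False
    return all(re.fullmatch(p, a) is not None for p, a in zip(patterns, requested_args))


def rule_matches(rule: CommandRule, command_line: str) -> bool:
    parts = command_line.split()
    return (bool(parts)
            and command_matches(rule.command, parts[0])
            and arguments_match(rule.arguments, parts[1:]))


def designate(cs: CommandSet, command_line: str) -> Optional[str]:
    """Classify one command set for a command line in the order ISE applies:
    Deny Always on any matching rule wins; otherwise the first matching rule
    decides; otherwise the Unmatched check box (if set) permits."""
    matches = [r for r in cs.rules if rule_matches(r, command_line)]
    if any(r.grant == DENY_ALWAYS for r in matches):
        return "Commandset-DenyAlways"
    if matches:
        return "Commandset-Permit" if matches[0].grant == PERMIT else "Commandset-Deny"
    return "Commandset-Permit" if cs.permit_unmatched else None


def authorize(command_sets: List[CommandSet], command_line: str) -> bool:
    """Final decision across all command sets attached to one authorization rule:
    any DenyAlways denies; otherwise any Permit permits; otherwise deny."""
    designations = [designate(cs, command_line) for cs in command_sets]
    if "Commandset-DenyAlways" in designations:
        return False
    return "Commandset-Permit" in designations


# Constructed sample command sets using the grants from 7.1.4 (names are assumed).
CMD_SYS_ADMIN = CommandSet("cmd_Sys_Admin", [
    CommandRule(PERMIT, "show"),
    CommandRule(PERMIT, "con*", "terminal"),
    CommandRule(DENY, "mtrace"),
])
CMD_AUDIT_GUARD = CommandSet("cmd_Audit_Guard", [
    CommandRule(DENY_ALWAYS, "clear", "auditlogs"),
], permit_unmatched=True)
CMD_HDESK_SHOW = CommandSet("cmd_HDesk_show", [
    CommandRule(PERMIT, "Show", "interface[1-4] port[1-9]:tty.*"),
])

if __name__ == "__main__":
    for line in ("configure terminal", "clear auditlogs", "mtrace 10.0.0.1",
                 "SHOW running-config", "configure memory"):
        print(f"{line!r:24} -> {authorize([CMD_SYS_ADMIN, CMD_AUDIT_GUARD], line)}")
```

Two results from the sample run are worth noticing before building real command sets. "configure memory" is permitted even though cmd_Sys_Admin only permits con* with the argument terminal, because cmd_Audit_Guard has the Unmatched check box set and any Commandset-Permit is enough; an Unmatched permit on one attached command set therefore opens every command that no other set explicitly denies with Deny Always. Conversely "clear auditlogs" is denied regardless of what the other sets say, which is exactly what Deny Always is for.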

7.1.4. Create TACACS+ Command Sets


 Choose Work Centers > Device Administration > Policy Results > TACACS Command Sets.
 Click Add.
 Enter a name and description.
 Click Add to specify the Grant permission, Command, and Argument.
 In the Grant drop-down, choose one of the following:
o Permit: allow the specified command (for example, permit show; permit con* with the argument terminal).
o Deny: deny the specified command (for example, deny mtrace).
o Deny Always: override a command that has been permitted in any other command set (for example, clear auditlogs).
Note: Click the action icon to increase or decrease the column width of the Grant, Command, and Argument fields.
 Check the Permit any command that is not listed below check box to allow commands and arguments that are not specified as Permit, Deny or Deny Always in the Grant column.

7.2. TACACS+ Profile


TACACS+ profiles control the initial login session of the device administrator. A session refers to each
individual authentication, authorization, or accounting request. A session authorization request to a
network device elicits an ISE response. The response includes a token that is interpreted by the network
device, which limits the commands that may be executed for the duration of a session. The authorization
policy for a device administration access service can contain a single shell profile and multiple command
sets. The TACACS+ profile definitions are split into two components:

 Common tasks
 Custom attributes

There are two views in the TACACS+ Profiles page (Work Centers > Device Administration > Policy
Elements > Results > TACACS Profiles)—Task Attribute View and Raw View. Common tasks can be entered
using the Task Attribute View and custom attributes can be created in the Task Attribute View as well as
the Raw View.

The Common Tasks section allows you to select and configure the frequently used attributes for a profile.
The attributes that are included here are those defined by the TACACS+ protocol draft specifications.
However, the values can be used in the authorization of requests from other services. In the Task Attribute
View, the ISE administrator can set the privileges that will be assigned to the device administrator. The
common task types are:

 Shell
 WLC
 Nexus
 Generic

The Custom Attributes section allows you to configure additional attributes. It provides a list of attributes
that are not recognized by the Common Tasks section. Each definition consists of the attribute name, an
indication of whether the attribute is mandatory or optional, and the value for the attribute. In the Raw
View, mandatory attributes are entered with an equals sign (=) between the attribute name and its value,
and optional attributes are entered with an asterisk (*) between the attribute name and its value. The
attributes entered in the Raw View are reflected in the Custom Attributes section of the Task Attribute View
and vice versa. The Raw View is also used to paste an attribute list (for example, another product's attribute
list) from the clipboard into ISE. Custom attributes can be defined for non-shell services.

For more detail: Common Tasks Settings
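The Raw View syntax above (name=value for mandatory, name*value for optional) follows the TACACS+ attribute-value encoding, in which the first "=" or "*" in the string is the separator and everything after it, including further "=" characters, is the value. The following Python parser and serializer is an added example written for this guide, not Cisco ISE code; the sample attribute text is constructed, and the custom-attr line in it exists only to show the first-separator rule.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class TacacsAttribute:
    name: str
    value: str
    mandatory: bool  # True for "name=value", False for "name*value"


def parse_raw_view(text: str) -> List[TacacsAttribute]:
    """Parse Raw View text, one attribute per line.

    The separator is the first '=' or '*' in the line, as in the TACACS+
    attribute-value encoding, so a value may itself contain '=' or '*'.
    Blank lines are skipped. A line with no separator raises instead of being
    silently dropped, because a dropped mandatory attribute changes what the
    device administrator is granted.
    """
    attrs = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        idx = next((i for i, ch in enumerate(line) if ch in "=*"), -1)
        if idx <= 0:  # no separator, or an empty attribute name
            raise ValueError(f"line {lineno}: expected name=value or name*value, got {line!r}")
        name, sep, value = line[:idx].strip(), line[idx], line[idx + 1:].strip()
        attrs.append(TacacsAttribute(name, value, mandatory=(sep == "=")))
    return attrs


def to_raw_view(attrs: List[TacacsAttribute]) -> str:
    """Serialize back to Raw View text, one attribute per line."""
    return "\n".join(f"{a.name}{'=' if a.mandatory else '*'}{a.value}" for a in attrs)


def privilege_level(attrs: List[TacacsAttribute]) -> int:
    """Return the priv-lvl a Shell profile hands to the device, or 0 if it is not set."""
    for a in attrs:
        if a.name == "priv-lvl":
            return int(a.value)
    return 0


# Constructed sample of what an administrator might paste into the Raw View.
SAMPLE_RAW_VIEW = """\
priv-lvl=15
shell:roles*network-admin
custom-attr=key=value
"""

if __name__ == "__main__":
    for attr in parse_raw_view(SAMPLE_RAW_VIEW):
        kind = "mandatory" if attr.mandatory else "optional"
        print(f"{attr.name:12} {kind:9} {attr.value}")
```

The distinction matters on the device side: a network device that cannot honour a mandatory attribute treats the authorization as failed, whereas an optional attribute it does not understand is simply ignored. So a profile that must enforce something (a privilege level, a role) should carry it as mandatory, and splitting on every "=" rather than the first one would corrupt exactly those values.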

7.2.1. Create TACACS+ Profiles


Step 1 Choose Work Centers > Device Administration > Policy Elements > Results > TACACS Profiles.

Step 2 Click Add.

Step 3 In the TACACS Profile section, enter a name and description.

Step 4 In the Task Attribute View tab, check the required Common Tasks. Refer to the Common Tasks
Settings page.
Step 5 In the Task Attribute View tab, in the Custom Attributes section, click Add to enter the required
attributes.

8. Device Administration Policy Sets


Authorization determines which users can access the network and its resources, and what each user can do
with those resources once connected. Cisco ISE expresses these permissions as sets of policy results and lets
you create several different authorization policies to suit your network needs.

Before you begin

 Ensure that the Enable Device Admin Service check box in the Administration > System > Deployment > Edit Node > General Settings page is checked.
 Ensure that the User Identity Group for internal or external users (for example, System_Admin, Helpdesk) is created:
o Work Centers > Device Administration > User Identity Groups page
o Work Centers > Device Administration > Ext ID Resources page
 Configure the TACACS settings on the devices that are to be administered (Work Centers > Device Administration > Network Resources > Network Devices > Add > TACACS Authentication Settings check box enabled), and make sure the shared secret configured in ISE and on the device are identical so that the device can query ISE. The shared secret is the only key protecting the TACACS+ packet body on TCP/49, so use a strong secret that is unique per device or device group and restrict TCP/49 to the management network.
 Ensure that the Network Device Group, based on Device Type and Location, is created (Work Centers > Device Administration > Network Device Groups page).

8.1. Create Device Administration Policy Sets


Step 1 Choose Work Centers > Device Administration > Device Admin Policy Sets.
Step 2 In the left pane, select a current policy set above (below) which the new policy set is to be added.
Step 3 In the left pane, click Create Above to create a new policy set.
Step 4 Click Edit and enter the Name, Description, and Condition, (for example, Name:
Device_Admin_Policy_1, Description: ISE administrator, Conditions: DEVICE: Device Type EQUALS
Device Type#All Device Types #Cisco_switches) to configure the rules based on the condition.
Step 5 Click Done.
Step 6 Create the required Authentication policy, (for example, Name: ATN_Internal_Users, Rule: if
DEVICE:Location EQUALS Location #All Locations#Europe, Condition: Allow Protocols:
Device_Admin_protocols and Default: Use Internal Users—The policy matches only devices that are
in location Europe, allows protocols that are defined under device admin protocols, and
authenticates against the internal users).
Step 7 Create the required Authorization Policy.

Example 1: Rule Name: Sys_Admin_rule, Conditions: if SysAdmin AND TACACS User EQUALS ABC then
cmd_Sys_Admin AND Profile_priv_8. The policy matches system administrators with user name ABC,
allows the commands in cmd_Sys_Admin to be executed, and assigns a privilege level of 8.

Example 2: Conditions: if HelpDesk AND TACACS User EQUALS XYZ then cmd_HDesk_show AND
cmd_HDesk_ping AND Profile_priv_1. The policy matches help desk users with user name XYZ, allows the
show and ping commands in those command sets to be executed, and assigns a privilege level of 1.

In the above examples:

 The command sets cmd_Sys_Admin, cmd_HDesk_show and cmd_HDesk_ping are created in the Work Centers >
Device Administration > Policy Elements > Results > TACACS Command Sets > Add page.
 The TACACS profiles Profile_priv_1 and Profile_priv_8 are created in the Work Centers >
Device Administration > Policy Elements > Results > TACACS Profiles > Add page.

Note: It is recommended that the policy results are created before the policy set, so that they are readily
available when selecting the authorization results.

Step 8 Click Submit to create the new policy set.
