
In today’s fast-paced world, where organizations are constantly faced with security threats and changing technologies, the role of Cisco Identity Services Engine (ISE) is more important than ever. ISE plays a crucial role in enabling organizations to secure their networks and data by providing a comprehensive solution for identity and access management.
In this blog, we will discuss the configuration of device administration using the Identity Services Engine [ISE]. As you know, a network device can be configured by CLI or GUI. The network device is used to perform hundreds of operations in order to fulfill the business requirements of a customer. We can control access to a network device in terms of who can access the device and what they are allowed to do on it.
What is ISE?
Identity Service Engine is a software-based platform offered by Cisco. It is mainly used to control network access and policy enforcement systems. It functions as a centralized policy engine that enables endpoint access control and network device administration for enterprise networks. Cisco is making continuous improvements to ISE, and the latest version of ISE is 2.6.
Device Administration
The network device can be accessed through the CLI and GUI in order to make the required configurations on it. A network is managed by a number of network administrators, each with different responsibilities and roles. Device administration is the process of controlling the access to a network device.
Device administration involves three actions:
Authentication -> the process of verifying the identity of a user.
Authorization -> the process of defining the level of control the user has.
Accounting -> the process of keeping records of the user's activities.
Together, these are known as AAA.
There are two types of AAA: Local and Remote. Let’s look into them in this blog.
Local AAA
The network device can be configured to perform the AAA functions locally. Authentication can be performed using a common password or with different usernames. Authorization can be performed using the privilege level or parser view.
Accounting cannot be done locally on the device.
In a separate blog, I will go over how to configure Local AAA.
Remote AAA
Network devices can be configured to go to a centralized box offering AAA functions. The Access Control System [ACS] is a software-based solution developed by Cisco for providing AAA functions. Nowadays, we are using a very advanced AAA server developed by Cisco known as the Identity Service Engine [ISE].
The main difference between ACS and ISE is shown in the table below:
Let’s see the configuration.
I will be using the following diagram.
SSH CONFIGURATION
IP CONFIGURATION
AAA CONFIGURATION
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE none
aaa authorization config-commands
aaa authorization exec default group tacacs+
aaa authorization commands 10 LVL_10 group tacacs+
TACACS+ SERVER CONFIGURATION
tacacs server TACACS
address ipv4 192.168.11.100
key cisco
exit
NOTE: The key is the shared secret used to authenticate the network device to the AAA server; it must match the one configured on the ISE server.
VTY LINE CONFIGURATION
line vty 0 4
authorization commands 10 LVL_10
login authentication default
authorization exec default
transport input ssh
exit
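The method lists referenced under line vty only work if each one is defined globally under aaa and the named TACACS+ server exists with a key, which is easy to get wrong when typing the commands above. The following added example (not code from the original post) is a small Python linter that takes the router-side configuration shown above as constructed sample input and reports any line vty reference without a matching aaa definition, a missing aaa new-model, or a TACACS+ server without a shared secret.

```python
import re

# Constructed sample (not from the post): the router-side AAA configuration
# described above, in IOS syntax with every command in its proper order.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE none
aaa authorization config-commands
aaa authorization exec default group tacacs+
aaa authorization commands 10 LVL_10 group tacacs+
tacacs server TACACS
 address ipv4 192.168.11.100
 key cisco
line vty 0 4
 authorization commands 10 LVL_10
 login authentication default
 authorization exec default
 transport input ssh
"""
# Method-list kind -> (global 'aaa' definition, matching 'line vty' reference).
LISTS = {
    "login": (r"aaa authentication login (\S+)", r"login authentication (\S+)"),
    "exec": (r"aaa authorization exec (\S+)", r"authorization exec (\S+)"),
    "commands": (r"aaa authorization commands (\d+ \S+)", r"authorization commands (\d+ \S+)"),
}
def lint_aaa(config):
    """Return findings as strings; an empty list means the config is consistent."""
    findings, defined, used, in_vty = [], set(), [], False
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):            # a top-level command ends any sub-mode
            in_vty = line.startswith("line vty")
        for kind, (define_rx, use_rx) in LISTS.items():
            if m := re.match(define_rx, line):
                defined.add((kind, m.group(1)))
            elif in_vty and (m := re.match(use_rx, line)):
                used.append((kind, m.group(1)))
    if "aaa new-model" not in config.splitlines():
        findings.append("aaa new-model missing: no AAA command takes effect")
    for kind, name in used:                    # every vty reference needs a definition
        if (kind, name) not in defined:
            findings.append(f"line vty uses undefined {kind} list '{name}'")
    if "group tacacs+" in config:              # a TACACS+ method needs a server and a key
        if not re.search(r"^tacacs server \S+", config, re.M):
            findings.append("group tacacs+ used but no tacacs server defined")
        elif not re.search(r"^\s+key \S+", config, re.M):
            findings.append("tacacs server has no key (shared secret)")
    return findings
```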
ISE CONFIGURATION
Step 1: Enable device administration on ISE
Administration > System > Deployment > Deployment Nodes
Step 2: Create identities on ISE [Internal/External]
In this deployment, I have created a user on ISE internally.
Administration > System > Identity Management > Identity > Users
You can assign this user to a group if you want. Please don’t forget to submit the configuration.
Step 3: Create network devices and network device groups
Administration > System > Network Resources > Network Devices > Add
ISE 2.3 supports 10,000 network device groups, with group names of up to 32 characters. I am adding the router to the ISE server. Assign a name, an IP address and the TACACS authentication settings. Please ensure that the shared secret on the network device and on the ISE server is the same, or authentication will fail.
Step 4: Create a TACACS profile
A TACACS profile allows you to define the minimum and maximum privilege level, along with additional attributes such as ACL, auto-command, timeout, idle timeout, etc.
Work Centers > Device Administration > Policy Elements > TACACS profiles
TACACS profile common task types:
Shell -> IOS-XE devices
WLC -> Wireless Controller
Nexus -> Nexus devices
Generic -> non-Cisco devices
Please don’t forget to submit the configuration.
Step 5: Define a command set for the TACACS profile
Work Centers > Device Administration > Policy Elements > TACACS Command Sets
If you check the option to permit any command that is not listed, all commands will be allowed.
Step 6: Define a policy set for device administration
Work Centers > Device Administration > Policy Elements > Device Admin Policy Sets
Click on “Authentication Policy” and choose “Internal Users.”
Click on “Authorization Policy”:
Define a rule name and click on {+}.
Dictionary > Internal User > name
Set the condition Username EQUALS TEST and save.
Assign a command set and a policy set, and save.
TEST
Step 1: Go to the router and enable AAA debugging.
debug aaa authentication
debug aaa authorization
Step 2: From the desktop, open an SSH session to the router.
Step 3: Check the debug output on the router.
You can also check the logs on the ISE.
Operations > TACACS > Live Logs
Steps followed by ISE
Conclusion
The role of Cisco Identity Services Engine (ISE) in the fast-paced world is critical in enabling organizations to secure their networks, manage a rapidly growing number of devices, adapt quickly to changing technologies and security threats, and manage their networks more efficiently. With its comprehensive solution for identity and access management, ISE helps organizations stay ahead of the curve in a constantly changing and challenging environment.
Cisco ISE Course is a great way to advance your networking knowledge and career. If you’re interested in learning Cisco ISE, Ns3Edu is the right place for you. We provide a comprehensive overview of Cisco ISE, as well as the skills and knowledge necessary to pass Cisco ISE Certification exam.
NS3Edu has a world-class team of certified trainers and advanced lab. Our training includes onsite and online instruction, study guides, practice tests and real-time practice on OEM devices that enhance students’ analytical abilities.
Make the most of your potential with the Cisco ISE Course!
Are you ready to get started?
Visit our website 🌐 : https://ns3edu.com/
We offer a wide range of programs so feel free to contact us at +91 88 000 111 38 or [email protected].