ISE Device Administration
AAA Authentication Function
When a device sends an authentication request to the AAA server, the TACACS+ protocol works behind the scenes and provides the Authentication, Authorization and Accounting functions for that device. The figure below shows how TACACS+ performs the authenticate-once, authorize-many function, such as access to the router CLI, the command sequences used on that device, etc.
Device Administration in ISE
To enable TACACS+ on ISE, we need a single license called Device Admin. It is a single license that is applied to the entire ISE cube and is valid for the maximum number of network devices.
The figure below shows that the Device Admin license is enabled.
To learn the deployment models of TACACS+, the list below shows which model is best for your organization.
Now we will see how these deployments are done and what ISE architecture relates to each environment.
In a large deployment, it is best to use different ISE cubes for Network Access and Device Administration.
The figure below shows two different ISE cubes: Cube 1 is used for TACACS+ and Cube 2 is used for RADIUS. The PAN and MnT nodes are also dedicated.
In a medium deployment, you should use only one ISE cube with two dedicated sets of PSNs for Network Access and Device Administration. Here one set of PSNs is responsible for RADIUS traffic and the other is used for TACACS+. In case of disaster, you can choose to send the RADIUS traffic to the PSN handling TACACS+, or vice versa.
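The authenticate-once, authorize-many behaviour and the medium-deployment failover described above map to separate AAA method lists and a two-member server group on the network device. The following Cisco IOS configuration is an added example, not taken from the original page; the server names, the 192.0.2.x addresses and the key are placeholders, and it assumes the backup PSN also accepts TACACS+ requests.

```cisco
! Added example: device-side AAA pointing at two ISE PSNs (names/addresses are placeholders)
aaa new-model
!
! Primary: the PSN dedicated to Device Administration (TACACS+)
tacacs server ISE-PSN-TACACS
 address ipv4 192.0.2.10
 key <SHARED-SECRET>
 timeout 5
!
! Backup: the PSN that normally serves RADIUS, used only if the primary is down
tacacs server ISE-PSN-RADIUS
 address ipv4 192.0.2.20
 key <SHARED-SECRET>
 timeout 5
!
! Servers are tried in the order listed
aaa group server tacacs+ ISE-DEVICE-ADMIN
 server name ISE-PSN-TACACS
 server name ISE-PSN-RADIUS
!
! Authenticate once: the login is checked a single time per session
aaa authentication login default group ISE-DEVICE-ADMIN local
!
! Authorize many: the shell and then every command are authorized separately
aaa authorization exec default group ISE-DEVICE-ADMIN local
aaa authorization commands 1 default group ISE-DEVICE-ADMIN local
aaa authorization commands 15 default group ISE-DEVICE-ADMIN local
aaa authorization config-commands
!
! Accounting: record session start/stop and each privileged command
aaa accounting exec default start-stop group ISE-DEVICE-ADMIN
aaa accounting commands 15 default start-stop group ISE-DEVICE-ADMIN
```

The trailing `local` method keeps a local account usable when neither PSN answers, so keep at least one local administrator defined before applying the method lists.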
In a small deployment, a single small cube is used, or you can use one single standalone ISE node that performs all functions. In this model, all PSNs handle all types of traffic (TACACS+ and RADIUS).
How to Enable TACACS+ in ISE
To enable TACACS+ in ISE, you must have the Device Administration license. Below are the steps used to enable TACACS+ in ISE.