📌 Ensure the following services are properly configured before deploying Cisco ISE
- ✅ Forward Lookup Zone configured
- ✅ Reverse Lookup Zone configured
- ✅ ISE must resolve its own FQDN
- 💡 AD-integrated DNS is recommended
- Hostname: ise.local.lab
- IP Address: 10.100.10.2
- Test: nslookup ise.local.lab
⏱️ Time synchronization is critical
- All systems must match:
  - Cisco ISE
  - Active Directory
  - Network Devices
- Clock drift between them leads to:
  - ❌ Authentication failures
  - ❌ Domain join issues
  - ❌ Certificate problems
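As an added example (not part of the original guide), a small Python pre-flight check for the DNS and time prerequisites above: it verifies that the ISE FQDN resolves to the expected address, that the reverse zone maps that address back to the same name, and that the clocks reported by ISE, AD and the network devices stay within Kerberos' 5-minute tolerance. The injectable resolver functions and the clock values are assumptions so the check can be exercised offline.

```python
import socket

# Values from the lab guide: ISE hostname and address.
ISE_FQDN = "ise.local.lab"
ISE_IP = "10.100.10.2"
# Kerberos rejects requests whose timestamp is more than 5 minutes off the
# KDC clock, so that bound is used for the domain-join time check.
MAX_SKEW_SECONDS = 300


def _forward(name):
    """Forward (A record) lookup through the OS resolver."""
    return socket.gethostbyname(name)


def _reverse(ip):
    """Reverse (PTR) lookup through the OS resolver; returns the canonical name."""
    return socket.gethostbyaddr(ip)[0]


def check_dns(fqdn=ISE_FQDN, expected_ip=ISE_IP, forward=_forward, reverse=_reverse):
    """Return a list of problems with forward/reverse resolution (empty list = OK).

    `forward` and `reverse` are injectable (assumption for offline use) so the
    logic can run against constructed answers without a live DNS server."""
    problems = []
    try:
        ip = forward(fqdn)
    except OSError as exc:
        return [f"forward lookup of {fqdn} failed ({exc}): forward zone missing?"]
    if ip != expected_ip:
        problems.append(f"{fqdn} resolves to {ip}, expected {expected_ip}")
    try:
        name = reverse(expected_ip)
    except OSError as exc:
        problems.append(f"reverse lookup of {expected_ip} failed ({exc}): reverse zone missing?")
        return problems
    # Tolerate a trailing dot and case differences in the PTR answer.
    if name.rstrip(".").lower() != fqdn.lower():
        problems.append(f"PTR for {expected_ip} is {name}, not {fqdn}")
    return problems


def check_clock_skew(clocks, max_skew=MAX_SKEW_SECONDS):
    """clocks maps a system name (ISE, AD, switch, ...) to the epoch time it reports.
    Returns (a, b, skew) for every pair of systems further apart than max_skew."""
    names = list(clocks)
    return [(a, b, abs(clocks[a] - clocks[b]))
            for i, a in enumerate(names) for b in names[i + 1:]
            if abs(clocks[a] - clocks[b]) > max_skew]
```

Run `check_dns()` with the default resolvers on a host that uses the lab DNS server, and feed `check_clock_skew` the times read from `show clock` on the devices and from ISE and the domain controller.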
🏢 Active Directory
⚠️ Optional, but strongly recommended for this lab
Required for:
- 🔐 802.1X authentication
- 📡 MAB (MAC Authentication Bypass)
- 🌐 VPN authentication
🔗 ISE must be able to:
- Join the domain
- Query users/groups
Follow this video to install Cisco ISE on Proxmox: 👉 https://www.youtube.com/watch?v=ZtiXCOCgFgs
⚠️ If these are not met, installation may fail or be unstable
- 🧠 CPU: 4 vCPU
- 🧠 RAM: 16 GB
- 💾 Disk: 300 GB
Log in to Cisco ISE and navigate to:
Administration > System > Deployment
Select the ISE node (typically only one in a lab setup).
Under General Settings, enable Device Admin Service, then click Save.
💡 This service allows administrative access to network devices (switches, routers, etc.) using TACACS+.
Go to:
Administration > Identity Management > Identities → Click Add
Under Network Access User:
- 🧾 Enter username
- 🔑 Set Password Type to Internal Users
- 🔒 Define password
- 👥 Under User Groups, select ALL_ACCOUNTS (default)
Click Submit
💡 For this lab, an IT group will be created and used instead.
Navigate to:
Administration > Identity Management > External Identity Sources
Select Active Directory → Click Add
Enter:
- 🏷️ Join Point Name (any name)
- 🌐 Active Directory Domain
Click Submit → Confirm Yes
Enter credentials with sufficient privileges on the Domain Controller.
Click OK
Verify the status shows ✅ Operational
Navigate to:
Work Centers > Device Administration > Policy Elements > Results > TACACS Profiles
Click Add
Create the following profiles:
- 📡 WLC_ADMIN_PROFILE
- 🛡️ ROUTER_ADMIN_PROFILE
- 🔌 SWITCH_ADMIN_PROFILE
For each profile:
- ⚙️ Select Shell Profile
- 🔓 Enable Default Privilege = 15
For the WLC profile only, add a custom attribute:
- Type: OPTIONAL
- Name: role1
- Value: ALL
Click Save
Go to:
Administration > Network Resources > Network Device Groups
Click Add
- 🏷️ Name: (e.g., WLC, ROUTER, SWITCH)
- 📂 Parent Group: All Device Types
Click Save
Navigate to:
Work Centers > Device Administration > Device Admin Policy Sets
Click +
- 🏷️ Policy Name: Network_Admin_Access
- Open Condition Studio
- Select OR
- Click NEW three times
- Configure one condition per device group (WLC, ROUTER, SWITCH):
  DEVICE:Device Type EQUALS All Device Types#<Group>
- Click Use
- 🔑 Allowed Protocols: Default Device Admin
Click Save
Expand the created policy:
- Set Use = Internal Users
Create 3 rules:
- 📡 WLC → WLC_ADMIN_PROFILE
- 🛡️ Router → ROUTER_ADMIN_PROFILE
- 🔌 Switch → SWITCH_ADMIN_PROFILE
Click Save
Go to:
Administration > Network Resources > Network Devices
Click Add
Enter:
- 🏷️ Hostname
- 🌐 IP Address
- 📍 Location (optional)
- 🗂️ Device Type
Scroll down:
- ✅ Enable TACACS Authentication Settings
- 🔐 Enter Shared Secret
Click Save
Repeat for all:
- 🛡️ Routers
- 🔌 Switches
- 📡 WLC
⚠️ For WLC: Configure both RADIUS (client auth) and TACACS (admin access)
Go to:
Administration > Identity Management > Identity Source Sequences
Click Add
- 🏷️ Name the sequence
- ➕ Add to Authentication Search List:
  - 👤 Internal Users
  - 🏢 AD-Lab
Click Save
Go to:
Policy > Policy Sets
Open Default Policy
- Apply the created sequence to:
- 📱 MAB
- 🔐 Dot1X
Click Save
💡 This allows users to authenticate via both local and Active Directory accounts.
This lab covers:
- 🔐 Enabling TACACS+ on Cisco ISE
- 🏢 Integrating Active Directory
- 📁 Creating admin profiles
- 📜 Defining policy sets
- 🖥️ Adding network devices
- 🔄 Configuring authentication flows