Configure ISE as an External Authentication for Catalyst SD-WAN GUI

Use Cisco ISE as a TACACS+ server to enable role‑based GUI authentication and authorization for Catalyst SD‑WAN (vManage).

Overview

Purpose: Enable role‑based GUI access to Catalyst SD‑WAN (vManage) by using ISE as an external TACACS+ authentication and authorization source.
Scope: Configuration tasks on vManage and on ISE Device Administration (TACACS+) to map ISE user groups to SD‑WAN GUI roles.


Key considerations

  • Protocol: TACACS+ is required for role‑based GUI access.
  • Role mapping: Decide whether to use vManage default roles or create custom roles (for example, super-admin and readonly).
  • ISE services: Ensure the Device Admin Service is enabled on the ISE Policy Service Node (PSN).
  • Shared secret: Plan and securely store the TACACS+ shared secret used between vManage and ISE.
  • Testing: Validate changes in a lab or maintenance window to avoid accidental lockouts.

Prerequisites

  • Administrative access to vManage and to ISE with privileges to modify Device Administration and Policy elements.
  • Familiarity with TACACS+, ISE Device Administration, and Catalyst SD‑WAN administration.
  • Backup of current configurations and a scheduled maintenance window for production changes.

vManage Configuration

Create or confirm roles

  • Optional: Create custom roles in vManage under Administration > Users and Access > Roles (e.g., super-admin, readonly).
  • Note: Ensure role names match the intended authorization mapping from ISE.

Configure TACACS+ server settings

  • Define TACACS+ server: Add ISE as an external authentication server on vManage (IP address, port, and shared secret).
  • Apply server to GUI authentication: Configure vManage to use the external TACACS+ server for GUI administration authentication.

ISE Configuration

Enable Device Admin Service

  • On the ISE PSN node, enable the Device Admin Service so TACACS+ authentication and authorization are available.

Add SD‑WAN device as a Network Device

  • Create a Network Device entry: Add the vManage (or SD‑WAN device) with its IP address and enable TACACS+ settings.
  • Set shared secret: Configure the same TACACS+ shared secret used on vManage.

Create TACACS+ Profiles

  • TACACS Profiles: Create profiles that represent the SD‑WAN GUI roles (for example, Catalyst_SDWAN_Admin, Catalyst_SDWAN_ReadOnly). These profiles define the shell/privilege level and command sets returned to vManage.

Create User Identity Groups and Users

  • User groups: Create user identity groups (for example, Super_Admin_Group, ReadOnly_Group).
  • Add users: Add or link users to the appropriate groups or external identity sources (LDAP/AD) as required.

Configure Authentication and Authorization Policies

  • Authentication policy: Create rules that authenticate SD‑WAN GUI users using the appropriate identity source.
  • Authorization policy: Map user groups to TACACS+ profiles so that authenticated users receive the correct role and privileges on vManage.

Optional: Device Admin Policy Set

  • Create a Device Admin Policy Set targeted to the SD‑WAN device type or network device entry to scope authentication and authorization rules.

Verification

  • vManage user sessions: Confirm external users and assigned roles appear in vManage under Administration > Users and Access > User Sessions.
  • ISE TACACS Live Logs: Use ISE live logs to validate TACACS+ authentication and authorization transactions and to troubleshoot failures.
  • Test accounts: Log in with test accounts from each mapped group to verify role enforcement and GUI access levels.

Troubleshooting

  • Shared secret mismatch: Verify the TACACS+ shared secret is identical on both vManage and ISE.
  • Device entry settings: Confirm the vManage IP is correctly entered as a Network Device in ISE and TACACS+ is enabled for that entry.
  • Policy ordering: Ensure authentication and authorization rules in ISE are ordered correctly so the intended rule matches first.
  • Live logs: Use ISE TACACS Live Logs to inspect authentication and authorization requests and responses.
  • Role mapping errors: If users authenticate but receive incorrect privileges, review TACACS+ profile mappings and shell/command sets assigned in ISE.
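Why a shared-secret mismatch between vManage and ISE shows up as unreadable TACACS+ traffic rather than a clean "wrong password" failure, as an added example that is not from this article, Cisco ISE or vManage: it models the RFC 8907 body obfuscation and a minimal authorization REPLY parser. The session id, both secrets and the `priv-lvl=15` attribute are constructed sample values; the attribute vManage actually reads for role assignment is not covered on this page.

```python
# Added example (not from the original article or from Cisco): models the TACACS+
# body obfuscation from RFC 8907 section 4.5 to show why a shared-secret mismatch
# between vManage and ISE surfaces as garbled packets. All values are constructed.
import hashlib
import struct

# Authorization REPLY status codes from RFC 8907 section 6.2
AUTHOR_STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL", 0x11: "ERROR", 0x21: "FOLLOW"}


def tacacs_pad(secret: bytes, session_id: int, version: int, seq_no: int, length: int) -> bytes:
    """Keystream: MD5 chained over session_id | secret | version | seq_no | previous digest."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + secret + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, secret: bytes, session_id: int, version: int = 0xC0, seq_no: int = 2) -> bytes:
    """XOR the body with the pad; the same call reverses it. This is obfuscation, not encryption."""
    return bytes(b ^ p for b, p in zip(body, tacacs_pad(secret, session_id, version, seq_no, len(body))))


def build_author_reply(status: int, args: list[str]) -> bytes:
    """Authorization REPLY body: status, arg_cnt, server_msg_len, data_len, arg_lens, args."""
    encoded = [a.encode() for a in args]
    return bytes([status, len(encoded)]) + struct.pack("!HH", 0, 0) + bytes(len(a) for a in encoded) + b"".join(encoded)


def parse_author_reply(body: bytes):
    """Return (status_name, args) if the body is well formed, else None (what a mismatched secret yields)."""
    if len(body) < 6 or body[0] not in AUTHOR_STATUS:
        return None
    arg_cnt = body[1]
    server_msg_len, data_len = struct.unpack("!HH", body[2:6])
    arg_lens = body[6:6 + arg_cnt]
    if len(arg_lens) != arg_cnt:
        return None
    pos = 6 + arg_cnt + server_msg_len + data_len
    if pos + sum(arg_lens) != len(body):
        return None
    args = []
    for n in arg_lens:
        args.append(body[pos:pos + n].decode("ascii", "replace"))
        pos += n
    return AUTHOR_STATUS[body[0]], args


def demo():
    """Constructed scenario: ISE returns priv-lvl=15; vManage holds either the right or a mistyped secret."""
    session_id = 0x5A5A1234                                  # constructed session id
    ise_secret = b"example-shared-secret"                    # constructed, not a real secret
    reply = build_author_reply(0x01, ["priv-lvl=15"])        # standard attribute used as a stand-in for the role
    wire = obfuscate(reply, ise_secret, session_id)
    good = parse_author_reply(obfuscate(wire, ise_secret, session_id))        # matching secret
    bad = parse_author_reply(obfuscate(wire, b"typo-shared-secret", session_id))  # mismatched secret
    return good, bad
```

Because the keystream is only MD5 over the secret and packet header, the shared secret should be long and random and the vManage-to-ISE path should be on a trusted management network.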

Best practices

  • Test all changes in a lab environment before applying to production.
  • Use descriptive names for TACACS+ profiles and user groups to simplify troubleshooting.
  • Maintain a secure record of shared secrets and rotate them according to your security policy.
  • Implement a fallback local admin account on vManage in case external authentication becomes unavailable.

Change log

  • Created: Initial conversion for HubSpot Knowledge Base.
  • Recommended update cadence: Review annually or when upgrading ISE or Catalyst SD‑WAN versions.