Day 92 – Cisco ISE Mastery Training: Customizing TACACS+ Shell Profiles


Introduction

In Cisco ISE Device Administration (TACACS+), the Shell Profile decides the execution context an admin receives at login: the privilege level, the role(s), and any vendor-specific attributes the device needs to shape the session. If Command Sets are your surgical allow/deny blades, Shell Profiles are the gravity wells that pull a user into the correct universe (IOS-XE priv-lvl, NX-OS shell:roles, the ASA privilege model, 9800 WLC CLI/GUI roles, etc.).

Today we’ll build platform-specific, reusable, and auditable Shell Profiles and bind them into Authorization Rules so your admins land with the right privilege/role, every time—across mixed fleets (Catalyst IOS-XE, NX-OS, ASA/FTD console, 9800 WLC).


Problem Statement

  • One size doesn’t fit all: IOS-XE cares about priv-lvl, NX-OS requires shell:roles, ASA has its own privilege tiers; returning the wrong attribute = wrong access.
  • Role drift & inconsistency: AD group “NetOps-Admin” should map to equivalent power on all platforms, but default Shell Profiles don’t translate automatically.
  • Audit & compliance: Auditors expect deterministic, human-readable mapping “AD Group → Role/Priv → Command Guardrails”.
  • Operational risk: Mis-mapped Shell Profiles cause over-privileged admins (dangerous) or under-privileged staff (tickets, delays).

Solution Overview

  • Use separate Shell Profiles per platform + role (e.g., SP-IOSXE-ADMIN, SP-NXOS-OPERATOR, SP-ASA-ADMIN).
  • Return native attributes:
    • IOS-XE / classic IOS / 9800 WLC CLI → priv-lvl=1…15. The Shell Profile's Default Privilege / Maximum Privilege common tasks emit this attribute; the cisco-av-pair wrapper belongs to RADIUS, not to TACACS+ shell authorization.
    • NX-OS → shell:roles=network-admin or network-operator. Multiple roles are space-separated inside one quoted value (shell:roles="network-admin vdc-admin"); NX-OS accepts the attribute as mandatory (shell:roles=) or optional (shell:roles*).
    • ASA → priv-lvl=1…15. The ASA applies it only with aaa authorization exec authentication-server configured; per-command control needs aaa authorization command as well.
  • Bind Shell Profiles with Authorization Rules using AD group + Network Device Group (NDG:Device Type) so the right attributes reach the right device family. A device that receives a mandatory attribute it does not understand fails the authorization outright, so never let an NX-OS profile match an IOS-XE device.
  • Pair with Command Sets for least-privilege command control + Accounting for per-command audit.

Sample Lab Topology

Platform: VMware (ISE PAN/MnT + PSN), EVE-NG (NADs), Windows 10 Admin VM.
Nodes (example):

  • ISE PAN/MnT/PSN: 10.10.10.10 (PAN/MnT), 10.10.10.11 (PSN Device Admin)
  • Catalyst 9300 (IOS-XE): 10.10.30.30
  • NX-OS vSwitch: 10.10.30.50
  • 9800-CL WLC (IOS-XE): 10.10.30.40
  • ASA (optional): 10.10.30.60
  • AD/LDAP: 10.10.20.20
  • Admin PC: 10.10.40.10

AD Groups:

  • NetOps-Admin (Full admin)
  • NetOps-NOC (Operator)
  • NetOps-RO (Read-only)

Topology Diagram :


Step GUI Configuration Guide (with CLI + validation)

A) Enable Device Admin & Add NADs

  1. Enable Device Administration
    • Work Centers → Device Administration → Overview → Deployment: tick the Device Admin Service on the PSN(s) that will answer TACACS+ (10.10.10.11 here). The service needs a Device Admin license.
    • [Screenshot: ISE Device Administration enablement]
  2. Add Network Device Groups (NDG)
    • Work Centers → Device Administration → Network Resources → Network Device Groups
    • Create Device Type values IOSXE, NXOS, ASA, WLC and a Location value LAB. The Authorization Rules below key on Device Type, so name these deliberately.
    • [Screenshot: NDG Creation]
  3. Add NADs
    • Work Centers → Device Administration → Network Resources → Network Devices → Add → set Name, IP, NDG:Device Type and Location, then tick TACACS Authentication Settings and enter the shared secret. The secret must match the key configured on the device exactly; a mismatch shows up as a decryption failure, not as a policy miss.
    • [Screenshot: Add Network Device with TACACS settings]

B) Identity Source Sequence (AD→Internal fallback)

  1. Create ISS
    • Administration → Identity Management → Identity Source Sequences → Add
    • Name: ISS-AD-Internal → Order: Active Directory then Internal Users.
    • [Screenshot: ISS Config]

C) Build Shell Profiles (per platform + role)

Why split by platform? Each family honors different attributes: IOS-XE keys on priv-lvl and NX-OS on shell:roles. Worse than being ignored, an attribute a device does not recognize and that ISE marks Mandatory causes the device to fail the exec authorization (TACACS+ clients must reject unknown mandatory arguments), so an NX-OS profile sent to a Catalyst locks the admin out. Keep one profile per device family and match it on NDG:Device Type.

  1. IOS-XE Shell Profiles
    • Work Centers → Device Administration → Policy Elements → Results → TACACS Profiles → Add
    • SP-IOSXE-ADMIN
      • Common Tasks → Default Privilege: 15 (this sends priv-lvl=15; a Custom Attribute priv-lvl=15 is redundant but harmless)
    • SP-IOSXE-NOC
      • Default Privilege: 7 (priv-lvl=7; configure terminal is a level-15 command by default, so either move it with privilege exec level 7 configure terminal on the device or accept that the Command Set, not the level, defines what NOC can do)
    • SP-IOSXE-RO
      • Default Privilege: 1 (priv-lvl=1)
    • [Screenshot: Shell Profile – IOS-XE Admin]
  2. NX-OS Shell Profiles
    • SP-NXOS-ADMIN
      • Custom Attributes: shell:roles = network-admin (Type Mandatory or Optional; NX-OS accepts both)
    • SP-NXOS-OPERATOR
      • shell:roles = network-operator
    • SP-NXOS-RO
      • shell:roles = network-operator (NX-OS's built-in read-only role; pair with CS-RO so show-only is enforced at command level as well)
    • [Screenshot: Shell Profile – NX-OS Admin]
  3. ASA Shell Profiles (if using ASA)
    • SP-ASA-ADMIN → priv-lvl = 15
    • SP-ASA-OPERATOR → priv-lvl = 7
    • SP-ASA-RO → priv-lvl = 1
    • [Screenshot: Shell Profile – ASA Admin]
  4. (Optional) WLC/IOS-XE GUI alignment
    • For the 9800-CL, CLI access uses IOS-XE priv-lvl, so the SP-IOSXE-* profiles apply unchanged. Keep the privilege consistent between CLI and GUI for a given AD group, and rely on Command Sets to govern changes made over the CLI.
    • [Screenshot: Shell Profile – WLC Operator]
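What the device actually receives from these profiles is a TACACS+ authorization REPLY whose arguments carry the attributes above, each flagged mandatory (=) or optional (*). The Python below is an added example, not ISE or Cisco code: it builds the exec-shell REQUEST a NAD sends right after login, applies the RFC 8907 MD5 obfuscation with the shared secret, and parses constructed SP-NXOS-ADMIN and SP-IOSXE-ADMIN style REPLYs back into attributes. The session id, port, key and both replies are constructed here, not captured from the lab.

```python
"""Minimal TACACS+ (RFC 8907) authorization REQUEST builder and REPLY parser.

Added example, not Cisco or ISE code. It shows what a NAD receives from ISE
after a Shell Profile is applied: the attribute-value pairs, and whether each
is mandatory ('=') or optional ('*'). The session id, key and the sample
replies are constructed for the demo.
"""
import hashlib
import struct

TAC_PLUS_VER = 0xC0              # major version 0xC, minor 0
TAC_PLUS_AUTHOR = 0x02           # packet type: authorization
AUTHEN_METH_TACACSPLUS = 0x06
AUTHEN_TYPE_ASCII = 0x01
AUTHEN_SVC_LOGIN = 0x01
REPLY_STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL",
                0x11: "ERROR", 0x21: "FOLLOW"}


def _pad(session_id: int, key: bytes, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5 pseudo-pad: MD5 chained over session id, key,
    version and sequence number."""
    base = struct.pack("!I", session_id) + key + bytes([TAC_PLUS_VER, seq_no])
    out, prev = b"", b""
    while len(out) < length:
        prev = hashlib.md5(base + prev).digest()
        out += prev
    return out[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, seq_no: int) -> bytes:
    """XOR the body with the pad; the same call encrypts and decrypts."""
    return bytes(b ^ p for b, p in zip(body, _pad(session_id, key, seq_no, len(body))))


def _header(seq_no: int, session_id: int, body_len: int) -> bytes:
    return struct.pack("!BBBBII", TAC_PLUS_VER, TAC_PLUS_AUTHOR, seq_no, 0, session_id, body_len)


def build_author_request(user: str, port: str, rem_addr: str, args: list,
                         priv_lvl: int, session_id: int, key: bytes) -> bytes:
    """Authorization REQUEST (seq_no 1), e.g. args ['service=shell', 'cmd*']
    for the exec-shell request a NAD sends right after login."""
    u, p, r, a = user.encode(), port.encode(), rem_addr.encode(), [x.encode() for x in args]
    body = struct.pack("!BBBBBBBB", AUTHEN_METH_TACACSPLUS, priv_lvl, AUTHEN_TYPE_ASCII,
                       AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(a))
    body += bytes(len(x) for x in a) + u + p + r + b"".join(a)
    return _header(1, session_id, len(body)) + obfuscate(body, session_id, key, 1)


def build_author_reply(status: int, args: list, session_id: int, key: bytes,
                       server_msg: str = "") -> bytes:
    """Authorization REPLY (seq_no 2) as a server would send it; used here to
    construct ISE-style answers for the parser."""
    a, m = [x.encode() for x in args], server_msg.encode()
    body = struct.pack("!BBHH", status, len(a), len(m), 0)
    body += bytes(len(x) for x in a) + m + b"".join(a)
    return _header(2, session_id, len(body)) + obfuscate(body, session_id, key, 2)


def parse_author_reply(packet: bytes, key: bytes) -> dict:
    """Decrypt a REPLY and split each argument into (name, value, mandatory).
    A NAD must fail the authorization when it receives a mandatory attribute
    it does not understand (RFC 8907 section 6.1); that is the failure mode
    behind sending shell:roles= to an IOS-XE box."""
    ver, ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    if ver != TAC_PLUS_VER or ptype != TAC_PLUS_AUTHOR or len(packet) != 12 + length:
        raise ValueError("not a well-formed TACACS+ authorization packet")
    body = obfuscate(packet[12:], session_id, key, seq_no)
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    arg_lens, pos = body[6:6 + arg_cnt], 6 + arg_cnt
    server_msg = body[pos:pos + msg_len].decode(errors="replace")
    pos += msg_len + data_len
    attrs = []
    for n in arg_lens:
        raw = body[pos:pos + n].decode(errors="replace")
        pos += n
        # the first '=' or '*' separates name from value; '=' marks it mandatory
        sep = min((i for i in (raw.find("="), raw.find("*")) if i >= 0), default=len(raw))
        attrs.append((raw[:sep], raw[sep + 1:], raw[sep:sep + 1] != "*"))
    return {"status": REPLY_STATUS.get(status, hex(status)), "server_msg": server_msg, "attrs": attrs}


def demo(session_id: int = 0x1234ABCD, key: bytes = b"TACACS-KEY-123") -> tuple:
    """Exec-shell request from the Cat9K, then the replies SP-NXOS-ADMIN and
    SP-IOSXE-ADMIN would produce, parsed back into attributes."""
    req = build_author_request("netops.admin", "tty2", "10.10.40.10",
                               ["service=shell", "cmd*"], 1, session_id, key)
    nxos = parse_author_reply(build_author_reply(0x01, ["shell:roles*network-admin"], session_id, key), key)
    iosxe = parse_author_reply(build_author_reply(0x01, ["priv-lvl=15"], session_id, key), key)
    return req, nxos, iosxe


if __name__ == "__main__":
    _, nxos, iosxe = demo()
    print("NX-OS reply :", nxos)
    print("IOS-XE reply:", iosxe)
```

Parsing a reply with the wrong key yields garbage attributes rather than an error, which is exactly what a shared-secret mismatch looks like on the wire and why it surfaces as a decryption failure instead of a policy miss. The mandatory flag in the parsed tuples is the bit to watch when a profile is reused across device families.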

D) Command Sets (complement Shell Profiles)

  1. Work Centers → Device Administration → Policy Elements → Results → TACACS Command Sets → Add
    • Each row is Grant (Permit / Deny / Deny Always) + Command + Arguments (a regex); the "Permit any command that is not listed below" box is the per-set default. The device expands abbreviations before asking ISE, so a user typing conf t is authorized as command configure with argument terminal.
    • CS-RO → Permit show .*, ping .*, traceroute .*; Deny configure, write, reload, debug, clear; leave "permit any command not listed" unchecked.
    • CS-NOC → the CS-RO permits + Permit configure ^terminal$, interface ^\S+$, description .*; Deny Always the high-risk commands (reload, erase, license, crypto, username …).
    • CS-ADMIN → tick "Permit any command that is not listed below" and add Deny Always reload as a guardrail.
    • [Screenshot: Command Set – RO/NOC/ADMIN]

E) Device Admin Policy Set

  1. Create Policy Set
    • Work Centers → Device Administration → Policy Sets → Add
    • Name: PS-DeviceAdmin
    • Condition: Protocol == TACACS (optionally AND NDG:Location == LAB)
    • Allowed Protocols: Default Device Admin
    • Identity Source (Authentication Policy): ISS-AD-Internal
    • [Screenshot: Policy Set Conditions]
  2. Authorization Rules (order matters; first match wins)
    • Rule 1: If NDG:Device Type == IOSXE AND AD-Group CONTAINS NetOps-Admin → Shell Profile SP-IOSXE-ADMIN + Command Set CS-ADMIN
    • Rule 2: If NDG:Device Type == IOSXE AND AD-Group CONTAINS NetOps-NOC → SP-IOSXE-NOC + CS-NOC
    • Rule 3: If NDG:Device Type == IOSXE AND AD-Group CONTAINS NetOps-RO → SP-IOSXE-RO + CS-RO
    • Repeat the three rules for NXOS and ASA with the platform-specific Shell Profiles. A user in more than one group gets the first rule that matches, so keep Admin above NOC above RO.
    • Default rule: leave the built-in DenyAllShellProfile + DenyAllCommands, so an unmatched admin gets nothing rather than priv 1.
    • [Screenshot: Authorization Rules Matrix]
  3. Accounting
    • Accounting is driven by the device (aaa accounting exec / commands), not by the Policy Set; ISE records whatever the device sends. Review it under Operations → Reports → Device Administration → TACACS Accounting.
    • [Screenshot: TACACS Accounting report]

F) NAD (device) CLI & validation

IOS-XE (Cat9K)

conf t
aaa new-model
!
tacacs server ISE1
 address ipv4 10.10.10.11
 key TACACS-KEY-123
!
aaa group server tacacs+ ISE_TACACS
 server name ISE1
!
! use the interface whose address is registered as the NAD in ISE
ip tacacs source-interface <MGMT_INTERFACE>
!
! named method lists; "local" fallback only works because of the breakglass user below
aaa authentication login VTY_AUTH group ISE_TACACS local
aaa authorization exec  VTY_AUTHZ group ISE_TACACS local
! Command Sets are consulted only for the levels listed here; add
! "aaa authorization commands 1 ..." if CS-RO must govern level-1 commands,
! and then permit housekeeping commands (terminal, exit, logout) in the set
aaa authorization commands 15 VTY_CMDS group ISE_TACACS local
aaa accounting exec       VTY_ACCT start-stop group ISE_TACACS
aaa accounting commands 15 VTY_CMDS_ACCT start-stop group ISE_TACACS
!
! a named method list does nothing until it is applied to the line
line vty 0 4
 login authentication VTY_AUTH
 authorization exec VTY_AUTHZ
 authorization commands 15 VTY_CMDS
 accounting exec VTY_ACCT
 accounting commands 15 VTY_CMDS_ACCT
 transport input ssh
!
username breakglass privilege 15 secret <STRONG_LOCAL>
end
write mem

Validate (IOS-XE):

! tests authentication only; exec and command authorization are tested by logging in
test aaa group ISE_TACACS netops.ro <password> legacy
show aaa servers
show tacacs
terminal monitor
debug tacacs authorization
debug tacacs events
! now SSH in as the test user from the Admin PC and, in that session:
show privilege
! back in the debugging session, once the priv-lvl has been seen in the output:
undebug all

NX-OS

conf t
feature tacacs+
tacacs-server host 10.10.10.11 key TACACS-KEY-123
aaa group server tacacs+ ISE_TACACS
  server 10.10.10.11
aaa authentication login default group ISE_TACACS local
aaa authorization commands default group ISE_TACACS local
aaa authorization config-commands default group ISE_TACACS local
aaa accounting default group ISE_TACACS
exit
show tacacs-server
show role
show accounting log

Expect ISE to return shell:roles=network-admin or network-operator per rule. NX-OS authorizes exec-mode and config-mode commands through separate lists, hence the config-commands line; without it CS-NOC/CS-RO never see configuration commands. A TACACS+ user for whom ISE returns no shell:roles lands in the switch's default role (network-operator unless aaa user default-role has been changed), which is why a missing attribute looks like "read-only" rather than like a failure.

ASA (optional)

aaa-server ISE-TACACS protocol tacacs+
aaa-server ISE-TACACS (mgmt) host 10.10.10.11 key TACACS-KEY-123
aaa authentication ssh console ISE-TACACS LOCAL
aaa authentication enable console ISE-TACACS LOCAL
! take the privilege level from ISE's priv-lvl; without this line the Shell Profile is ignored
aaa authorization exec authentication-server
aaa authorization command ISE-TACACS LOCAL
aaa accounting command ISE-TACACS
show aaa-server
show curpriv

Expect ISE to return priv-lvl based on the Shell Profile; the ASA applies it through exec authorization and then performs per-command authorization against the Command Set.

G) End-to-End Test Matrix (execute & tick)

Test | Device | User (AD Group)      | Expected Shell                  | Quick CLI Check                       | ISE Validation
-----|--------|----------------------|---------------------------------|---------------------------------------|--------------------------------
1    | IOS-XE | netops.ro (RO)       | priv-lvl=1                      | show privilege → 1; conf t denied     | Live Logs: SP-IOSXE-RO + CS-RO
2    | IOS-XE | netops.noc (NOC)     | priv-lvl=7                      | conf t OK; reload denied              | SP-IOSXE-NOC + CS-NOC
3    | IOS-XE | netops.admin (Admin) | priv-lvl=15                     | conf t OK; copy run start OK          | SP-IOSXE-ADMIN + CS-ADMIN
4    | NX-OS  | netops.ro            | shell:roles=network-operator    | limited cmds; show role               | SP-NXOS-RO
5    | NX-OS  | netops.admin         | shell:roles=network-admin       | full cmds; guardrails deny reload     | SP-NXOS-ADMIN
6    | ASA    | netops.ro            | priv-lvl=1                      | show curpriv → 1; config denied       | SP-ASA-RO
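Before the matrix is run against real switches, the Command Set regexes from section D can be checked offline. The Python below is an added example, not ISE code, and its evaluation order (Deny Always first, then the first matching row top-down, then the set's permit-unlisted switch) is my reading of ISE's behaviour, stated as an assumption in the code; the command names and argument regexes are the ones from section D, and the matrix rows are constructed from the section G expectations.

```python
"""Offline evaluator for ISE-style TACACS+ Command Sets.

Added example, not ISE code. ASSUMPTION about ISE's evaluation order, stated
here because the page does not spell it out: a matching 'Deny Always' row
wins over everything, otherwise the first matching Permit/Deny row top-down
decides, otherwise the set's 'permit any command that is not listed' switch.
The device expands abbreviations before asking ISE, so 'conf t' arrives as
command 'configure' with argument 'terminal'.
"""
import re
from dataclasses import dataclass


@dataclass
class Rule:
    grant: str          # "PERMIT", "DENY" or "DENY_ALWAYS"
    command: str        # exact command keyword as the NAD sends it
    args: str = ".*"    # regex matched against the full argument string


@dataclass
class CommandSet:
    name: str
    rules: list
    permit_unlisted: bool = False   # the "Permit any command that is not listed below" box

    def evaluate(self, cmdline: str) -> tuple:
        """Return (decision, reason) for one command-authorization request."""
        cmd, _, args = cmdline.strip().partition(" ")
        matching = [r for r in self.rules
                    if r.command == cmd and re.fullmatch(r.args, args)]
        for r in matching:
            if r.grant == "DENY_ALWAYS":
                return "DENY", f"{self.name}: deny-always {r.command}"
        if matching:
            r = matching[0]
            decision = "PERMIT" if r.grant == "PERMIT" else "DENY"
            return decision, f"{self.name}: {r.grant} {r.command} /{r.args}/"
        if self.permit_unlisted:
            return "PERMIT", f"{self.name}: unlisted command permitted"
        return "DENY", f"{self.name}: unlisted command denied"


# the three sets from section D
RO_PERMITS = [Rule("PERMIT", c) for c in ("show", "ping", "traceroute")]
CS_RO = CommandSet("CS-RO", RO_PERMITS + [
    Rule("DENY", c) for c in ("configure", "write", "reload", "debug", "clear")])
CS_NOC = CommandSet("CS-NOC", RO_PERMITS + [
    Rule("PERMIT", "configure", r"terminal"),
    Rule("PERMIT", "interface", r"\S+"),
    Rule("PERMIT", "description", r".*"),
] + [Rule("DENY_ALWAYS", c) for c in ("reload", "erase", "license", "crypto", "username")])
CS_ADMIN = CommandSet("CS-ADMIN", [Rule("DENY_ALWAYS", "reload")], permit_unlisted=True)
SETS = {s.name: s for s in (CS_RO, CS_NOC, CS_ADMIN)}

# expected decisions built from the section G matrix; constructed input, not
# captured from a device
MATRIX = [
    ("CS-RO", "show running-config", "PERMIT"),
    ("CS-RO", "ping 10.10.10.11", "PERMIT"),
    ("CS-RO", "configure terminal", "DENY"),
    ("CS-NOC", "configure terminal", "PERMIT"),
    ("CS-NOC", "interface GigabitEthernet1/0/1", "PERMIT"),
    ("CS-NOC", "description uplink to core", "PERMIT"),
    ("CS-NOC", "reload", "DENY"),
    ("CS-NOC", "username evil privilege 15 secret x", "DENY"),
    ("CS-ADMIN", "copy running-config startup-config", "PERMIT"),
    ("CS-ADMIN", "reload", "DENY"),
]


def run_matrix(cases: list) -> list:
    """Return the rows whose decision differs from the expected column; an
    empty list means the regexes satisfy the matrix."""
    failures = []
    for set_name, cmdline, expected in cases:
        got, why = SETS[set_name].evaluate(cmdline)
        if got != expected:
            failures.append((set_name, cmdline, expected, got, why))
    return failures


if __name__ == "__main__":
    bad = run_matrix(MATRIX)
    for row in bad:
        print("MISMATCH", row)
    print("matrix ok" if not bad else f"{len(bad)} mismatch(es)")
```

Two things the matrix alone does not show fall out of this: CS-NOC denies interface range Gi1/0/1 - 4 because ^\S+$ allows a single token only, and CS-RO denies terminal length 0 because nothing in the set permits it. The second case is why turning on aaa authorization commands 1 on the Catalyst without adding housekeeping permits (terminal, exit, logout) to CS-RO produces a flood of "Command authorization failed" tickets.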

Troubleshooting:

1. Common Issues & Fixes

Issue | Symptom | Root Cause | Fix / Validation
------|---------|------------|-----------------
Shell Profile not applied | User logs in but gets the default privilege level (1) instead of the configured one | Shell Profile not bound to the matching Authorization Rule | Work Centers → Device Administration → Policy Sets → open the rule → set the Shell Profile in the Results column. Validate with [Screenshot: ISE Policy Set Shell Profile Mapping].
Wrong privilege level (e.g., 1 instead of 15) | User logged into the router/switch only gets basic commands | Wrong priv-lvl in the Shell Profile (Default Privilege left at 1) | Edit the Shell Profile → Default Privilege 15 (or Custom Attribute priv-lvl=15) → Save and re-test. CLI: debug tacacs authorization on the switch shows the returned priv-lvl.
Authorization passed but commands denied | User logs in, but certain commands are rejected | Shell Profile sets the login level, but no Command Set (or the wrong one) is bound to the rule, or the device authorizes a command level the set does not permit | Verify the Command Set in ISE and bind it to the same Authorization Rule as the Shell Profile; check that the device's aaa authorization commands <level> lines match what the set is meant to govern.
Duplicate Shell Profiles in ISE | Two profiles with similar names confuse the mapping | Misconfigured duplicates in the GUI | Delete the duplicates and re-select the correct profile in the rule.
ISE Live Logs show "Authorization failed" | User login rejected | Policy conditions mismatch (AD group, NDG, user attribute) | Operations → TACACS → Live Logs → open the entry and compare its matched conditions with the rule. CLI: show aaa sessions on the switch.
Device not sending TACACS+ requests | No entries in ISE Live Logs | Device AAA config missing TACACS+, wrong key, or the method list never applied to the line | Check the device: aaa new-model; tacacs server <NAME> with address ipv4 <ISE-IP> and key <KEY>; aaa authentication login <list> group <GROUP> local; login authentication <list> under line vty.
ISE Policy Set not triggered | No hit in the TACACS+ Policy Set | Device IP (or its TACACS source-interface address) not in Network Devices, or the TACACS+ shared secret is missing/mismatched | Work Centers → Device Administration → Network Resources → Network Devices: confirm the IP and the TACACS+ shared secret.
Users from AD not matched | Login rejected | AD join issue | Administration → Identity Management → External Identity Sources → Active Directory → Test Join, then Test User for the failing account.
ISE down, fallback not working | Device refuses login instead of falling back to local accounts | AAA method lists have no local fallback, or no local privileged user exists | On the device: aaa authentication login <list> group <GROUP> local (plus the exec/command authorization lists) and a local privilege-15 user.
Slow logins | TACACS+ login takes several seconds | Latency, an unreachable first server in the group, or DNS issues on ISE | ping <ISE-IP> from the device, check show tacacs for dead servers and timeouts, use the PSN closest to the device.

2. CLI Debug Commands (on Network Device)

Run these on IOS / IOS-XE devices (NX-OS uses debug tacacs+ all, the ASA uses debug tacacs); turn them off with undebug all when done:

debug aaa authentication
debug aaa authorization
debug tacacs

Look for lines showing:

  • Which TACACS+ server was queried
  • Privilege level returned (priv-lvl=15)
  • Command authorization result (Permit/Deny)

3. ISE Log Validation

Path:
Operations > TACACS > Live Logs

Check:

  • User identity (AD/local)
  • Device IP
  • Policy Set hit
  • Authorization result (Permit/Deny)
  • Shell Profile name applied

4. Step-by-Step Troubleshooting Flow

  1. Verify AAA on Device
    • Ensure TACACS+ servers configured correctly
    • Test fallback with local user
  2. Check ISE Live Logs
    • Does the request reach ISE? If not → AAA issue
    • If yes, check Policy hit & Authorization profile
  3. Validate Shell Profile Mapping
    • Is Shell Profile assigned in the correct Authorization Rule?
  4. Validate Attributes
    • Inside Shell Profile, ensure priv-lvl=15 or custom attributes are correctly set.
  5. Re-test Login & Commands
    • Login with test user
    • Run privileged commands (show run, conf t)
    • Confirm authorization passes

5. Quick Lab Validation Checklist

  • TACACS+ configured on device with correct key
  • Device registered in ISE under Network Devices
  • User account exists (AD/Local)
  • Shell Profile created & mapped to Policy Set
  • Command Sets applied if needed
  • Logs confirm privilege level returned

FAQs – Customizing TACACS+ Shell Profiles

1. What is the role of a Shell Profile in TACACS+ with Cisco ISE?

Answer:
A Shell Profile defines what privilege level (0–15) and what custom attributes a user receives when they log into a network device. Without it, users may only get basic access (priv-level 1).

  • Example: A Shell Profile can grant priv-lvl=15 to a Network Admin group, while a Helpdesk group may only get priv-lvl=5.

Validation:

  • GUI: Work Centers → Device Administration → Policy Elements → Results → TACACS Profiles → open the profile and check its attributes.
  • CLI: Log in with the user and run show privilege.

2. How do Shell Profiles differ from Command Sets in ISE?

Answer:

  • Shell Profiles: Decide the privilege level and session attributes (environment variables).
  • Command Sets: Define what commands are permitted or denied at that privilege level.

Validation Tip: Even with priv-lvl=15, if the Command Set blocks conf t, the user cannot configure the device.


3. Can I assign multiple Shell Profiles to a user?

Answer:
No. A single Authorization Policy Rule in ISE applies exactly one Shell Profile to the user’s session. If multiple rules match, only the first hit (top-down order) applies.

Best Practice: Create distinct rules for each AD group or role.


4. How do I map an AD group to a specific Shell Profile?

Answer:

  1. Integrate ISE with AD (Administration → Identity Management → External Identity Sources → Active Directory) and retrieve the groups you will reference.
  2. In Work Centers → Device Administration → Policy Sets, create an Authorization Rule where:
    • Condition = AD group membership (e.g., ExternalGroups CONTAINS NetOps-Admin) AND NDG:Device Type == IOSXE.
    • Result = Shell Profile SP-IOSXE-ADMIN (+ Command Set CS-ADMIN).

Validation:

  • GUI: Check Live Logs > TACACS+ → Authorization rule hit.
  • CLI: User login → show privilege.

5. Why does my Shell Profile not apply, and users always get priv-lvl 1?

Answer:

  • Policy set may not be matching.
  • Shell Profile not mapped in the Authorization Policy.
  • Wrong identity source used.

Fix:

  • Check Live Logs to confirm which policy rule was hit.
  • Reorder policy rules to ensure the correct one matches.

6. Can I create custom attributes inside Shell Profiles?

Answer:
Yes. Besides the Common Tasks (Default/Maximum Privilege, Access Control List, Auto Command, No Escape, Timeout, Idle Time), the Custom Attributes table takes any TACACS+ attribute the device understands, for example:

  • priv-lvl=15 (common)
  • idletime=10 (IOS idle timeout in minutes; the Idle Time common task emits the same attribute)
  • shell:roles=network-admin (NX-OS role)

Per-command permissions do not belong here: command authorization is answered from the Command Set bound to the same Authorization Rule, not from attributes in the Shell Profile.

GUI: Inside the Shell Profile → Custom Attributes → Add a name/value pair and choose Mandatory or Optional.
Validation: device debugs (debug tacacs authorization) show which attributes are received.


7. What’s the difference between Shell Profiles for IOS vs. ASA vs. NX-OS?

Answer:

  • IOS/IOS-XE: Standard priv-lvl attribute works.
  • NX-OS: Uses roles (e.g., network-admin, network-operator) instead of privilege levels. The ISE Shell Profile must send shell:roles=network-admin (or the optional form shell:roles*network-admin).
  • ASA: Uses privilege levels + command authorization.

Validation: Test with different devices and verify behavior with show privilege (IOS), show role (NX-OS), show curpriv (ASA).


8. How do I troubleshoot Shell Profile mismatches?

Answer:

  • On device: Run debug tacacs → Check what ISE sends.
  • On ISE: Operations > TACACS > Live Logs → Check Shell Profile applied.
  • Ensure Network Device config in ISE has correct TACACS+ shared secret.

Checklist:

  • Is device registered in ISE?
  • Is policy rule hit?
  • Is Shell Profile mapped?

9. Can I use fallback Shell Profiles if ISE is unavailable?

Answer:
No. If ISE is down, the device falls back to local user accounts (if configured). Shell Profiles are only applied if ISE responds.

Device Config Best Practice:

aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local

This lets admins log in locally if ISE is unavailable. The fallback needs a local user with privilege 15 (the breakglass account) and the same local keyword on the command-authorization lists; otherwise an ISE outage lets admins log in but leaves them unable to configure anything.


10. How do I validate that the correct Shell Profile is applied?

Answer:

  • GUI Validation:
    • Go to Operations > TACACS > Live Logs → Confirm Authorization Rule and Shell Profile Name.
  • CLI Validation (on device):
    • Log in with test user.
    • Run show privilege (IOS), show role (NX-OS), show curpriv (ASA).
    • If configured correctly, it should match the intended Shell Profile.

YouTube Link

For more in-depth Cisco ISE Mastery Training, subscribe to my YouTube channel Network Journey and join my instructor-led classes for hands-on, real-world ISE experience

[NEW COURSE ALERT] CISCO ISE (Identity Service Engine) by Sagar Dhawan
CCIE Security v6.1 Training – Ticket#1 Discussed
CCIE Security v6.1 – MAC Authentication Bypass (MAB) in Cisco ISE
CCNP to CCIE SECURITY v6.1 – New Online Batch

Closing Notes

  • Shell Profiles are platform-native authority: send the attribute the device understands.
  • Separate by platform and role, bind with NDG + AD group conditions.
  • Pair with Command Sets to enforce least privilege beyond basic priv levels.
  • Validate both ends: device CLI (show privilege, show tacacs, debugs) and ISE Live Logs/Reports.

Upgrade Your Skills – Start Today

“For more in-depth Cisco ISE Mastery Training, subscribe to my YouTube channel Network Journey and join my instructor-led classes.”

Fast-Track to Cisco ISE Mastery Pro (4-month ILT)
Hands-on ISE from fundamentals → TrustSec → pxGrid → Automation → Device Admin. Production-grade labs, troubleshooting bible, and career-ready runbooks.

Course outline & enrollment: https://course.networkjourney.com/ccie-security/

Enroll Now & Future‑Proof Your Career
Email: info@networkjourney.com
WhatsApp / Call: +91 97395 21088