Implementing and Configuring Cisco Identity Services Engine (SISE) — Question 264
An administrator must configure Cisco ISE to authenticate the administrative superuser who manages a Cisco Adaptive Security Appliance firewall. The solution must meet the following requirements:
• The user must be authenticated against Microsoft AD.
• The user must have full management administrative access to the Cisco Adaptive Security Appliance firewall.
• The user must not use the enable command.
The following configurations were performed:
• joined Cisco ISE to AD and retrieved AD groups
• added the Cisco Adaptive Security Appliance firewall
• enabled Device Admin Service in Cisco ISE
• configured TACACS command sets
• configured a TACACS profile
• configured an authorization policy
• configured the Cisco Adaptive Security Appliance firewall for authentication and authorization
Which two actions must be performed in Cisco ISE? (Choose two.)
Answer options
- A. Configure an authentication profile on Cisco ISE.
- B. Set Default Privilege to 1 and Maximum Privilege to 15 in the TACACS profile.
- C. Add all authorized admin commands to the TACACS profile.
- D. Set Default Privilege to 15 and Maximum Privilege to 15 in the TACACS profile.
- E. Select "Permit any command that is not listed below" in the TACACS profile.
Correct answer: D, E
Explanation
The correct answers are D and E. Setting both Default Privilege and Maximum Privilege to 15 in the TACACS profile gives the user full administrative access without having to use the enable command, which fulfills the requirement. Selecting "Permit any command that is not listed below" authorizes every command the user enters, which provides full management access. Option B is incorrect because it restricts privileges, while options A and C do not specifically address the privilege configuration needed for this scenario.