) then you would tell Nessus to scan all devices using username admin_ro. If you didn't have TACACS+ and you had local user in all of your network devices (e.g. And that is the only reason we're having this discussion. It's a great thing that all of your network devices are under TACACS+ management. There is no integration between ISE and Nessus. Your job will be to return the read-only attributes to the Cisco devices when user svc-tenable (or a member of a specific AD Group) performs a TACACS+ authentication, You could also achieve the same with an internal ISE Account - but keep things consistent if yoru TACACS+ is already checking AD for authentications. svc-tenable) that they can configure into their scanner, that will then go around all your Cisco devices and log in with read-only privileges. So in summary, they want a new user account in AD (e.g. I did a quick check on the T enable website for examples of Cisco IOS Scans And if the service account lives in AD, then ISE will authenticate the account in AD and your Policy Authorization Rule should check which AD Security Group the service account belongs to, and then return the appropriate TACACS+ Privilege Level. but TACACS+ is usually used for device admin) ISE will have to process that service account. And since ISE is your TACACS+ server (I am assuming here. Unless I am mistaken, what they are referring to is, that you create a service account (an account not to be used by a human) that allows a service (Nessus, in this case) to log into network devices (WLC, switches, etc.) that are using TACACS+ for their device authentication. Logging into the ISE nodes to perform a scan using read only doesn't make sense - there is no such thing. They are looking for open ports and vulnerabilities. You can of course run a Nessus Vulnerability scan against any device on the network and they have probably already done that to ISE. I would doubt that they meant they wanted to scan the ISE devices (i.e.