Cisco Support Community

ISE and AAA configuration

Hi Guys,

I am using ISE with only one server as primary, and as Cisco says, it has the functionality of (ACS + NAC). I want to enable AAA services on the ISE box right now.

I used the ACS earlier and want to configure the same functions on it.

Authentication of devices from ISE when remote login to router/switches/firewalls.

Authorization of commands from ISE based on user login.

Accounting of commands and login and logout details of users.

I have very basic knowledge of ISE, but I used ACS thoroughly.

Please help with the above issue.

Thanks in Advance

Regards

1 ACCEPTED SOLUTION

Accepted Solutions
VIP Purple

ISE and AAA configuration

You probably used TACACS+ with your ACS; you can't migrate that functionality to ISE as the ISE doesn't support TACACS+. You have to keep the device-admin-stuff on the ACS.


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
6 REPLIES

ISE and AAA configuration

Hi Karsten,

Thanks for the reply. Will it be possible to configure authentication of devices from ISE? Let's say when I SSH to the device, it asks for the username and password from the ISE database.

VIP Purple

ISE and AAA configuration

Yes, the Authentication can be done with RADIUS. But all your Authorization-stuff is highly limited. Let's hope for an ISE with TACACS+ sometime in the future ...


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
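
A device-side sketch of the RADIUS-only login setup described in the reply above, added here as an illustration and not part of the original thread. It assumes the newer IOS `radius server` syntax; the server name ISE1, the address 192.0.2.10, the group name ISE-GROUP, the method-list names and the key placeholder are all constructed for the example.

```ios
! Added example: RADIUS-based device login against an ISE node.
! All names, the address and the key are placeholders.
aaa new-model
!
radius server ISE1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret>
!
aaa group server radius ISE-GROUP
 server name ISE1
!
! Authentication: ask ISE first, fall back to the local user database
! only when the RADIUS server does not respond.
aaa authentication login VTY-AUTH group ISE-GROUP local
!
! Exec authorization: RADIUS can hand back a privilege level
! (cisco-av-pair "shell:priv-lvl=<n>" in the ISE authorization profile),
! but not a per-command permit/deny decision.
aaa authorization exec VTY-AUTHZ group ISE-GROUP local if-authenticated
!
! Accounting: login/logout (exec session) records are sent over RADIUS.
aaa accounting exec default start-stop group ISE-GROUP
!
! The ACS-style per-command features rely on TACACS+ method lists and
! have no RADIUS equivalent on the device:
!   aaa authorization commands 15 default group tacacs+ ...
!   aaa accounting commands 15 default start-stop group tacacs+
!
line vty 0 4
 login authentication VTY-AUTH
 authorization exec VTY-AUTHZ
 transport input ssh
```

Keep a local fallback account with a strong secret on the device so that an unreachable RADIUS server does not lock administrators out, and test the method lists on one VTY session before closing the existing one.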

ISE and AAA configuration

Can you give any link where it shows TACACS is not supported?

Can you tell me where I need to enable these settings for AAA services?

Thanks in advance

Re: ISE and AAA configuration

Faisal,

When you enter the network device in ISE, you will see under the authentication settings that there is no entry for a TACACS shared secret.

http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_man_network_devices.html

You can get an answer through your Cisco account team on a tentative timeline for when TACACS will be released.

Sent from Cisco Technical Support iPad App

Tarik Admani *Please rate helpful posts*
VIP Purple

Re: ISE and AAA configuration

"Can you give any link where it shows TACACS is not supported?"

You find that amongst others in the Q&A:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/qa_c67-658591.html

"Can you tell me where I need to enable these settings for AAA services?"

That's a quite complex thing ... Best you start with the ISE policies:

http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_authz_polprfls.html

Then look at the ACS migration-tool:

http://www.cisco.com/en/US/docs/security/ise/1.0.4/migration_guide/ise104_mig_book.html

But don't expect that the tool will migrate your ACS-policies in a useful way ... There is much handwork involved to end with a good ISE-policy.


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni