https://community.cisco.com/t5/network-access-control/cisco-ise-device-admin-authz-rules-query/m-p/3832897#M474123 <P>Well Prime is causing an authentication event on the NAS, so in reality it's not Prime's issue - you need to configure the NAS to first perform local auth, then TACACS.&nbsp; But if the NAS will always do TACACS first and local user only if AAA is down, then you have no hope to avoid the AAA call.&nbsp; You could put the use in the ISE Identity Group to avoid an AD/LDAP lookup.</P> <P>&nbsp;</P> <P>On Cisco WLC you can set the order to be LOCAL, then TACACS.&nbsp; That would solve your issue. But it opens up a security issue because users can then bypass your TACACS server by creating their own accounts - and then TACACS doesn't log the commands,etc.&nbsp; Bad practice. Avoid that.</P> <P>&nbsp;</P> <P>If the issue is that you don't want to see these events in LiveLogs then you can enable a Collection Filter to remove the events from the Logs (and reports too).&nbsp;&nbsp;</P> <P>Administration -&gt; System -&gt; Logging -&gt; Collection Filters</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="collection filet.PNG" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/33655i4CA7652DC8773C1F/image-size/large?v=v2&amp;px=999" role="button" title="collection filet.PNG" alt="collection filet.PNG" /></span></P> Fri, 05 Apr 2019 11:19:26 GMT Arne Bier 2019-04-05T11:19:26Z https://community.cisco.com/t5/network-access-control/cisco-ise-device-admin-authz-rules-query/m-p/3832830#M474122 <P>Hi Team,</P> <P>&nbsp;</P> <P>Have a query regrading exclusion for Cisco Prime user request(auth/authz) to ISE nodes.</P> <P>&nbsp;</P> <P>CU is having the Cisco Prime into network for monitoring/config change. Prime have the level 15 admin user which auth/authz on every network device(20K) and pull the required info that creates huge requests on ISE.&nbsp;</P> <P>Can be a way to exclude the specific user or Prime IP exclusion on ISE to proceed further for auth/authz requests to minimise the overhead.&nbsp;</P> <P>&nbsp;</P> Fri, 05 Apr 2019 09:46:41 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-device-admin-authz-rules-query/m-p/3832830#M474122 sondevi 2019-04-05T09:46:41Z https://community.cisco.com/t5/network-access-control/cisco-ise-device-admin-authz-rules-query/m-p/3832897#M474123 <P>Well Prime is causing an authentication event on the NAS, so in reality it's not Prime's issue - you need to configure the NAS to first perform local auth, then TACACS.&nbsp; But if the NAS will always do TACACS first and local user only if AAA is down, then you have no hope to avoid the AAA call.&nbsp; You could put the use in the ISE Identity Group to avoid an AD/LDAP lookup.</P> <P>&nbsp;</P> <P>On Cisco WLC you can set the order to be LOCAL, then TACACS.&nbsp; That would solve your issue. But it opens up a security issue because users can then bypass your TACACS server by creating their own accounts - and then TACACS doesn't log the commands,etc.&nbsp; Bad practice. Avoid that.</P> <P>&nbsp;</P> <P>If the issue is that you don't want to see these events in LiveLogs then you can enable a Collection Filter to remove the events from the Logs (and reports too).&nbsp;&nbsp;</P> <P>Administration -&gt; System -&gt; Logging -&gt; Collection Filters</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="collection filet.PNG" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/33655i4CA7652DC8773C1F/image-size/large?v=v2&amp;px=999" role="button" title="collection filet.PNG" alt="collection filet.PNG" /></span></P> Fri, 05 Apr 2019 11:19:26 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-device-admin-authz-rules-query/m-p/3832897#M474123 Arne Bier 2019-04-05T11:19:26Z https://community.cisco.com/t5/network-access-control/cisco-ise-device-admin-authz-rules-query/m-p/3833974#M474192 <P>Hi Arne,</P> <P>&nbsp;</P> <P>Thanks for highlighting the use of Collection filter, can be a use case for CU for prime live logs filtering.</P> <P>WLC is not a case as CU using TACACS feature only. In this case, I am not sure if only prime user can be filtered as Local auth on NAD devices. more looking on ISE side, can be a way to filter prime user authentication and should not be entertained/directly bypassed for authorization requests.</P> <P>&nbsp;</P> Mon, 08 Apr 2019 06:06:47 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-device-admin-authz-rules-query/m-p/3833974#M474192 sondevi 2019-04-08T06:06:47Z https://community.cisco.com/t5/network-access-control/cisco-ise-device-admin-authz-rules-query/m-p/3834195#M474193 <P>I don't quite follow what you've just written.&nbsp; But when you say "bypassed" then you surely mean "do not use TACACS at all".&nbsp; If your NAS sends a TACACS request to ISE then there is no concept of bypassing.&nbsp; ISE has to process the request.&nbsp; You can chose to authenticate locally (ISE internal user) - that is the only "optimisation"you can do.</P> Mon, 08 Apr 2019 12:47:06 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-device-admin-authz-rules-query/m-p/3834195#M474193 Arne Bier 2019-04-08T12:47:06Z https://community.cisco.com/t5/network-access-control/cisco-ise-device-admin-authz-rules-query/m-p/3834341#M474194 <P>Hi Arne, thanks for more input. was looking that can bypass specific username or not on ISE.</P> Mon, 08 Apr 2019 15:56:59 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-device-admin-authz-rules-query/m-p/3834341#M474194 sondevi 2019-04-08T15:56:59Z