topic Re: Integration ISE to existing ACS for role based access (Admin, Supprot user etc) control in Network Access Control

Integration od ISE to existing ACS for role based access (Admin, Supprot user etc) control

Jay Tiwari — Fri, 14 Dec 2018 05:29:45 GMT

Hi Guys,

My customer wants to integrate ISE to existing ACS for role based access (Admin, Supprot etc) control. Though i don’t see the way to do such thing because there is no AV-Pair which can do ISE access control with ACS, however, still want to hear if anyone came across such requirement.

Re: Integration od ISE to existing ACS for role based access (Admin, Supprot user etc) control

Jason Kunst — Fri, 14 Dec 2018 13:15:16 GMT

I don’t understand the use case and need more details

ISE replaces ACS . Acs is going away

Re: Integration ISE to existing ACS for role based access (Admin, Supprot user etc) control

hslai — Mon, 17 Dec 2018 01:39:20 GMT

If I understood it correctly, ISE may use ACS as a RADIUS token server and use that as the authentication source for ISE admin users for ISE admin web portal. However, ISE needs internal shadow admin users defined and associated with the desired admin groups, because ISE performs external authentication but internal authorization for such use case. See Configure Admin Access Using an External Identity Store for Authentication with Internal Authorization

Re: Integration ISE to existing ACS for role based access (Admin, Supprot user etc) control

Nadav — Sat, 22 Dec 2018 15:49:25 GMT

For ISE 2.4 and above (I'm not famliar with older versions):

When creating external admin groups, you just point your custom group at the external identity group of your choice and it dynamically checks it via Kerberos/LDAPS with each authentication. You don't need to create a shadow admin user.

Re: Integration ISE to existing ACS for role based access (Admin, Supprot user etc) control

hslai — Sat, 22 Dec 2018 18:57:10 GMT

Nadav is correct regarding AD/LDAP/ODBC ID sources for external admins. However, RSA or other RADIUS token servers (ACS in this case) are treated differently and require internal admin users shadowing the same usernames and assigned to the desired admin user groups in order to authorize appropriately.

Re: Integration ISE to existing ACS for role based access (Admin, Supprot user etc) control

Nadav — Sat, 22 Dec 2018 19:22:45 GMT

Any reason why not just duplicate the administration policy from ACS into ISE? ACS is deprecated afterall, it shouldn't become a dependancy for an ISE deployment.

Is is a cross-domain issue?

Re: Integration ISE to existing ACS for role based access (Admin, Supprot user etc) control

hslai — Sun, 23 Dec 2018 04:33:34 GMT

Not sure. It could be not knowing the passwords of all the admin users.

Re: Integration ISE to existing ACS for role based access (Admin, Supprot user etc) control

Jay Tiwari — Sun, 23 Dec 2018 12:12:15 GMT

Thanks Guys...Integrated ACS with ISE as RADIUS TOKEN identity server and its working as expected.

Re: Integration ISE to existing ACS for role based access (Admin, Supprot user etc) control

CSCO12058043 — Fri, 10 Apr 2020 21:05:55 GMT

Hi Jatiwari

Can you please confirm the steps you took to make this integration with ACS for Admin access to ISE configuration , We have a similar requirement.

@Jay Tiwari wrote:
Thanks Guys...Integrated ACS with ISE as RADIUS TOKEN identity server and its working as expected.