topic Re: ISE 2.3 device administration with RSA and Internal in Network Access Control

ISE 2.3 device administration with RSA and Internal

bfoulks — Tue, 17 Apr 2018 23:00:17 GMT

Hello,

I am installing ISE 2.3. We have a requirement to utilize the internal user database for READWRITE access and the RSA 2FA for the READONLY to our cisco environment. I was able to do this on my other network with ACS, but a can't figure out how to on ISE. I know it has to do with the device admin policy set, but I just cant figure it out. Any help would be greatly appreciated.

Re: ISE 2.3 device administration with RSA and Internal

Nidhi — Wed, 18 Apr 2018 05:09:01 GMT

You might want to look at this thread here - Cisco ISE Two Factor Authentication / Authorisation with different User Identity Store

Re: ISE 2.3 device administration with RSA and Internal

bfoulks — Wed, 18 Apr 2018 13:05:53 GMT

Thank you for the response. That looks similar to how I did it is ACS. Can you help clarify what it would look like in 2.3? I am very confused by its logic and design requirements.

Re: ISE 2.3 device administration with RSA and Internal

bfoulks — Wed, 18 Apr 2018 15:54:34 GMT

So based on your link, I was able to work out what 2.3 was looking for. I had to create an authentication rule tied to a condition using the tacacs:user tied to internal and then the default tied to RSA. I then created the two authorization polices one using a internal condition for the R/W and the network_authentication_passed condition for the RSA for R/O.

Thanks Nidhi for pointing me in the right direction .

Re: ISE 2.3 device administration with RSA and Internal

Jason Kunst — Wed, 18 Apr 2018 16:07:44 GMT

Would be great if you can share your notes with the community ☺

Thanks!