topic Re: Device Administration using RADIUS Cisco ISE 2.3 in Network Access Control

Device Administration using RADIUS Cisco ISE 2.3

Arie -- — Fri, 21 Feb 2020 18:43:17 GMT

Hi,

Is it possible using ISE 2.3 as AAA for device administration with RADIUS protocol instead of TACACS+?

If I only enable Device Admin Service in ISE Policy Service, can I use RADIUS for authentication and authorization for network device login?

If that is possible, can you share me the guide of how to configure in ISE 2.3 and in network device (let says it is Cisco Switch)?

So far, I tested in Cisco Switch by using test aaa command, but there is no any log recorded in Cisco ISE. I'm afraid that something configuration is missing in ISE so that the switch can't contact to ISE using RADIUS protocol.

Thank you

Arie

Re: Device Administration using RADIUS Cisco ISE 2.3

Ben Walters — Thu, 11 Jan 2018 17:35:01 GMT

This guide should help you for network devices, there is also a chapter that covers configuring RADIUS.

https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfathen.html#wp1001032

Once you get the switch configured properly to contact your ISE server with requests you should be able to create rules for what you need to do.

As a general rule the authentication protocol is going to be PAP, and the attribute details should look like this for the authorization profile.

Access Type = ACCESS_ACCEPT
Service-Type = 6
cisco-av-pair = shell:priv-lvl=15

Other than that you just need to create authentication and authorization rules to match the type of authentication you are doing. (AD, local, etc.)

Hopefully this gives you a good start on what is needed.

Re: Device Administration using RADIUS Cisco ISE 2.3

Arie -- — Fri, 12 Jan 2018 06:16:00 GMT

Hi,

Before I jump in to configuration, I test if the port 1812 and 1813 between switch and ISE is open or not.

Using N7K, I telnet to ISE server and with port 1812 but the connection is timed out (not open). No firewall between N7K and ISE. However, when I check with port 49 (TACACS+), it's open.

I'm afraid that there is something missing with ISE configuration for RADIUS port 1812 and 1813.

Re: Device Administration using RADIUS Cisco ISE 2.3

Marvin Rhoads — Fri, 12 Jan 2018 08:27:11 GMT

If it's a multi-node deployment, be sure to perform your check for RADIUS services against the Policy Service Node(s) (PSNs).

You can check your ISE PSN nodes for the listener from the cli with

tech netstat | i 1812
tech netstat | i 1813

Re: Device Administration using RADIUS Cisco ISE 2.3

Octavian Szolga — Fri, 12 Jan 2018 08:45:49 GMT

Hi,

Tacacs is TCP based.

Radius is UDP - no telnet check....

If you want to check radius connectivity between NAD and ISE just do a #test aaa ....

Thanks,

Octavian

Re: Device Administration using RADIUS Cisco ISE 2.3

Arie -- — Fri, 12 Jan 2018 08:47:48 GMT

Hi,

In the Policy Service Node Deployment, I only check Device Admin Service

How to enable RADIUS service?

Also, I tried with the CLI command but nothing to show.

Thank you

Arie

Re: Device Administration using RADIUS Cisco ISE 2.3

Arie -- — Fri, 12 Jan 2018 08:49:09 GMT

Hi,
I see. So that's why I can't check with telnet.
And then, how to make sure that RADIUS service is enabled in ISE?

Thank you
Arie

Re: Device Administration using RADIUS Cisco ISE 2.3

Octavian Szolga — Fri, 12 Jan 2018 09:57:53 GMT

Hi,

Enable Session services.

Device administration refers strictly to TACACS.

Regards,

Octavian

Re: Device Administration using RADIUS Cisco ISE 2.3

Arie -- — Sat, 13 Jan 2018 09:35:04 GMT

Hi,

I have enable Session Service and I already see the 1812 and 1813 port on netstat

I will continue to policy sets configuration

Re: Device Administration using RADIUS Cisco ISE 2.3

Arie -- — Sat, 13 Jan 2018 09:46:28 GMT

Hi,
Btw, the authentication and authorization has successfully work. If I'm using RADIUS, can I see the accounting? Where can I find the RADIUS accounting report?

Thanks
Arie