https://community.cisco.com/t5/network-access-control/query-on-ips-authentication-with-cisco-ise/m-p/4443100#M568821 <P>Hello,</P><P><BR />1.Is it possible to have RADIUS authentication enabled for the IPS device which comes within the subnet and which is already onboarded in ISE for TACACS authentication. Yes it's possible</P><P><BR />2.If yes do I need to onboard the IPS devices separately? Again yes you should create a network device for these 2 ips as <STRONG><FONT color="#FF0000">/32</FONT></STRONG> for radius with the preshared key.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="IIS.JPG" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/126862i4ED955FFA95D6B81/image-size/medium?v=v2&amp;px=400" role="button" title="IIS.JPG" alt="IIS.JPG" /></span></P><P> </P><P>3.If I onboard the IPS separately will ISE allow me to Onboard the devices? since it is already a part of the subnet and will it consider to be a duplicate one? <STRONG>In your case</STRONG> ISE will not complain about the duplication creation as long as the NAD will be declared as /32.</P><P>&nbsp;</P><P>Hope that helps!</P> Mon, 02 Aug 2021 21:45:56 GMT Amine ZAKARIA 2021-08-02T21:45:56Z https://community.cisco.com/t5/network-access-control/query-on-ips-authentication-with-cisco-ise/m-p/4443060#M568818 <P>Hello ,</P><P>&nbsp;</P><P>We have an entire subnet onboarded for TACACS authentication and within that subnet we have IPS devices which requires a RADIUS authentication.</P><P>&nbsp;</P><P>Version and patch : V 2.4.0.357 Patch 13</P><P>&nbsp;</P><P>Query :</P><P>&nbsp;</P><OL><LI>Is it possible to have RADIUS authentication enabled for the IPS device which comes within the subnet and which is already onboarded in ISE for TACACS authentication.</LI><LI>If yes do I need to onboard the IPS devices separately?</LI><LI>If I onboard the IPS separately will ISE allow me to Onboard the devices? since it is already a part of the subnet and will it consider to be a duplicate one?</LI></OL><P>&nbsp;</P><P>Example :</P><P>&nbsp;</P><P>Subnet onboarded for ISE TACACS is 10.2.2.0/24 , IPS IP's are&nbsp;10.2.2.2 and&nbsp;<SPAN>10.2.2.3.</SPAN></P><P>&nbsp;</P><P><SPAN>Now I need to onboard the IPS devices10.2.2.2 and&nbsp;10.2.2.3 (RADIUS Authentication) but&nbsp;10.2.2.0/24 is already in ISE for TACACS authentication.</SPAN></P><P>&nbsp;</P><P><SPAN>Kindly help me with this scenario.</SPAN></P><P>&nbsp;</P><P>&nbsp;</P> Mon, 02 Aug 2021 20:22:26 GMT https://community.cisco.com/t5/network-access-control/query-on-ips-authentication-with-cisco-ise/m-p/4443060#M568818 kirubashankarr 2021-08-02T20:22:26Z https://community.cisco.com/t5/network-access-control/query-on-ips-authentication-with-cisco-ise/m-p/4443100#M568821 <P>Hello,</P><P><BR />1.Is it possible to have RADIUS authentication enabled for the IPS device which comes within the subnet and which is already onboarded in ISE for TACACS authentication. Yes it's possible</P><P><BR />2.If yes do I need to onboard the IPS devices separately? Again yes you should create a network device for these 2 ips as <STRONG><FONT color="#FF0000">/32</FONT></STRONG> for radius with the preshared key.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="IIS.JPG" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/126862i4ED955FFA95D6B81/image-size/medium?v=v2&amp;px=400" role="button" title="IIS.JPG" alt="IIS.JPG" /></span></P><P> </P><P>3.If I onboard the IPS separately will ISE allow me to Onboard the devices? since it is already a part of the subnet and will it consider to be a duplicate one? <STRONG>In your case</STRONG> ISE will not complain about the duplication creation as long as the NAD will be declared as /32.</P><P>&nbsp;</P><P>Hope that helps!</P> Mon, 02 Aug 2021 21:45:56 GMT https://community.cisco.com/t5/network-access-control/query-on-ips-authentication-with-cisco-ise/m-p/4443100#M568821 Amine ZAKARIA 2021-08-02T21:45:56Z https://community.cisco.com/t5/network-access-control/query-on-ips-authentication-with-cisco-ise/m-p/4444399#M568855 <P>RADIUS and TACACS are separate protocols supported by ISE.</P> <P>You may individually enable each protocol per device or device subnet under Administration &gt; Network Resources &gt; Network Devices:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/127071iAEAA5A2845654A72/image-size/medium?v=v2&amp;px=400" role="button" title="image.png" alt="image.png" /></span></P> <P>To "onboard" the devices for RADIUS you would simply check the box in your device subnet configuration in ISE as shown above and provide the RADIUS shared secret similar to what you did with TACACS.</P> Wed, 04 Aug 2021 18:27:11 GMT https://community.cisco.com/t5/network-access-control/query-on-ips-authentication-with-cisco-ise/m-p/4444399#M568855 thomas 2021-08-04T18:27:11Z