Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

513
Views
0
Helpful
4
Replies
JaVa808
JaVa808 Beginner
Beginner
‎02-24-2019 02:34 PM
‎02-24-2019 02:34 PM

How to setup PKI Token login onto Network devices with ISE

We are currently testing PKI on a device which seems to work successfully. 

  • Used the trial for Pragmasys
  • Installed Self-Assigned certificate 

But what seemed to have broke was it logging the session onto ISE and now our ACAS Scanning failed credential scanning on it. Being a novice with ISE, how would I go about fixing this? 

 

Has anyone else gone this route of doing PKI on Networking Devices with ISE?

0 Helpful
Reply
4 REPLIES 4
howon
howon Cisco Employee
Cisco Employee
‎03-05-2019 10:36 AM
‎03-05-2019 10:36 AM

Re: How to setup PKI Token login onto Network devices with ISE

Can you elaborate on the use case on how PKI and ISE is used? Is this for Web authentication to a portal or is this for 802.1X?

0 Helpful
Reply
JaVa808
JaVa808 Beginner
Beginner
‎03-20-2019 08:03 PM
‎03-20-2019 08:03 PM

Re: How to setup PKI Token login onto Network devices with ISE

Apologies for the delayed response but here is more information to the original question. Need to log into network devices including ISE Admin portal with PKI/Token. 

We discovered two things when we implemented Pragmasys on a catalyst 2960 switch:

1. It wouldn't no longer rely on TACACS because after the successful login with PKI, it did not show up in TACACS Log 

1a. This would break the ACAS/Nessus scanning which also uses TACACS. 

2. In two attempts of enabling certificate login instead of username and password, we are successful in getting ISE to prompt for a PIN when my PKI is inserted. PIN seems successful because we then see the warning banner configured. and two button's displayed below: Continue | Close. 

Selecting Continue brings up a blank white screen. Not sure how to move forward.

Since then we have reverted the changes and currently log in with username and password. 

0 Helpful
Reply
Mike.Cifelli
Mike.Cifelli Rising star
Rising star
‎03-05-2019 11:10 AM
‎03-05-2019 11:10 AM

Re: How to setup PKI Token login onto Network devices with ISE

I assume that you are talking about using TACACS+ for device administration. For things such as ACAS you can create a local service account and give the username/pass to your ACAS admin. You can then under your authorization policies set something up like this:

Rule name: Service_Accounts; Conditions= IF internaluser: identity group EQUALS User Identity Groups: YOUR SERVICE ACCOUNT GROUPNAME RESULT shell profile with whatever priv.

Then create separate shell profiles and then reference them in the results. Depending on the requirements you can create one that allows READ only. Obviously this all depends on your requirements.

Where to go to configure users, user groups, and shell profiles:
Administration->Identities->Users
Administration->Identities->User Identity Groups
Work Centers->Device Administration->Policy Elements->TACACS Profiles

HTH!

0 Helpful
Reply
Highlighted
JaVa808
JaVa808 Beginner
Beginner
‎03-20-2019 08:06 PM
‎03-20-2019 08:06 PM

Re: How to setup PKI Token login onto Network devices with ISE

We could try and test this. Let me check with team if we still have a test window. Will keep you posted on this. 

Thanks!

0 Helpful
Reply
Latest Contents
#CiscoChat Live: Consumer Perspectives on Data Privacy
Created by Kelli Glass on 12-10-2019 11:00 AM
0
0
0
0
Join us live on Thursday, December 12 at 10:00 am PT (and on demand after) for an in-depth look at the latest Cisco Cybersecurity report. The Cisco 2019 Consumer Privacy Survey shows consumers placing a greater premium on data privacy, providing comp... view more
#CiscoChat Live: Consumer Perspectives on Data Privacy
Created by Kelli Glass on 12-10-2019 10:55 AM
0
0
0
0
Join us live on Thursday, December 12 at 10:00 am PT (and on demand after) for an in-depth look at the latest Cisco Cybersecurity report. The Cisco 2019 Consumer Privacy Survey shows consumers placing a greater premium on data privacy, providing comp... view more
How to find/get the registration key from FTD
Created by Eahwar34 on 12-06-2019 03:14 AM
0
0
0
0
We are in need of finding registration key used for our FTD , unfortunately we have forget the key and also it is encrypted . How to find the key from FTD ?
ISE My Devices & Sponsor Portal as a User Change Password Po...
Created by Jason Kunst on 12-05-2019 10:24 AM
0
0
0
0
This is to address those customers coming to ISE from ACS or new to ISE that need a password change portal (UCP) What are the licensing requirements for this solution? My Devices - For using the password change with My Devices you need plus licenses as ... view more
WHITEPAPER - Firepower Threat Defense Cloud Management with ...
Created by Marvin Rhoads on 11-29-2019 07:57 PM
0
10
0
10
  Overview   In this paper we will document the configuration and operation of an integrated solution that includes identity management, firewall, cloud-based management, and cloud-based logging. We will use the following Cisco products: Fu... view more
CreatePlease to create content
Discussion
Blog
Document
Video