How to setup PKI Token login onto Network devices with ISE

JaVa808
Level 1

We are currently testing PKI on a device which seems to work successfully. 

  • Used the trial for Pragmasys
  • Installed Self-Assigned certificate 

But what seems to have broken is the logging of the session to ISE, and now our ACAS scanning fails credentialed scanning on it. Being a novice with ISE, how would I go about fixing this? 


Has anyone else gone this route of doing PKI on Networking Devices with ISE?

4 Replies

howon
Cisco Employee

Can you elaborate on the use case on how PKI and ISE is used? Is this for Web authentication to a portal or is this for 802.1X?

Apologies for the delayed response but here is more information to the original question. Need to log into network devices including ISE Admin portal with PKI/Token. 

We discovered two things when we implemented Pragmasys on a catalyst 2960 switch:

1. It no longer relied on TACACS, because after the successful login with PKI, the login did not show up in the TACACS log. 

1a. This would break the ACAS/Nessus scanning which also uses TACACS. 

2. In two attempts at enabling certificate login instead of username and password, we were successful in getting ISE to prompt for a PIN when my PKI token is inserted. The PIN seems successful because we then see the configured warning banner and two buttons displayed below it: Continue | Close. 

Selecting Continue brings up a blank white screen. Not sure how to move forward.

Since then we have reverted the changes and currently log in with username and password. 

Mike.Cifelli
VIP Alumni
I assume that you are talking about using TACACS+ for device administration. For things such as ACAS you can create a local service account and give the username/pass to your ACAS admin. You can then under your authorization policies set something up like this:

Rule name: Service_Accounts; Conditions= IF internaluser: identity group EQUALS User Identity Groups: YOUR SERVICE ACCOUNT GROUPNAME RESULT shell profile with whatever priv.

Then create separate shell profiles and then reference them in the results. Depending on the requirements you can create one that allows READ only. Obviously this all depends on your requirements.

Where to go to configure users, user groups, and shell profiles:
Administration->Identities->Users
Administration->Identities->User Identity Groups
Work Centers->Device Administration->Policy Elements->TACACS Profiles

HTH!

We could try and test this. Let me check with team if we still have a test window. Will keep you posted on this. 

Thanks!
