Beginner

How to setup PKI Token login onto Network devices with ISE

We are currently testing PKI on a device, which seems to work successfully.

  • Used the trial for Pragmasys
  • Installed a self-assigned certificate

But what seems to have broken is the logging of the session to ISE, and now our ACAS credentialed scanning fails on it. Being a novice with ISE, how would I go about fixing this?

Has anyone else gone this route of doing PKI on networking devices with ISE?

4 REPLIES
Cisco Employee

Re: How to setup PKI Token login onto Network devices with ISE

Can you elaborate on the use case, i.e. how PKI and ISE are used together? Is this for web authentication to a portal, or is this for 802.1X?

Beginner

Re: How to setup PKI Token login onto Network devices with ISE

Apologies for the delayed response, but here is more information on the original question. We need to log into network devices, including the ISE Admin portal, with PKI/token.

We discovered two things when we implemented Pragmasys on a Catalyst 2960 switch:

1. It no longer relied on TACACS, because after the successful login with PKI, the login did not show up in the TACACS log.

1a. This would break the ACAS/Nessus scanning, which also uses TACACS.

2. In two attempts at enabling certificate login instead of username and password, we were successful in getting ISE to prompt for a PIN when my PKI token is inserted. The PIN seems successful, because we then see the configured warning banner and two buttons displayed below it: Continue | Close.

Selecting Continue brings up a blank white screen. Not sure how to move forward.

Since then we have reverted the changes and currently log in with username and password.

Rising star

Re: How to setup PKI Token login onto Network devices with ISE

I assume that you are talking about using TACACS+ for device administration. For things such as ACAS you can create a local service account and give the username/password to your ACAS admin. You can then, under your authorization policies, set something up like this:

Rule name: Service_Accounts; Conditions = IF InternalUser:IdentityGroup EQUALS User Identity Groups:YOUR_SERVICE_ACCOUNT_GROUPNAME; Result = shell profile with whatever privilege level you need.

Then create separate shell profiles and reference them in the results. Depending on the requirements you can create one that allows read only. Obviously this all depends on your requirements.

Where to go to configure users, user groups, and shell profiles:
Administration -> Identities -> Users
Administration -> Identities -> User Identity Groups
Work Centers -> Device Administration -> Policy Elements -> TACACS Profiles

HTH!
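For the switch side of the setup the reply above describes, here is an added example (not from the original post, and not Pragmasys or ISE-supplied configuration) of the Catalyst IOS AAA configuration that sends the scanner's service-account logins to ISE over TACACS+ for authentication, exec authorization and accounting, so that they appear in the ISE TACACS log. The ISE PSN address 10.0.0.10, the server and group names, the shared secret and the local fallback account are assumed placeholders; substitute your own.

```ios
! Added example, assumed values: 10.0.0.10 = ISE PSN, "ISE-TACACS" = server group name.
! AAA must be globally enabled before any of the aaa commands below are accepted.
aaa new-model

! Define the ISE policy service node as a TACACS+ server (shared secret is a placeholder).
tacacs server ISE-PSN1
 address ipv4 10.0.0.10
 key REPLACE-WITH-SHARED-SECRET
 timeout 5

! Group the ISE node(s) so the AAA method lists can reference them by name.
aaa group server tacacs+ ISE-TACACS
 server name ISE-PSN1

! Authentication: ask ISE first, fall back to the local database only if ISE is unreachable.
aaa authentication login default group ISE-TACACS local

! Exec authorization: ISE returns the shell profile (privilege level) for the matched rule,
! e.g. a read-only profile for the ACAS service-account identity group.
aaa authorization exec default group ISE-TACACS local if-authenticated
aaa authorization commands 15 default group ISE-TACACS local if-authenticated

! Accounting: start/stop records for sessions and commands are what populate the
! TACACS log in ISE; this is the part the PKI login was bypassing.
aaa accounting exec default start-stop group ISE-TACACS
aaa accounting commands 15 default start-stop group ISE-TACACS

! Local fallback account, used only when no ISE node answers (assumed name).
username admin-fallback privilege 15 secret REPLACE-WITH-STRONG-SECRET

! Apply the default method lists to the SSH VTY lines.
line vty 0 15
 login authentication default
 authorization exec default
 transport input ssh
```

To verify end to end before handing the credentials to the ACAS admin, run `test aaa group ISE-TACACS svc-acas <password> new-code` on the switch (the username svc-acas is an assumed example) and confirm the attempt appears under Operations -> TACACS -> Live Log in ISE with the expected shell profile; then confirm `show tacacs` reports the server as up and a scan login from the scanner produces accounting start/stop records for the same account. Keep the `local` fallback: without it a failed ISE node locks you out of the switch.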

Beginner

Re: How to setup PKI Token login onto Network devices with ISE

We could try and test this. Let me check with the team whether we still have a test window. Will keep you posted on this.

Thanks!