Solved: ISE 2.3 device administration with RSA and Internal

bfoulks · ‎04-17-2018

Hello,

I am installing ISE 2.3. We have a requirement to utilize the internal user database for READWRITE access and the RSA 2FA for the READONLY to our cisco environment. I was able to do this on my other network with ACS, but a can't figure out how to on ISE. I know it has to do with the device admin policy set, but I just cant figure it out. Any help would be greatly appreciated.

bfoulks · ‎04-18-2018

So based on your link, I was able to work out what 2.3 was looking for. I had to create an authentication rule tied to a condition using the tacacs:user tied to internal and then the default tied to RSA. I then created the two authorization polices one using a internal condition for the R/W and the network_authentication_passed condition for the RSA for R/O.

Thanks Nidhi for pointing me in the right direction .

View solution in original post

Nidhi · ‎04-17-2018

You might want to look at this thread here - Cisco ISE Two Factor Authentication / Authorisation with different User Identity Store

bfoulks · ‎04-18-2018

Thank you for the response. That looks similar to how I did it is ACS. Can you help clarify what it would look like in 2.3? I am very confused by its logic and design requirements.

bfoulks · ‎04-18-2018

So based on your link, I was able to work out what 2.3 was looking for. I had to create an authentication rule tied to a condition using the tacacs:user tied to internal and then the default tied to RSA. I then created the two authorization polices one using a internal condition for the R/W and the network_authentication_passed condition for the RSA for R/O.

Thanks Nidhi for pointing me in the right direction .

Jason Kunst · ‎04-18-2018

Would be great if you can share your notes with the community ☺

Thanks!