Enthusiast

ISE 2.3 device administration with RSA and Internal

Hello,

I am installing ISE 2.3.  We have a requirement to utilize the internal user database for READWRITE access and the RSA 2FA for the READONLY to our Cisco environment.  I was able to do this on my other network with ACS, but I can't figure out how to on ISE.  I know it has to do with the device admin policy set, but I just can't figure it out.  Any help would be greatly appreciated.

1 ACCEPTED SOLUTION

Enthusiast

Re: ISE 2.3 device administration with RSA and Internal

So based on your link, I was able to work out what 2.3 was looking for.  I had to create an authentication rule tied to a condition using the tacacs:user tied to internal and then the default tied to RSA.  I then created the two authorization policies, one using an internal condition for the R/W and the network_authentication_passed condition for the RSA for R/O.

Thanks Nidhi for pointing me in the right direction.

4 REPLIES
Cisco Employee

Re: ISE 2.3 device administration with RSA and Internal

Enthusiast

Re: ISE 2.3 device administration with RSA and Internal

Thank you for the response.  That looks similar to how I did it in ACS.  Can you help clarify what it would look like in 2.3? I am very confused by its logic and design requirements.

Cisco Employee

Re: ISE 2.3 device administration with RSA and Internal

Would be great if you can share your notes with the community ☺

Thanks!