10-13-2021 03:47 PM
Hi Expert,
When logging into a router or switch (NADs), is it possible to have the query go to the ISE, and the ISE go to the AD to query the user's credentials?
If so, would Device Administration (TACACS+) be required?
ISE version 3.0 and NADs are Cisco products.
Thanks,
10-13-2021 10:40 PM
Hi @DekavitaD,
Yes, it is possible. The most frequent way of doing this for me is using Device Admin (TACACS+) between the NAD and ISE, while ISE is integrated with AD in the backend. Authorization is done based on AD group membership, so adding or removing an admin day to day is as simple as adding a user to an AD group.
You could do this with RADIUS as well, but TACACS+ as a protocol offers so much more, so I prefer doing it via TACACS+.
You can find details in the ISE Device Administration Prescriptive Deployment Guide.
BR,
Milos
10-14-2021 03:36 AM
Yes, that is the normal, standard deployment across the world (most users reside in AD only, and also in an AD group for control).
The guide below will help you:
https://ciscocustomer.lookbookhq.com/iseguidedjourney/ISE-device-admin
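The NAD side of the setup both answers describe (TACACS+ from the switch or router to ISE, with ISE doing the AD lookup and group-based authorization), as an added Cisco IOS/IOS-XE AAA example; this is not configuration from either poster or from the Cisco guide. The PSN address, shared secret, server and method-list names, and the local fallback account are placeholders to replace with your own.

```ios
! Added example: IOS/IOS-XE NAD pointing login, exec and command
! authorization at an ISE PSN over TACACS+, with local fallback.
! Values below (addresses, names, secrets) are placeholders.
aaa new-model
!
! ISE policy service node speaking TACACS+ (Device Administration)
tacacs server ISE-PSN1
 address ipv4 192.0.2.10
 key REPLACE-WITH-SHARED-SECRET
 timeout 5
!
aaa group server tacacs+ ISE-TACACS
 server name ISE-PSN1
!
! Source TACACS+ traffic from a stable management address
ip tacacs source-interface Loopback0
!
! Authenticate against ISE (which checks AD); fall back to the local
! database only if no ISE server is reachable.
aaa authentication login VTY-AUTH group ISE-TACACS local
!
! Exec privilege and per-command authorization come from the ISE
! TACACS+ profile/command set assigned by AD group membership.
aaa authorization exec VTY-AUTHZ group ISE-TACACS local if-authenticated
aaa authorization commands 15 VTY-AUTHZ group ISE-TACACS local if-authenticated
aaa authorization config-commands
!
! Send session and command accounting to ISE for an audit trail
aaa accounting exec default start-stop group ISE-TACACS
aaa accounting commands 15 default start-stop group ISE-TACACS
!
! Break-glass local account used only when ISE is unreachable
username local-admin privilege 15 secret REPLACE-WITH-STRONG-SECRET
!
line vty 0 4
 login authentication VTY-AUTH
 authorization exec VTY-AUTHZ
 authorization commands 15 VTY-AUTHZ
 transport input ssh
```

Before relying on it, verify from the NAD with `test aaa group ISE-TACACS <user> <password> new-code` and confirm the attempt appears in ISE under Operations > TACACS > Live Logs; the `local` keyword at the end of each method list is what keeps you from being locked out when the PSN is down, so keep the local account's secret rotated and its use alerted on.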