10-13-2021 03:47 PM
Hi Expert,
When logging into a router or switch (NAD), is it possible to have the query go to ISE, and have ISE go to AD to check the user's credentials?
If so, would Device Administration (TACACS+) be required?
ISE version 3.0 and NADs are Cisco products.
Thanks,
10-13-2021 10:40 PM
Hi @DekavitaD,
Yes, it is possible. The most frequent way of doing this for me is using Device Admin (TACACS+) between the NAD and ISE, while ISE is integrated with AD in the backend. Authorization is done based on AD group membership, so day-to-day adding or removing an admin is as simple as adding a user to (or removing a user from) an AD group.
You could do this with RADIUS as well, but TACACS+ as a protocol offers so much more, so I prefer doing it via TACACS+.
You can find details in the ISE Device Administration Prescriptive Deployment Guide.
BR,
Milos
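The NAD side of the setup described in the reply above, as an added example that is not part of the original thread or of the Cisco guide: an IOS-XE AAA configuration that sends login, enable, exec and command authorization to two ISE Policy Service Nodes over TACACS+, with a local account as fallback. The server names, the 10.0.0.11/10.0.0.12 addresses, the shared secret, Loopback0 as source interface and the local username are all assumptions chosen for the example.

```cisco
! Added example config (not from the original post); addresses, names
! and the shared secret are placeholders to be replaced.
aaa new-model
!
! Two ISE PSNs running the Device Admin (TACACS+) service.
tacacs server ISE-PSN1
 address ipv4 10.0.0.11
 key ChangeMe-Strong-Secret
tacacs server ISE-PSN2
 address ipv4 10.0.0.12
 key ChangeMe-Strong-Secret
!
aaa group server tacacs+ ISE-TACACS
 server name ISE-PSN1
 server name ISE-PSN2
!
! ISE must see the TACACS+ request come from the address defined for
! this device in the ISE Network Devices list.
ip tacacs source-interface Loopback0
!
! "local" after the server group is only used when no ISE PSN answers,
! never when ISE rejects the user, so a break-glass account does not
! bypass the AD group check.
aaa authentication login VTY-AUTH group ISE-TACACS local
aaa authentication enable default group ISE-TACACS enable
aaa authorization exec VTY-AUTHZ group ISE-TACACS local if-authenticated
aaa authorization commands 15 VTY-AUTHZ group ISE-TACACS local if-authenticated
aaa authorization config-commands
aaa accounting exec default start-stop group ISE-TACACS
aaa accounting commands 15 default start-stop group ISE-TACACS
!
! Break-glass account used only if every PSN is unreachable.
username admin-local privilege 15 secret ChangeMe-Local-Secret
enable secret ChangeMe-Enable-Secret
!
! Named method lists are applied to the VTY lines only, so the console
! keeps its previous behaviour while this is being rolled out.
line vty 0 4
 login authentication VTY-AUTH
 authorization exec VTY-AUTHZ
 authorization commands 15 VTY-AUTHZ
 transport input ssh
```

On the ISE side the matching pieces are an AD join point whose groups are imported, a Device Admin policy set whose authorization rules use the AD group as the condition, and a TACACS profile (privilege 15 shell profile) plus a command set returned by those rules; users outside the group get no shell profile and are denied. Keep an existing session open when applying this, and confirm with `test aaa group ISE-TACACS <user> <password> new-code` that ISE accepts the AD account before closing it.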
10-14-2021 03:36 AM
Yes, that is the normal standard deployment across the world (most users reside in AD only, and are also placed in an AD group for control).
The guide below will help you:
https://ciscocustomer.lookbookhq.com/iseguidedjourney/ISE-device-admin