ACS and ISE authentication.

johnywalker
Level 1

Hello,

 

My customer has AAA using ACS for all network devices, and guest wifi access configured through ISE. Now they are planning to use profiling for endpoints and posturing with 802.1X authentication and authorization for wired users through ISE. They have renewed ACS support until 2019 and they don't want to remove ACS from their network.

 

How can I configure ISE so that it can get endpoint details for profiling and posturing of wired users without removing ACS from their network?

 

I configured SNMP traps on the network devices, and no endpoint details are showing in ISE.

 

Please help me on this issue.

 

Sijoy

Accepted Solutions

Jason Kunst
Cisco Employee

You wouldn’t have ACS and ISE managing the same networks. It’s one or the other. Doesn’t make sense operationally and they can’t coexist.

ISE needs RADIUS session details to populate any endpoint information in its system.

Would recommend slowly moving over to ISE and understanding its roles, because ACS is outdated and doesn’t provide any value compared to ISE's powerful features.


Marvin Rhoads
Hall of Fame

You can use ACS as your TACACS server for device administration purposes while introducing additional ISE-based services for 802.1x clients via RADIUS.

 

The TACACS and RADIUS services are completely distinct. While either product can do both (and indeed ACS is past end-of-sales), you can have both as long as you distinguish a role for each.

 

Is that what you're wondering?

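As an added check (not part of this thread, and not Cisco's own tooling) that ties Marvin's role split to Jason's point that ISE only learns endpoints from RADIUS session data: a small Python lint that reads the AAA lines from a config shaped like the one posted below and flags device-admin or 802.1X method lists pointing at the wrong server type, plus the absence of start-stop RADIUS accounting to the ISE group. The regexes, the role mapping and the sample config are my own assumptions.

```python
import re
# Constructed sample modelled on the WLC config posted in this thread (addresses/keys omitted).
SAMPLE_CONFIG = """\
aaa group server radius GBHISE
 server name GBHISE01
aaa group server tacacs+ ACS
 server name ACS
aaa authentication login wlc group ACS local
aaa authentication dot1x ISEAUTHC group GBHISE local
aaa authorization exec wlc group ACS local
aaa authorization network ISE802.1x group GBHISE
aaa accounting identity ISEACC start-stop group GBHISE
"""
DEVICE_ADMIN = {"login", "exec"}             # device admin -> TACACS+ (ACS) group
ENDPOINT = {"dot1x", "network", "identity"}  # 802.1X endpoints -> RADIUS (ISE) group
GROUP_RE = re.compile(r"aaa group server (radius|tacacs\+) (\S+)")
METHOD_RE = re.compile(r"aaa (authentication|authorization|accounting) (\S+) (\S+) (.*)")

def parse_aaa(config):
    """Return (server group name -> protocol, list of AAA method-list tuples)."""
    groups, methods = {}, []
    for line in config.splitlines():
        g = GROUP_RE.match(line.strip())
        m = METHOD_RE.match(line.strip())
        if g:
            groups[g.group(2)] = g.group(1)
        elif m:
            methods.append(m.groups())
    return groups, methods

def check_split(config):
    """Findings list; empty means roles are split (TACACS+ for device admin,
    RADIUS for 802.1X) and ISE gets the start-stop accounting it needs for sessions."""
    groups, methods = parse_aaa(config)
    findings, accounting_to_radius = [], False
    for svc, kind, name, rest in methods:
        for g in re.findall(r"group (\S+)", rest):
            proto = groups.get(g)
            if proto is None:
                findings.append(f"{svc} {kind} {name}: group {g} undefined")
            elif kind in ENDPOINT and proto != "radius":
                findings.append(f"{svc} {kind} {name}: must use RADIUS (ISE), not {proto}")
            elif kind in DEVICE_ADMIN and proto != "tacacs+":
                findings.append(f"{svc} {kind} {name}: device admin expected on TACACS+ (ACS)")
            if svc == "accounting" and proto == "radius" and "start-stop" in rest:
                accounting_to_radius = True
    if not accounting_to_radius:
        findings.append("no start-stop RADIUS accounting: ISE will not see sessions")
    return findings
```

Feed it the output of `show running-config | include ^aaa` from a switch or WLC; a clean result only says the method lists are wired correctly, not that the ISE profiling probes themselves are enabled.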


Hi,

Thanks for your reply.

They already had ACS for WLC login and ISE for the guest wireless solution. The WLC configuration is added below for your reference.

! RADIUS server group pointing at the two ISE nodes
aaa group server radius GBHISE
 server name GBHISE01
 server name GBHISE02
 deadtime 10
!
! TACACS+ server group pointing at ACS (device administration)
aaa group server tacacs+ ACS
 server name ACS
!
! Device admin (login/exec) -> ACS; 802.1X/MAC filtering/accounting -> ISE
aaa authentication login wlc group ACS local
aaa authentication dot1x ISEAUTHC group GBHISE local
aaa authorization exec wlc group ACS local
aaa authorization network ISEMACFilter group GBHISE
aaa authorization network ISE802.1x group GBHISE
aaa accounting identity ISEACC start-stop group GBHISE
aaa local authentication ISEAUTHC authorization ISE802.1x
!
! CoA clients (the ISE nodes)
aaa server radius dynamic-author
 client <IP> server-key 7 <key>
 client <IP> server-key 7 <key>
 auth-type any
!
aaa session-id common
!
dot1x system-auth-control
!
tacacs server ACS
 address ipv4 <IP>
 key 7 <key>
 timeout 80
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 2
radius-server deadtime 10
!
radius server GBHISE01
 address ipv4 <IP> auth-port 1645 acct-port 1646
 timeout 10
 retransmit 3
 key 7 <key>
!
radius server GBHISE02
 address ipv4 <IP> auth-port 1645 acct-port 1646
 timeout 10
 retransmit 3
 key 7 <key>
!


Sijoy

Not sure why you’re sharing

A WLAN is only served by one AAA type of deployment, so ISE as guest and ACS for wireless is fine, but they don’t work together. It’s one or the other on any given network segment.

Regardless of having support for ACS until 2019, it doesn’t make sense to keep both.

Migrate everything to ISE and shut down ACS.
