Add authentication policy for external clients in ISE TACACS 3.0

sbartelt62
Level 1

We have ISE TACACS 3.0 in our company. I am new to administering the environment. We have an external AD environment that clients can authenticate against. In our authentication Policy we have MAB, Dot1X and Default. Would a new policy be added prior to Default to allow clients to authenticate against the external AD environment? 


2 Replies

Rodrigo Diaz
Cisco Employee

Hello @sbartelt62, within the scenario that you are describing you need to create a policy in which you will be using dot1x. It depends mostly on the design you want to do with your policy sets; you can place, as you mention, a policy set above the default one where you might indicate that devices doing this protocol will be hitting the rule, as the following example shows:

[Screenshot: RodrigoDiaz_0-1677707470094.png]

The rules on ISE are evaluated from top to bottom, so the rules that you have above will be evaluated first. You can add multiple more conditions within the rules that adapt to the authentication you want to achieve, or you can also work within the default rule and create a condition that is specific for dot1x within the "Authentication policy" section of that policy set. For ISE 3.0 you also need to have Essential licensing to perform RADIUS AAA and web authentication.

Kindly refer to the following links that may help you in this new configuration:

https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

https://www.cisco.com/c/en/us/td/docs/security/ise/3-0/admin_guide/b_ISE_admin_3_0/m_Licensing30.html

Let me know if that helped you.
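To make the top-to-bottom evaluation described above concrete, here is an added Python illustration of first-match policy-set selection; it is not ISE code or the poster's configuration. The conditions mirror ISE's built-in Wired_802.1X and Wired_MAB library conditions (NAS-Port-Type Ethernet plus Service-Type), while the policy-set names, identity-store names and sample requests are constructed for the example.

```python
# Added illustration of first-match policy-set evaluation; not ISE code.
# Conditions mirror ISE's built-in Wired_802.1X / Wired_MAB library conditions
# (NAS-Port-Type Ethernet plus Service-Type); set and store names are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List

Request = Dict[str, str]  # RADIUS attribute name -> value

@dataclass
class PolicySet:
    name: str
    condition: Callable[[Request], bool]
    identity_store: str  # identity source used when this set matches

def wired_dot1x(req: Request) -> bool:
    return req.get("NAS-Port-Type") == "Ethernet" and req.get("Service-Type") == "Framed"

def wired_mab(req: Request) -> bool:
    return req.get("NAS-Port-Type") == "Ethernet" and req.get("Service-Type") == "Call Check"

def always(req: Request) -> bool:  # the Default set has no condition
    return True

def first_match(policy_sets: List[PolicySet], req: Request) -> PolicySet:
    """Evaluate top to bottom and return the first set whose condition matches."""
    for ps in policy_sets:
        if ps.condition(req):
            return ps
    raise ValueError("no policy set matched; keep a catch-all Default last")

# Constructed order: the AD-backed dot1x set is placed above Default.
POLICY_SETS = [
    PolicySet("MAB", wired_mab, "Internal Endpoints"),
    PolicySet("Dot1X-ExternalAD", wired_dot1x, "AD_CORP (hypothetical AD join point)"),
    PolicySet("Default", always, "Internal Users"),
]

# Constructed sample requests.
DOT1X_REQ = {"NAS-Port-Type": "Ethernet", "Service-Type": "Framed", "User-Name": "alice"}
MAB_REQ = {"NAS-Port-Type": "Ethernet", "Service-Type": "Call Check", "User-Name": "00-11-22-33-44-55"}
VPN_REQ = {"NAS-Port-Type": "Virtual", "Service-Type": "Framed", "User-Name": "bob"}

if __name__ == "__main__":
    for req in (DOT1X_REQ, MAB_REQ, VPN_REQ):
        hit = first_match(POLICY_SETS, req)
        print(f"{req['User-Name']:>20} -> {hit.name} via {hit.identity_store}")
```

Moving the Default set to the top makes every request stop there, which is why the AD-backed set has to sit above it.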

Thank you. I will look over all the information.