04-01-2020 12:24 PM
Hi,
I am trying to set up NFVIS in ISE. I would appreciate it if anyone can provide documentation on how to configure it on ISE.
As it has the Admin, Oper and Audit roles, should I use the RADIUS attribute?
How do I set up RADIUS in ISE for NFVIS?
04-01-2020 05:29 PM
04-06-2020 08:45 AM
NFVIS is Enterprise NFV Infrastructure Software.
This link would give more information about NFVIS: https://www.cisco.com/c/en/us/products/routers/enterprise-nfv-infrastructure-software/index.html
04-06-2020 11:04 PM - edited 04-06-2020 11:06 PM
Can you please clarify what you mean by setting up 'NFVIS in ISE'?
If you are asking how to set up ISE as a VNF (Virtual Network Function) on the NFV Infrastructure, this is not supported. As documented in the link you shared, the only supported VNFs are:
04-21-2020 09:00 AM
Greg,
So, they want to have access based on roles like Admin, Oper or Read-only for this device.
Now I want to know how to configure that in ISE to provide them access based on the roles. Usually I find some document on how to configure ISE to provide access to the devices, but I am unable to find the document.
Here is the process for how to do it for CPI: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/212201-Configure-Prime-3-1-TACACS-authenticatio.pdf.
I need something like this for NFVIS.
04-21-2020 03:54 PM
This is more of a question about the ENCS/NFVIS platform than ISE. According to the NFVIS Configuration Guide, it appears you need to specify the priv-lvl that maps to each Role (Admin, Operator, Auditor). As the NFVIS supports TACACS+, I would suggest using it rather than RADIUS.
You would then create TACACS Profiles in ISE that would specify those privilege levels similar to the IOS example in the Device Admin Prescriptive Guide and structure your Device Admin Policy Sets and Authentication/Authorisation Policies according to the examples in the same guide. It's unclear from the NFVIS documentation whether a TACACS Command Set is required, so you might try using an Authorisation Policy without it first. If that fails, try using the 'PermitAllCommands' TACACS Command Set.
08-11-2020 06:32 AM
Good one, to explain to a Cisco guy what NFVIS means :-)