
Any step by step document to setup NFVIS in ISE.

Nikhil@07
Level 1

Hi,

I am trying to set up NFVIS in ISE. I would appreciate it if anyone can provide documentation on how to configure it on ISE.

As it has the admin, oper and Audit roles, should I use the RADIUS attribute?

How to set up RADIUS in ISE for NFVIS?

1 Accepted Solution


This is more of a question about the ENCS/NFVIS platform than ISE. According to the NFVIS Configuration Guide, it appears you need to specify the priv-lvl that maps to each Role (Admin, Operator, Auditor). As the NFVIS supports TACACS+, I would suggest using it rather than RADIUS.

You would then create TACACS Profiles in ISE that would specify those privilege levels similar to the IOS example in the Device Admin Prescriptive Guide and structure your Device Admin Policy Sets and Authentication/Authorisation Policies according to the examples in the same guide. It's unclear from the NFVIS documentation whether a TACACS Command Set is required, so you might try using an Authorisation Policy without it first. If that fails, try using the 'PermitAllCommands' TACACS Command Set.


6 Replies

thomas
Cisco Employee

What is "NFVIS"? NetFlow Visibility?

If so, see the ISE Profiling Design Guide.

NFVIS is Enterprise NFV Infrastructure Software.

This link would give more information about NFVIS : https://www.cisco.com/c/en/us/products/routers/enterprise-nfv-infrastructure-software/index.html 

Can you please clarify what you mean by setting up 'NFVIS in ISE'?

If you are asking how to set up ISE as a VNF (Virtual Network Function) on the NFV Infrastructure, this is not supported. As documented in the link you shared, the only supported VNFs are:

  • Integrated Services Virtual Router
  • Virtual WAN optimization
  • Virtual ASA
  • Virtual Wireless LAN Controller
  • Next-Generation Virtual Firewall

Greg,

So, they want to have access based on roles like Admin, Oper or Read-only for this device.

Now I want to know how to configure that in ISE to provide them access based on the roles. Usually I find some document on how to configure in ISE to provide access to the devices. But I am unable to find the document.

Here is the process on how to do it for CPI: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/212201-Configure-Prime-3-1-TACACS-authenticatio.pdf.

I need something like this for NFVIS.


Good one, to explain to a Cisco guy what NFVIS means :-)