Best practices for adding network devices to ISE

Charlie Jones
Level 1

When using ISE for TACACS, is there any benefit to creating an entry for each network device? Today, each of our sites is represented with three groups in ISE: LOC_RTR, LOC_SW, and LOC_AP. We manage our routers from their loopback interfaces, our switches are in a management VLAN, and our APs are in their own VLAN.

 

When we moved our datacenter, the partner we worked with added the new network devices into ISE by creating individual devices for each device rather than using the format we have been maintaining.  

 

I can see that when looking at logs, it can be beneficial to see the device name rather than LOC_SW, but are there other advantages?  Is there a benefit if we decide to use ISE for wired NAC?   Today we only use ISE for TACACS and wireless authentication.

 

Thanks,

4 Replies

Arne Bier
VIP

Hello @Charlie Jones ,

 

Sounds like you have three Device Groups (LOC_RTR, LOC_SW and LOC_AP) that you tag each Network Device in ISE with, correct?

That's pretty normal and reasonable. But I don't understand how you're getting away with not adding every Network Device into ISE?

Adding a device into ISE allows ISE to recognise the source IP address of the NAD that's trying to talk TACACS or RADIUS to ISE. Without this entry in ISE, ISE will reject the device as "Unknown Device". You can either add the device's /32 IP address or specify a range (which is particularly useful if you have a VLAN that only contains things like Meraki APs - saves having to add them all in individually).

 

Ultimately, adding in every switch/router in ISE using the device's /32 address is probably a good idea for housekeeping - you can see at a glance how many devices you have and you can enable/disable stuff per-device. E.g. sometimes I have to disable TACACS for one switch only in ISE to force it to use local creds (HA testing). And bulk operations can be done via .csv export/import.

Thanks for taking the time to reply to my message.

 

I am interested in learning more about what you mean about ISE detecting the device as an unknown device? When I connect to a device via TACACS and then view the TACACS logs, the Network Device Name column will appear with the respective "LOC_SW", "LOC_RTR" or "LOC_AP" information. Looking at the authentication log for an authentication request, the only time Unknown appears is for Model Name and Software.

 

I do like the idea of having the ability to add each device so that it is available for testing. Before I posted this, I learned that ISE will use the most specific entry, which allows this flexibility.
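As an added illustration (not code from the thread or from Cisco), the following Python models the lookup behaviour described above: a NAD's source IP is matched against the Network Devices list, the most specific entry (longest prefix) wins, so a /32 per-device entry overrides a site range, and an address with no entry is treated as an "Unknown Device". The inventory, names and addresses are constructed and assumed, not the poster's real ones.

```python
# Added example: a model of ISE network-device matching (most specific entry wins).
# This is an illustration of the behaviour described in the thread, not ISE's own code.
from ipaddress import ip_address, ip_network

# Constructed sample inventory: per-site ranges plus /32 per-device entries.
# Group names follow the poster's LOC_* convention; addresses are made up.
NETWORK_DEVICES = {
    "LOC_SW":    {"subnets": ["10.10.20.0/24"], "tacacs": True},               # switch management VLAN
    "LOC_AP":    {"subnets": ["10.10.30.0/24"], "tacacs": True},               # AP VLAN
    "LOC_RTR":   {"subnets": ["10.10.0.1/32", "10.10.0.2/32"], "tacacs": True},  # router loopbacks
    # One switch added with its own /32 so it can be handled individually,
    # e.g. TACACS disabled on just that device during HA testing.
    "LOC-SW-07": {"subnets": ["10.10.20.7/32"], "tacacs": False},
}


def lookup_nad(src_ip):
    """Return (name, entry) for the most specific entry covering src_ip, else (None, None)."""
    addr = ip_address(src_ip)
    best, best_len = None, -1
    for name, entry in NETWORK_DEVICES.items():
        for cidr in entry["subnets"]:
            net = ip_network(cidr)
            # Longer prefix = more specific; a /32 beats a /24 that also contains addr.
            if addr in net and net.prefixlen > best_len:
                best, best_len = (name, entry), net.prefixlen
    return best if best else (None, None)


def tacacs_decision(src_ip):
    """Decide whether a TACACS request from src_ip is processed, and under which device entry."""
    name, entry = lookup_nad(src_ip)
    if name is None:
        return "REJECT: Unknown Device"          # no Network Device covers this source IP
    if not entry["tacacs"]:
        return f"REJECT: TACACS disabled on {name}"  # device exists but protocol is turned off
    return f"ACCEPT: {name}"                     # logs would show this entry's name


if __name__ == "__main__":
    for ip in ("10.10.20.8", "10.10.20.7", "10.10.0.1", "192.0.2.5"):
        print(ip, "->", tacacs_decision(ip))
```

Running it shows why per-device /32 entries are useful: 10.10.20.7 falls inside the LOC_SW range but is handled by its own entry, while 192.0.2.5 matches nothing and is rejected.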


I think you'll need to share some screenshots because I don't follow what you're using LOC_SW/RTR/AP for - perhaps it's some custom Network Device Group.

In its simplest (default) setup, ISE ships with a Device Type, IPSEC and Location Group assigned to each device. So for Device Type, you assign if it's a switch, router, AP etc - and that is just a convenience to allow us to create Policies based on this tagging. If you haven't tagged a device accordingly, then your policies might not work as expected.

 

The "device not found" means that ISE is unable to process the TCP (TACACS) or UDP (RADIUS) packets when the Device's IP address is not found in the Network Devices list.

Hi @Charlie Jones,

Beyond what @Arne Bier said, remember the following ISE Deployment Model options for RADIUS & TACACS+:

[image: RADIUS & TACACS.png]

 

Hope this helps!!!