Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
804
Views
0
Helpful
2
Replies

Can ISE limit restconf commands on network devices?

Go to solution
Larry Sullivan
Level 3
Level 3

‎12-08-2023 10:12 AM - edited ‎12-08-2023 10:23 AM

Can ISE limit restconf commands sent to network devices?  Essentially a program was built to clear arp on ASRs and also shut/no shut specific interfaces on C9500s.  Can we limit the commands to just that via ISE?  I'm not tasked with implementing this although I may end up eventually doing it.  I noticed in the command set my colleagues set up they are using standard CLI commands for the permit action.  Does ISE have an underlying mapping or do they need to put in the actual restconf syntax?  Any help or links to documentation appreciated.  Did a quick search last night before I got off work and didn't find much.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee

‎12-10-2023 01:24 PM

NETCONF and RESTCONF do not provide the ability to perform command authorization from a AAA server. You can authenticate and authorize the user, but the only external authorization method available is privilege level.

To provide more granular RBAC for NETCONF/RESTCONF, you would need to look at Model Based AAA via NACM.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee

‎12-10-2023 01:24 PM

NETCONF and RESTCONF do not provide the ability to perform command authorization from a AAA server. You can authenticate and authorize the user, but the only external authorization method available is privilege level.

To provide more granular RBAC for NETCONF/RESTCONF, you would need to look at Model Based AAA via NACM.

0 Helpful

Go to solution
soniyadixit
Level 1
Level 1

‎12-10-2023 08:37 PM

Yes, Cisco Identity Services Engine (ISE) can be configured to limit or control RESTCONF (RESTful Network Configuration) commands on network devices. RESTCONF is an HTTP-based protocol that provides a programmatic interface for interacting with network devices.

In simple terms:

  1. Define Policies in ISE:

    • ISE allows you to define policies that control what actions are allowed or denied for different users or devices.

  2. Create Authorization Policies:

    • Create authorization policies in ISE that specify what RESTCONF commands or operations are permitted for different users or groups.

  3. Map Policies to Network Devices:

    • Associate these policies with specific network devices or device groups.

  4. Enforce Access Control:

    • ISE acts as an access control point, enforcing the policies you've defined. If a user tries to execute RESTCONF commands that are not allowed by the policies, ISE will deny the access.

  5. Monitoring and Logging:

    • ISE provides monitoring and logging capabilities, allowing you to track and audit the RESTCONF activities on the network devices.
0 Helpful
Customers Also Viewed These Support Documents