10-10-2024 02:19 PM
Hi all!
My company currently has a TACACS cluster that serves as a primary authentication service for all of our network devices including other ISE clusters for RADIUS or Guest/BYOD services etc. Currently and historically we have our RADIUS ISE admin GUI/CLI authentication going to our TACACS servers via the RADIUS protocol [Radius Token ID Source], we also had local admin groups populated with active directory usernames that were allowed to make changes or view the ISE config etc.
So if I go to login to our RADIUS ISE cluster my authentication will show up on our "TACACS" servers RADIUS logs.
What we are wanting to do is to get rid of the locally defined admin groups and define a few Active Directory groups whose members can either view or change our ISE environment. So I guess I'm looking for a resource that will show me what I need to configure, both on my production ISE [RADIUS] clusters AND on the ISE TACACS authentication side to allow us to control logins via AD groups. To put it another way, I want my TACACS cluster to proxy the authentications for all other ISE clusters [administrative access] using active directory group membership and not leveraging local accounts or groups as much as possible. Thanks for any help.
I'm pretty sure I'll need to change the login identity source to Active Directory [on the various ISE clusters] but I'm not sure what else needs to be configured to make this work.
Solved! Go to Solution.
10-10-2024 03:42 PM
In addition to what you said in your last sentence, once you have done that, you need to define the Data and Menu Access Permissions (for RBAC) - there are pre-defined Super Admin Menu and Super Admin Data you can re-use to replicate the admin RBAC.
Then you define a new Admin Group that references the AD Group you want to use (assuming you imported it already under the External Identity Sources).
Then under RBAC Policies, you create a new RBAC Policy that ties the Group to the Menu/Data. Rinse and repeat for other AD Groups (if required)
10-10-2024 03:42 PM
In addition to what you said in your last sentence, once you have done that, you need to define the Data and Menu Access Permissions (for RBAC) - there are pre-defined Super Admin Menu and Super Admin Data you can re-use to replicate the admin RBAC.
Then you define a new Admin Group that references the AD Group you want to use (assuming you imported it already under the External Identity Sources).
Then under RBAC Policies, you create a new RBAC Policy that ties the Group to the Menu/Data. Rinse and repeat for other AD Groups (if required)
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide