
Cisco authorization

Moudar
VIP

Hi

We are using Cisco ISE as our RADIUS server. We have a policy that allows us to log in to our Cisco devices.

The problem is that there is no segmentation that will prevent others from reaching our devices for example our switches and routers.

Is there a way to apply something in ISE so that only a few PCs can reach the switch and router network?

I checked downloadable ACLs, but with these you cannot use a host (DNS name), only IP addresses. What I need to accomplish is to allow some PCs to reach the switch and router network and no one else.

Today we use an authorization policy which has a condition that contains all our devices and users added to an AD group. If these conditions are met, then you can log in to the switch. Even if you are not in that group, you can still try to log in.

I don't want anybody to have the ability to try, only some PCs belonging to the network team.

Is there any way to do it in ISE?

Any suggestions for segmentation? For example, we have 192.168.1.0, 192.168.2.0, 192.168.3.0 and 192.168.4.0. These subnets are only switches and routers. We use static routes, which make segmentation more difficult. Our design is very old, and no one wants to touch the routes. Maybe ISE can help us in this situation.

Accepted Solution

@Moudar the standard way to control access to switches and routers is to configure an ACL on the device and apply it to the VTY lines. Example:

ip access-list standard ACL-MGMT
 ! only the management subnet may open VTY sessions
 permit 192.168.10.0 0.0.0.255
 ! everything else is dropped and logged
 deny any log
!
line vty 0 15
 ! the access-class name must match the ACL name exactly
 access-class ACL-MGMT in

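As an added example (not from this thread or from Cisco), a small Python check that parses the standard ACL and vty stanzas of a saved running-config, reports vty ranges that have no access-class or one naming an ACL that is not defined (the kind of ACL-MGMT versus ACL_MGMT mismatch that is easy to introduce; IOS applies no filtering when the named ACL does not exist, so such a slip silently leaves the lines open), and evaluates which source addresses the ACL admits. The sample config is constructed, and the parser assumes each ACL entry is either "any" or an address followed by a wildcard mask.

```python
import ipaddress
# Constructed sample, not from the thread: the accepted answer's ACL plus a
# second vty range whose access-class carries the ACL-MGMT / ACL_MGMT typo.
SAMPLE_CONFIG = """\
ip access-list standard ACL-MGMT
 permit 192.168.10.0 0.0.0.255
 deny any log
!
line vty 0 4
 access-class ACL-MGMT in
line vty 5 15
 access-class ACL_MGMT in
"""

def parse_config(text):
    # Returns ({acl_name: [(action, network)]}, {vty_range: acl_name_or_None})
    acls, vtys, acl, vty = {}, {}, None, None
    for raw in text.splitlines():
        toks = raw.split()
        if raw.startswith("ip access-list standard "):
            acl, vty = toks[-1], None
            acls[acl] = []
        elif raw.startswith("line vty "):
            vty, acl = " ".join(toks[1:]), None
            vtys[vty] = None
        elif acl and toks and toks[0] in ("permit", "deny"):
            if toks[1] == "any":
                net = ipaddress.IPv4Network("0.0.0.0/0")
            else:  # address + IOS wildcard mask: invert the wildcard into a netmask
                netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(toks[2])))
                net = ipaddress.IPv4Network((toks[1], str(netmask)))
            acls[acl].append((toks[0], net))
        elif vty and toks and toks[0] == "access-class":
            vtys[vty] = toks[1]
        elif not raw.startswith(" "):
            acl = vty = None  # top-level line such as "!": the stanza ended
    return acls, vtys

def source_permitted(entries, src):
    # Top-down first match as IOS does, with the implicit deny at the end
    for action, net in entries:
        if ipaddress.IPv4Address(src) in net:
            return action == "permit"
    return False

def audit(text):
    # Flag vty ranges with no access-class or with one naming an undefined ACL
    acls, vtys = parse_config(text)
    return [f"{v}: access-class {n} names an undefined ACL" if n else f"{v}: no access-class"
            for v, n in vtys.items() if n not in acls]
```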

7 Replies


You mean it is not recommended to do such a thing through ISE, or there is no way to do it in ISE?

@Moudar ISE can be used for user authentication (RADIUS/TACACS) to the device; the VTY line controls which source IP addresses the user can connect from.

You could implement TrustSec SGACL (deployed via ISE) to restrict traffic on the switches, but that is generally used for controlling the endpoints/users and not to restrict management access to the devices themselves, so that would be overkill. Stick with the VTY ACL as suggested.

Users use dot1x auth.

Devices use login auth.

These two must be separated in ISE.

A device added to AD cannot access as a user, and users cannot access as a device.

Would you explain your point more?

ISE replies to the switch's requests with an attribute.

The attribute for login is different than dot1x and hence there is already separation in ISE.

Charlie Moreton
Cisco Employee

TACACS+ (Device Admin)