Cisco ISE Device admin Authz rules query

sondevi
Cisco Employee

Hi Team,

I have a query regarding excluding Cisco Prime user requests (auth/authz) to ISE nodes.

The CU has Cisco Prime in the network for monitoring/config changes. Prime has a level 15 admin user which authenticates/authorizes on every network device (20K) and pulls the required info, which creates a huge number of requests on ISE.

Is there a way to exclude the specific user, or exclude the Prime IP, on ISE from further auth/authz processing, to minimise the overhead?

 

Accepted Solution (Arne Bier):

I don't quite follow what you've just written. But when you say "bypassed" then you surely mean "do not use TACACS at all". If your NAS sends a TACACS request to ISE then there is no concept of bypassing. ISE has to process the request. You can choose to authenticate locally (ISE internal user); that is the only "optimisation" you can do.

4 Replies

Arne Bier
VIP

Well, Prime is causing an authentication event on the NAS, so in reality it's not Prime's issue. You need to configure the NAS to first perform local auth, then TACACS. But if the NAS will always do TACACS first and local user only if AAA is down, then you have no hope of avoiding the AAA call. You could put the user in the ISE Identity Group to avoid an AD/LDAP lookup.

On Cisco WLC you can set the order to be LOCAL, then TACACS. That would solve your issue. But it opens up a security issue, because users can then bypass your TACACS server by creating their own accounts, and then TACACS doesn't log the commands, etc. Bad practice. Avoid that.

If the issue is that you don't want to see these events in LiveLogs, then you can enable a Collection Filter to remove the events from the Logs (and reports too).

Administration -> System -> Logging -> Collection Filters

[Attached screenshot: collection filet.PNG]
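To make the AAA method ordering discussed in this reply concrete, here is an added example configuration for a Cisco IOS/IOS-XE NAS, written for this page and not taken from the original post or from Cisco documentation. The server name, PSN address, shared secret and usernames are placeholders; the AireOS WLC lines at the end show the ordering Arne refers to on a WLC.

```text
! --- Recommended ordering: ISE (TACACS+) first, local only as a fallback
! --- when every TACACS+ server is unreachable. Every Prime login still
! --- produces a TACACS+ request to ISE, which is the load the thread is about.
aaa new-model
!
! Assumed PSN address and placeholder shared secret; replace both.
tacacs server ISE-PSN1
 address ipv4 192.0.2.10
 key <shared-secret>
!
aaa group server tacacs+ ISE-TACACS
 server name ISE-PSN1
!
aaa authentication login default group ISE-TACACS local
aaa authorization exec default group ISE-TACACS local if-authenticated
aaa authorization commands 15 default group ISE-TACACS local if-authenticated
aaa accounting commands 15 default start-stop group ISE-TACACS
!
! Break-glass account, only reachable when ISE is down (placeholder password).
username emergency privilege 15 secret <strong-password>
!
! --- Discouraged ordering ("LOCAL, then TACACS", warned about above):
! --- a username that exists locally is authenticated on the box and ISE
! --- never sees the login, so anyone who can create a local account
! --- sidesteps ISE authorization and the central TACACS audit trail.
! aaa authentication login default local group ISE-TACACS
! username prime-poller privilege 15 secret <password>
!
! --- AireOS WLC equivalent for management users:
!   config aaa auth mgmt tacacs local      (recommended)
!   config aaa auth mgmt local tacacs      (discouraged, same reason)
```

In the recommended list the `local` method is consulted only when the TACACS+ group returns an error (no server reachable), not when ISE rejects the credentials, so a rejected Prime login is never silently retried against the local database. Keeping Prime's account in ISE, as an internal user per the advice above, is therefore the only place to trim the per-request cost without weakening the audit trail.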

Hi Arne,

Thanks for highlighting the use of the Collection Filter; it can be a use case for the CU for Prime live log filtering.

WLC is not a case here, as the CU is using the TACACS feature only. In this case, I am not sure if only the Prime user can be filtered as local auth on NAD devices. I am looking more at the ISE side: is there a way to filter the Prime user authentication so that it is not entertained, or is directly bypassed, for authorization requests?

I don't quite follow what you've just written. But when you say "bypassed" then you surely mean "do not use TACACS at all". If your NAS sends a TACACS request to ISE then there is no concept of bypassing. ISE has to process the request. You can choose to authenticate locally (ISE internal user); that is the only "optimisation" you can do.

Hi Arne, thanks for the further input. I was looking at whether a specific username can be bypassed on ISE or not.
