Cisco Employee

Cisco ISE Device admin Authz rules query

Hi Team,

I have a query regarding excluding Cisco Prime user requests (auth/authz) from the ISE nodes.

The CU has Cisco Prime in the network for monitoring and config changes. Prime has a level 15 admin user which authenticates/authorizes on every network device (20K) and pulls the required info, which creates a huge number of requests on ISE.

Is there a way to exclude the specific user, or the Prime IP, on ISE so that these auth/authz requests can proceed with minimal overhead?

 


VIP Advisor

Re: Cisco ISE Device admin Authz rules query

Well, Prime is causing an authentication event on the NAS, so in reality it's not Prime's issue - you need to configure the NAS to first perform local auth, then TACACS. But if the NAS will always do TACACS first and local user only if AAA is down, then you have no hope of avoiding the AAA call. You could put the user in the ISE Identity Group to avoid an AD/LDAP lookup.

On Cisco WLC you can set the order to be LOCAL, then TACACS. That would solve your issue. But it opens up a security issue, because users can then bypass your TACACS server by creating their own accounts - and then TACACS doesn't log the commands, etc. Bad practice. Avoid that.

If the issue is that you don't want to see these events in LiveLogs, then you can enable a Collection Filter to remove the events from the Logs (and reports too).

Administration -> System -> Logging -> Collection Filters

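The two NAS method orders the reply contrasts, shown side by side as an added Cisco IOS AAA example (this is not from the post or from Cisco; it assumes an IOS-based NAS, a placeholder ISE node address and a TACACS+ server group named ISE):

```text
! Added example, not from the original post.
! Recommended order: TACACS+ (ISE) first, local only when no ISE node answers.
aaa new-model
tacacs server ISE-PSN1
 address ipv4 192.0.2.10
 key PLACEHOLDER-SHARED-SECRET
aaa group server tacacs+ ISE
 server name ISE-PSN1
aaa authentication login default group ISE local
aaa authorization exec default group ISE local
aaa authorization commands 15 default group ISE local
! Command accounting still reaches ISE for every session that ISE authorized.
aaa accounting commands 15 default start-stop group ISE
!
! The order the reply warns against: local first. A locally created account
! never reaches ISE, so its logins and commands never appear in ISE logs.
! (Do not use; shown only to make the difference visible.)
aaa authentication login default local group ISE
```

With the recommended order the Prime requests still hit ISE on every device, which is the point of the reply: the only place to reduce the visible noise is the Collection Filter on ISE, not the method order on the NAS.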

Cisco Employee

Re: Cisco ISE Device admin Authz rules query

Hi Arne,

Thanks for highlighting the use of the Collection Filter; it can be a use case for the CU for Prime live log filtering.

WLC is not the case here, as the CU is using the TACACS feature only. In this case, I am not sure if only the Prime user can be filtered via local auth on the NAD devices. I am looking more at the ISE side: is there a way to filter the Prime user's authentication so that it is not entertained and is directly bypassed for authorization requests?

VIP Advisor (Accepted Solution)

Re: Cisco ISE Device admin Authz rules query

I don't quite follow what you've just written. But when you say "bypassed" then you surely mean "do not use TACACS at all". If your NAS sends a TACACS request to ISE then there is no concept of bypassing. ISE has to process the request. You can choose to authenticate locally (ISE internal user) - that is the only "optimisation" you can do.

Cisco Employee

Re: Cisco ISE Device admin Authz rules query

Hi Arne, thanks for the further input. I was looking at whether a specific username can be bypassed or not on ISE.