08-14-2019 07:40 PM
Hi Guys,
I'm trying to find out what the best way would be to control access to our ISE PSNs via SSH. At this moment SSH is enabled, which permits access to the devices from almost anywhere in the LAN.
Are there options to enable host based ACLs to permit access from only certain IP addresses/subnets?
Thank you
08-15-2019 09:28 AM
08-18-2019 03:16 PM - edited 08-18-2019 04:13 PM
Hi @VinnyR
You can achieve this through the Admin Access List in the ISE GUI. I thought this only applied to GUI access, but I was pleasantly surprised to find that it also applies to the CLI access.
Having said that, I don't have a distributed deployment to test this on - in my case I am using all-in-one Node.
Below I tested this by only allowing my NOC to access ISE from a wired LAN subnet 192.168.100.0/24
Accessing the GUI from any other subnet will show this as a result:
On the SSH access, you won't get a TCP connection success - the session will just hang.
Make sure you test this (or implement this) in a sensible manner. I don't know how to revert this change if you should cut yourself off from the Admin GUI. There doesn't seem to be a CLI command to revert the changes via console. Be very careful!
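A pre-change check for the lockout risk raised in the answer above, as an added example that is not part of the original post or of ISE itself: it verifies that every address you administer ISE from (GUI and SSH) falls inside the proposed Admin Access List before you commit it, and includes a TCP probe that distinguishes a refused connection from the silent hang the post describes for SSH. The allow-list entries, source addresses and hostnames are constructed sample values.

```python
import ipaddress
import socket

# Constructed sample: the proposed ISE Admin Access List (NOC subnet only, as in the answer)
PROPOSED_ALLOW_LIST = ["192.168.100.0/24"]


def is_allowed(source_ip, allow_list):
    """True if source_ip lies inside any allowed entry; bare host entries are treated as /32."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in allow_list)


def lockout_check(allow_list, admin_sources):
    """Return the admin sources (label -> IP) that the proposed list would cut off.

    Run this for every address you use for GUI and SSH access (workstation, jump host,
    monitoring) so the list is never applied without your own session still permitted."""
    return {label: ip for label, ip in admin_sources.items() if not is_allowed(ip, allow_list)}


def probe_tcp(host, port, timeout=3.0):
    """Classify a TCP connect attempt after the change is applied.

    'open'       - handshake completed (source is on the allow list)
    'refused'    - RST received (service not listening, not an ACL effect)
    'filtered'   - no answer before timeout: the silent hang the post describes for SSH
    'unresolved' - hostname did not resolve (placeholder or DNS problem)"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.gaierror:
        return "unresolved"
    except OSError:  # includes TimeoutError / socket.timeout
        return "filtered"


if __name__ == "__main__":
    # Constructed sample sources: the browser is on the NOC subnet, the SSH jump host is not
    sources = {"gui-workstation": "192.168.100.25", "ssh-jumphost": "10.10.5.7"}
    blocked = lockout_check(PROPOSED_ALLOW_LIST, sources)
    if blocked:
        print("Do NOT apply: these admin sources would be locked out:", blocked)
    else:
        print("Allow list covers all admin sources; safe to apply.")
    # Hypothetical ISE node name; probe both admin ports after the change is committed
    for port in (22, 443):
        print("ise-psn01.example.net", port, probe_tcp("ise-psn01.example.net", port))
```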
08-20-2019 02:57 AM