08-23-2017 12:06 AM
Hello ISE team,
Input on the following question is appreciated: Thanks!
Subject: ISE Network Device Profiles
Andy – Can you send the following challenge up to your ISE team and help us determine if the following is indeed the best we’re going to be able to do…
Goal
At present, we’re having to add every single device into ISE, and manually map the device profile.
My expectation is that there is some attribute the device has to tell ISE/TACACS “I’m an ASA”, or “I’m a router” with us having to manually define that over and over.
Is this possible, and if so how?
Thanks for your help.
08-23-2017 05:26 AM
There isn't a way I know of. I always add all the devices into ISE. There are two reasons for this:
Adding a NAD takes less than 5 seconds (duplicate an existing NAD of the same type, change the IP, change the name), and you can bulk import from a CSV, so adding 100s of NADs in a few seconds is also easy.
You can also define a default network device in ISE and set up a policy for that. I have done that for large customers so if they forget to add the NAD to ISE, a certain set of people will still be able to log into that device with TACACS.
08-23-2017 05:37 AM
Correct as always, Paul.
There is no sensing or handshake built into the RADIUS or TACACS protocols; that's up to SNMP.
The only time you get any indication of device type is when you use the visibility setup wizard to scan your management network via SNMP, but you still need to assign them to device groups etc.
The VSW is only used on initial setup of ISE to start showing the rich context ISE is able to provide to the organization
08-23-2017 01:14 PM
You could submit an enhancement request for this. There was discussion to do this with VSW but it is not committed.
In addition to import via CSV, there is also the ERS API, which can create/update virtually all aspects of a NAD. I assume you or the customer already has a list of all valid access devices. This can be used to mass populate location (very valuable), NAD profile, SNMP and RADIUS/TACACS+ settings, etc. Note that it is also possible to have multiple NAD profiles for a given vendor, so even then it would be a default vs. specific profile.
/Craig
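As an added example (not code from this thread or from Cisco), the following Python script shows the CSV-plus-ERS approach Craig describes: it reads a constructed device inventory, maps each row's platform to a NAD profile name, validates IPs, collapses duplicate rows, and builds the JSON bodies for the ERS `networkdevice` resource. The CSV columns, the platform-to-profile mapping, the Location group names and the exact ERS field names are assumptions; check the latter against the ERS SDK page of your ISE deployment before posting.

```python
import csv
import io
import ipaddress
import json

# Constructed sample inventory (not from the thread). "platform" is mapped to a
# NAD profile; "site" becomes a Location device group assumed to exist in ISE.
INVENTORY_CSV = """hostname,ip,platform,site
fw-edge-01,10.0.0.1,asa,HQ
rtr-core-01,10.0.0.2,ios,HQ
sw-access-01,10.0.1.10,ios,Branch1
sw-access-01,10.0.1.10,ios,Branch1
bad-row,10.0.0.999,ios,HQ
wlc-01,10.0.2.1,aireos,HQ
"""

# Assumed mapping of platform name to ISE network device profile name.
# "Cisco" is a built-in profile; other names would be profiles you created.
PLATFORM_TO_PROFILE = {"asa": "Cisco", "ios": "Cisco"}

def build_nad_payloads(csv_text, tacacs_secret):
    """Turn inventory rows into ERS NetworkDevice JSON bodies.

    Field names are assumed from the ERS SDK NetworkDevice resource.
    Bad IPs and unknown platforms are reported, not silently dropped, and
    exact duplicate rows are collapsed so a re-run does not create duplicates.
    """
    payloads, errors, seen = [], [], set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["hostname"], row["ip"])
        if key in seen:
            continue
        seen.add(key)
        try:
            ip = str(ipaddress.ip_address(row["ip"].strip()))
        except ValueError:
            errors.append(f"{row['hostname']}: invalid IP {row['ip']!r}")
            continue
        profile = PLATFORM_TO_PROFILE.get(row["platform"].lower())
        if profile is None:
            errors.append(f"{row['hostname']}: unknown platform {row['platform']!r}")
            continue
        payloads.append({"NetworkDevice": {
            "name": row["hostname"],
            "profileName": profile,
            "NetworkDeviceIPList": [{"ipaddress": ip, "mask": 32}],
            "NetworkDeviceGroupList": [f"Location#All Locations#{row['site']}"],
            "tacacsSettings": {"sharedSecret": tacacs_secret},
        }})
    return payloads, errors

def post_nads(session, base_url, payloads):
    """POST each body to ERS on port 9060; session carries ERS admin credentials."""
    hdrs = {"Content-Type": "application/json", "Accept": "application/json"}
    url = f"{base_url}/ers/config/networkdevice"
    return [session.post(url, headers=hdrs, data=json.dumps(p)).status_code for p in payloads]
```

Pass the TACACS+ shared secret in from a vault or environment variable rather than the CSV, and review the `errors` list before calling `post_nads` with a `requests.Session` authenticated as an ERS admin.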
09-07-2017 09:04 AM
Thanks all!