10-04-2018 03:08 PM
My customer implemented the SDA environment using ISE 2.3-P2 and DNA-C 1.1.7. All the fabric devices are in the All Locations / All Device Types groups.
We are looking to find a way to implement a TACACS policy for the SDA devices that does not use the All Locations / All Device Types groups they are located in, as we have many other devices across different departments.
Below shows the IT devices around the highlighted SDA devices, which are currently located in “All Locations / All Device Types”, into groups like those shown for the other devices in the list.
Can we move the DNA-C configured devices from All Locations / All Device Types to a specific group in ISE? Or do they have to remain in the Default group?
After discussing with DNA-C TAC, this is not tested and can cause issues if we re-configure them from ISE, and can cause potential issues later on. Though, they were able to test it in the lab environment and it worked.
Just to mention that this is a greenfield deployment, but the customer has discovered this over the last week since moving equipment onto ISE. They are migrating a major live site and need a solution asap.
What are the best practices for such a use case, or what is the way forward in this situation?
10-04-2018 03:32 PM - edited 10-04-2018 03:33 PM
You can create alternate network device groups at the root level and build out a sub tree that suits TACACS. This way you don't have to modify any device types or locations.
10-05-2018 12:38 AM
Per my understanding, we should not manually change the config from ISE once it is managed by DNA-C. Hence, we are looking for a better solution to implement the TACACS+ policy for the fabric devices.
Please correct me if I misunderstood the above.
I am also wondering if we could use SGTs linked to AD groups that provide access to log in to fabric devices for management access via TACACS+? Just a thought.
10-05-2018 11:32 AM
10-05-2018 12:09 PM
> we should not manually change the config from ISE once it is managed by DNA-C.
> Hence, we are looking for the better solution to implement the tacacs+ policy for the fabric devices.
Please be careful not to confuse DNAC contracts, which are replicated as Scalable Group Tags (SGTs) and Scalable Group ACLs (SGACLs) in the ISE TrustSec policy matrix! These are totally different from TACACS+ policy, which is totally separate from DNAC segmentation policy configuration.
Damien is correct that if you want to implement TACACS+ CLI authorizations for fabric-enabled devices, you need to use Network Device Groups (NDGs) to group and then use in your TACACS+ policies for fabric vs non-fabric devices.
The creation of NDGs and grouping/labeling/tagging your network devices in these groups in ISE does not affect network device configuration state - this is kept entirely within ISE. You may then use these groups to create granular policies based on these attributes (fabric, non-fabric, wireless, switches, 5525, sjc, red, managed, etc.)
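To illustrate what the two answers describe (an extra NDG root hierarchy alongside Location and Device Type, and TACACS+ policy-set conditions keyed on that hierarchy while the DNA-C-managed devices stay in All Locations / All Device Types), here is an added Python model written for this thread. It is not ISE code and calls no ISE API; the "Fabric" hierarchy, device names, addresses and policy-set names are constructed, and the parent-matches-children rule is modelled on how ISE evaluates NDG conditions.

```python
from dataclasses import dataclass, field

# NDG root hierarchies: ISE's two built-in ones plus a custom root added for
# TACACS+ (constructed name). Each is an independent tree; a device holds
# exactly one node per hierarchy, so tagging it under "Fabric" never touches
# its Location or Device Type membership.
HIERARCHIES = {
    "Location": "All Locations",
    "Device Type": "All Device Types",
    "Fabric": "Fabric",  # custom root; "Fabric#SDA" and "Fabric#Non-SDA" hang off it
}


@dataclass
class NetworkDevice:
    name: str
    ip: str
    ndg: dict = field(default_factory=dict)  # hierarchy -> full NDG path

    def __post_init__(self):
        # A newly added device sits at the root of every hierarchy until moved.
        for hierarchy, root in HIERARCHIES.items():
            self.ndg.setdefault(hierarchy, root)


def assign_ndg(device, hierarchy, path):
    """Tag a device within one hierarchy. Only ISE-side metadata changes;
    nothing is pushed to the device, so a DNA-C managed box is unaffected."""
    root = HIERARCHIES[hierarchy]
    if path != root and not path.startswith(root + "#"):
        raise ValueError(f"{path!r} is not under the {hierarchy!r} root {root!r}")
    device.ndg[hierarchy] = path


def ndg_matches(device_path, condition_path):
    """Hierarchical match as ISE applies it: a condition on a group also
    matches every sub-group beneath it (paths are Root#Child#Grandchild)."""
    return device_path == condition_path or device_path.startswith(condition_path + "#")


@dataclass
class PolicySet:
    name: str
    conditions: dict  # hierarchy -> NDG path; all must match (AND)

    def matches(self, device):
        return all(ndg_matches(device.ndg[h], p) for h, p in self.conditions.items())


def select_policy_set(device, policy_sets, default="Default"):
    """First policy set whose conditions match wins, as in ISE's ordered list."""
    for policy_set in policy_sets:
        if policy_set.matches(device):
            return policy_set.name
    return default


def build_demo():
    """Constructed inventory: two SDA fabric devices left in the built-in root
    groups, one IT switch placed by location, one device in no specific group."""
    fabric_edge = NetworkDevice("sda-edge-1", "10.0.0.1")
    fabric_border = NetworkDevice("sda-border-1", "10.0.0.2")
    for dev in (fabric_edge, fabric_border):
        assign_ndg(dev, "Fabric", "Fabric#SDA")  # the only change made for them

    it_switch = NetworkDevice("it-sw-1", "10.0.1.1")
    assign_ndg(it_switch, "Location", "All Locations#HQ#Floor2")  # sub-group of HQ
    assign_ndg(it_switch, "Device Type", "All Device Types#Switches")

    ungrouped = NetworkDevice("lab-ap-1", "10.0.2.1")

    policy_sets = [
        PolicySet("TACACS-Fabric", {"Fabric": "Fabric#SDA"}),
        PolicySet("TACACS-IT", {"Location": "All Locations#HQ"}),
    ]
    devices = (fabric_edge, fabric_border, it_switch, ungrouped)
    decisions = {d.name: select_policy_set(d, policy_sets) for d in devices}
    return decisions, fabric_edge


if __name__ == "__main__":
    result, edge = build_demo()
    for name, chosen in result.items():
        print(f"{name:14} -> {chosen}")
    print("sda-edge-1 still in:", edge.ndg["Location"], "/", edge.ndg["Device Type"])
```

The fabric devices are matched by the TACACS-Fabric policy set purely through the custom hierarchy, while their Location and Device Type memberships remain the untouched roots; the IT switch on a sub-group of HQ is caught by the HQ condition because matching is hierarchical, and a device in no specific group falls through to the default set.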