ISE and AAA configuration

Hi Guys,

I am using ISE with only one server as primary, and as Cisco says, it has the functionality of (ACS + NAC). I want to enable AAA services on the ISE box right now.

I used the ACS earlier and want to configure the same functions on it.

Authentication of devices from ISE when remote login to router/switches/firewalls.

Authorization of commands from ISE based on user login.

Accounting of commands and login and logout details of users.

I have very basic knowledge of ISE, but I used ACS thoroughly.

Please help with the above issue.

Thanks in Advance

Regards

Accepted Solutions

You probably used TACACS+ with your ACS; you can't migrate that functionality to ISE as the ISE doesn't support TACACS+. You have to keep the device-admin-stuff on the ACS.


Hi Karsten,

Thanks for the reply. Will it be possible to configure authentication of devices from ISE? Let's say when I SSH to the device, it asks for a username and password from the ISE database.

Yes, the Authentication can be done with RADIUS. But all your Authorization-stuff is highly limited. Let's hope for an ISE with TACACS+ sometime in the future ...

Can you give any link where it shows TACACS is not supported?

Can you tell me where I need to enable these settings for AAA services?

Thanks in advance

Faisal,

When you enter the network device in ISE, you will see under the authentication setting that there is no entry for a TACACS shared secret.

http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_man_network_devices.html

You can get an answer through your Cisco account team on a tentative timeline on when TACACS will be released.

Can you give any link where it shows TACACS is not supported?

You find that amongst others in the Q&A:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/qa_c67-658591.html

Can you tell me where I need to enable these settings for AAA services?

That's a quite complex thing ... Best you start with the ISE policies:

http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_authz_polprfls.html

Then look at the ACS migration-tool:

http://www.cisco.com/en/US/docs/security/ise/1.0.4/migration_guide/ise104_mig_book.html

But don't expect that the tool will migrate your ACS policies in a useful way ... There is a lot of manual work involved to end up with a good ISE policy.
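
The RADIUS-only setup discussed in this thread, as an added example that is not from any of the posters: a Cisco IOS configuration that maps the three requests in the question (authentication, authorization, accounting) onto what RADIUS can carry. The address 192.0.2.10, the names ISE-PSN1 and ISE-RADIUS, the localadmin account and both secrets are placeholders. It assumes the ISE authorization profile returns the Cisco AV pair shell:priv-lvl in the Access-Accept to set the privilege level.

```cisco
! Added example (constructed): IOS device-admin AAA against ISE over RADIUS.
! 192.0.2.10, ISE-PSN1, ISE-RADIUS, localadmin and the secrets are placeholders.
aaa new-model
!
! Local break-glass account, used only when ISE does not respond
username localadmin privilege 15 secret <LOCAL-FALLBACK-SECRET>
!
radius server ISE-PSN1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <RADIUS-SHARED-SECRET>
!
aaa group server radius ISE-RADIUS
 server name ISE-PSN1
!
! 1. Authentication: remote logins are checked against ISE, local as fallback
aaa authentication login default group ISE-RADIUS local
!
! 2. Authorization: RADIUS only places the user at a privilege level at login
!    (assumed ISE reply attribute: cisco-av-pair = shell:priv-lvl=<level>)
aaa authorization exec default group ISE-RADIUS local if-authenticated
!
! 3. Accounting: session start/stop records, i.e. login and logout
aaa accounting exec default start-stop group ISE-RADIUS
!
! There are deliberately no "aaa authorization commands" or
! "aaa accounting commands" lines: IOS performs per-command authorization
! and per-command accounting only with TACACS+, which is why the
! command-level functions from ACS do not carry over to this setup.
!
line vty 0 4
 transport input ssh
 login authentication default
```

Test the fallback path with ISE unreachable before closing the existing session, so that a wrong shared secret or method list does not lock you out of the device.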