ISE Azure REST/ROPC for Device Admin

dm2020
Beginner

Hi All,

I have been testing ISE with Azure ROPC for EAP-TTLS and AnyConnect VPN authentication. Both of these work ok. As both of these use-cases support PAP, I'm assuming that it is also supported to use Azure ROPC for RADIUS and TACACS device administration?

I have been doing some testing and RADIUS admin works ok, as we can use Azure ROPC for user authentication and then use the Azure AD identity source within an authorisation policy to map an Azure AD group to the required authorisation profile (such as Priv15 for switches).

With TACACS, authentication works ok; however, there doesn't seem to be an option to select the Azure AD identity source as a condition within the TACACS authorisation policy, so we can't use Azure AD groups for allocating granular command sets/shell profiles.

Has anyone else looked into this?

Accepted Solutions

Greg Gibbs
Cisco Employee

Neither the Authentication nor Authorization Policies for Device Admin (TACACS+) currently support REST ID/ROPC Identity Sources or attributes in any shipping version of ISE.

Thanks @Greg Gibbs. I'm assuming that Network/Device Admin with RADIUS is fully supported then?

That is not a documented use case for ROPC, but both use cases would use simple password-based authentication. The endpoint auth use case would use EAP-TTLS(PAP) and the device admin use case would use simple PAP.

I did a basic test using a CSR1000v configured for RADIUS and authentication using AzureAD via ROPC did work. My authorization policy used a group membership check against AzureAD and the condition matched as expected.

Detailed log:

Screenshot 2023-02-27 at 10.45.33 am.png
