ISE LDAP authentication problem

echo
Level 1

Hello!
I am very new to ISE and I have one which is empty. I upgraded it to 3.3p4. My goal is to set it up for Cisco switch administration over TACACS+ so that the admin accounts are located in MS AD -- we want to use the already existing AD accounts (and possibly for a failover, use local accounts defined in ISE, lastly switch-local accounts). Maybe it is not important but there is already a working NAC solution for end users' computers that connect to the switches (against MS AD-integrated RADIUS servers) which I set up and also, by expanding aaa, I got the admin login (for switch administration) working against the same RADIUS servers. But we need to log the commands that admins enter so that's why we need TACACS+ and we have ISE for that. I found two possible other solutions to get this without using TACACS+ but they're not good enough. Also, I prefer not to go through "adding ISE to domain" and want to use LDAPS instead.

It has been challenging to configure ISE: so many details and possible policy elements and new terms for naming those elements, the ISE seems to be like a different kind of MS AD type of permission system. So many possibilities but to get one needed out of the possible tens or hundreds of scenarios and options is very difficult, especially for a beginner.

Anyway, I have finally defined a policy and the initial conditions are met when I try to log in: "Network access . Protocol equals" TACACS+ and "Network Condition . Allowed networks" equals True. Next is the default authentication policy Default where I have changed the Use column to the LDAP connection which includes the specific group in AD against which I want to authenticate and the attribute sAMAccountName because I want admins and myself to use the username of this form. The three lower options are default. I never get past this point because the authorization policy gets no hits.

The result when logging into switch is:

Message Text: Failed-Attempt: Authentication failed
Failure Reason: 22056 Subject not found in the applicable identity store(s)

In steps part: "User not found in LDAP Server - EIS_LDAP_GRP".

So is there anybody who has a working device authentication over TACACS+ that uses LDAPS connection? Any hints or examples about where exactly should each detail be configured?

As a last resort, I could try to set it up for local ISE authentication first and then expand to LDAPS after that.


Another thing that is unclear is about the authentication orders. There are at least two principally different ways I can think of:

1a. if an auth server (LDAPS) responds, check the user and if it is not found or password is wrong etc., auth fails,

1b. if the first auth server does not respond, try the backup and if this also fails then auth fails;

2. if an auth server (LDAPS) responds, check the user and if it is not found, go to the next type of auth server, e.g. ISE local user, and if this doesn't have the user, check the local users defined in the switch.

I am more interested in the second type of sequence but I don't understand what the proper way to define such a sequence is and where in the policy I have to use it (should I use the special sequence object or not, because I don't know the logic there).


I have read the admin guides for a while already and have tried different ways to create the policy but they don't give me clear answers about what to define where for my setup (or I haven't found it yet), which is why I am asking here.

3 Replies

Why don't you want to join ISE to AD? Every customer I have ever worked with has their NAC solution joined to AD.

Is it any better or would it make any difference? I don't do NAC here with ISE but only admin authentication (device administration) with TACACS+. I considered the LDAPS connection simpler and preferable because in any other device with a need to authenticate admins against AD for device administration, LDAPS is the usual thing to do (or RADIUS); there is no such thing as joining a domain in those devices and no need for that. If I wanted to authenticate end users (with computer certificates) on the switch ports, that is, do the NAC, the AD connection would be necessary just like the MS NPS servers need to be AD-integrated for NAC; but my need is simpler.

PSM
Level 1

@echo If you go to Administration > Identity Management > External Identity Sources and then to the LDAP connection:

1. In the "Connection" tab, what happens when you click on "Test Bind to Server"?

2. In the "Directory Organization" tab, have you defined the Subject Search Base and Group Search Base correctly?
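An offline way to reason about the 22056 "Subject not found" result, as an added example that is not part of this thread or of ISE itself: it rebuilds the subject search ISE issues (subject-name attribute equals the typed username) and checks whether a user's DN even lies beneath the configured Subject Search Base. The DNs, search bases and the account name jdoe are constructed sample values.

```python
# Added example (not from the thread): check that a user's DN sits under the configured
# Subject Search Base, which is one common reason ISE answers "22056 Subject not found".
# All DNs, bases and the account name below are constructed sample values.

def split_dn(dn: str) -> list:
    """Split a DN into normalized RDNs ("ou=admins", "dc=corp", ...), honouring '\\,' escapes."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # keep an escaped char (e.g. '\,') inside the RDN
            cur.append(dn[i:i + 2]); i += 2; continue
        if ch == ",":
            parts.append("".join(cur).strip().lower()); cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur).strip().lower())
    return parts

def dn_in_scope(user_dn: str, search_base: str) -> bool:
    """True if user_dn is the base itself or lies beneath it (LDAP subtree scope)."""
    u, b = split_dn(user_dn), split_dn(search_base)
    return len(u) >= len(b) and u[len(u) - len(b):] == b

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a typed username cannot change the filter's structure."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)

def subject_filter(attr: str, username: str, object_class: str = "user") -> str:
    """The subject search ISE performs: subject-name attribute equals the typed username."""
    return f"(&(objectClass={object_class})({attr}={escape_filter_value(username)}))"

def diagnose(user_dn: str, search_base: str, attr: str, username: str) -> dict:
    """Return the filter ISE would send and whether this search base could find the user."""
    return {"filter": subject_filter(attr, username),
            "in_scope": dn_in_scope(user_dn, search_base)}

if __name__ == "__main__":
    # Constructed sample: admins live in OU=NetAdmins, but one search base only covers OU=Users.
    admin_dn = "CN=Jane Doe,OU=NetAdmins,DC=corp,DC=example"
    for base in ("OU=Users,DC=corp,DC=example", "DC=corp,DC=example"):
        r = diagnose(admin_dn, base, "sAMAccountName", "jdoe")
        print(base, "->", "found" if r["in_scope"] else "22056 subject not found", r["filter"])
```

A base that is too narrow gives the same "User not found in LDAP Server" step as a wrong subject-name attribute, so check both before changing the policy.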