Only allow AD user to be used from one specific machine

NicP (Level 1)

I am planning to upgrade our network security by deploying TACACS+ login on the switches.
We already set up an AD group and a Cisco ISE server and are able to log into the switches with specific AD users.

There is a Cisco Prime server which will get its own AD user to log into these switches to manage them (currently it uses the local login credentials to access the switches).

Now the question.
We want to secure the usage of the Cisco Prime AD account by only allowing it to be used from the Prime server. We are very inexperienced in the usage of Cisco ISE and don't know its full potential yet.
Is this possible? If yes, how do you do this?

I would appreciate the help.

Accepted Solution

Mike.Cifelli (VIP Alumni)
You can definitely accomplish this using ISE device admin policies with AD security groups. Create a separate AD security group for the one AD user account that will have access into Prime. You can then create a new global device admin policy set where you would specify conditions such as Network Access Protocol EQUALS TACACS+ AND Network Access: Device IP Address equals <PRIME IP>. Set up authc as you wish using an identity sequence that contains your external AD. Then under authz conditions reference your Prime AD security group and the T+ profile.

Something to note for Prime is that you need specific attributes in order to make this work the way you expect it to. In Prime go to Administration -> Users -> Users, Roles & AAA -> User Groups. From here find the appropriate role you wish to give to your user and select 'Task List'. Copy the entire T+ custom attributes from the T+ pane. Go back to the ISE T+ profile, switch the tab to 'Raw View' and paste in the attributes you copied from Prime.

After this, if set up right, you will be all set. HTH!

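The policy-set logic the accepted answer describes, modelled as an added example (this is not ISE code and not Cisco's; it is a small simulation of how the conditions and rules combine). ISE walks the policy sets top-down, takes the first set whose conditions match, then tries that set's authorization rules in order and falls back to the set's default deny when none match. The IP addresses, AD group names, profile names and the placeholder Prime attribute string are assumptions. One distinction to keep in view when writing the conditions: 'Device IP Address' is the address of the TACACS+ client that sent the request to ISE, while the source address of the administrative session is carried separately in the TACACS+ rem_addr field (RFC 8907); the request model below carries both for contrast, and only the device address is used by a condition, as in the answer.

```python
"""Simulation of ISE device-admin policy-set evaluation (added example, not ISE code).

Policy sets are tried top-down; the first set whose conditions match handles the
request, its authorization rules are tried in order, and the set's default rule
(deny) applies when no rule matches.  All names, IPs and attributes are hypothetical.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional

PRIME_IP = "10.0.0.50"  # hypothetical <PRIME IP> from the accepted answer


@dataclass(frozen=True)
class Request:
    """One TACACS+ request as ISE sees it after authenticating the user against AD."""
    protocol: str              # ISE 'Network Access: Protocol' ("Tacacs" or "Radius")
    nad_ip: str                # ISE 'Network Access: Device IP Address' = the TACACS+ client
    user: str
    ad_groups: frozenset       # AD groups ISE retrieved for the authenticated user
    rem_addr: Optional[str] = None  # TACACS+ rem_addr: source of the admin session,
                                    # carried separately from nad_ip; unused by conditions


@dataclass(frozen=True)
class Decision:
    allowed: bool
    policy_set: str
    rule: str
    profile: Optional[str] = None   # name of the T+ profile that was handed back
    attributes: tuple = ()          # raw-view attributes of that profile


@dataclass
class AuthzRule:
    name: str
    match: Callable[[Request], bool]
    profile: Optional[str]          # None means this rule denies
    attributes: tuple = ()


@dataclass
class PolicySet:
    name: str
    conditions: Callable[[Request], bool]
    rules: List[AuthzRule]


def evaluate(policy_sets: List[PolicySet], req: Request) -> Decision:
    """Return the first matching policy set's decision; deny when nothing matches."""
    for ps in policy_sets:
        if not ps.conditions(req):
            continue                       # conditions fail: try the next policy set
        for rule in ps.rules:
            if rule.match(req):
                return Decision(rule.profile is not None, ps.name, rule.name,
                                rule.profile, rule.attributes)
        return Decision(False, ps.name, "Default")   # set matched, no rule did: default deny
    return Decision(False, "(none)", "no policy set matched")


# Hypothetical policy sets mirroring the answer: a dedicated set for Prime (matched
# on protocol and device IP, authorizing only the dedicated AD group), followed by
# the general switch-admin set.
POLICY_SETS = [
    PolicySet(
        name="Prime",
        conditions=lambda r: r.protocol == "Tacacs" and r.nad_ip == PRIME_IP,
        rules=[
            AuthzRule("Prime service account",
                      lambda r: "Prime-Admins" in r.ad_groups,
                      "Prime-TACACS-Profile",
                      ("role0=<attributes copied from the Prime task list>",)),
        ],
    ),
    PolicySet(
        name="Switch admins",
        conditions=lambda r: r.protocol == "Tacacs",
        rules=[
            AuthzRule("Network admins",
                      lambda r: "Network-Admins" in r.ad_groups,
                      "Priv15-Shell", ("priv-lvl=15",)),
        ],
    ),
]


if __name__ == "__main__":
    # Constructed sample requests: the Prime account from the Prime server, the same
    # account arriving via a switch, and a regular admin from each place.
    samples = [
        Request("Tacacs", PRIME_IP, "prime-svc", frozenset({"Prime-Admins"})),
        Request("Tacacs", "10.0.1.1", "prime-svc", frozenset({"Prime-Admins"}), rem_addr=PRIME_IP),
        Request("Tacacs", "10.0.1.1", "alice", frozenset({"Network-Admins"})),
        Request("Tacacs", PRIME_IP, "alice", frozenset({"Network-Admins"})),
    ]
    for req in samples:
        d = evaluate(POLICY_SETS, req)
        print(f"{req.user:10} from {req.nad_ip:10} -> {d.policy_set}/{d.rule}: "
              f"{'PERMIT ' + str(d.profile) if d.allowed else 'DENY'}")
```

The fourth sample is the one worth noticing: a regular admin whose request matches the Prime policy set's conditions is denied there, because once a policy set matches ISE does not fall through to a later set; keep that in mind when ordering the sets and choosing their conditions.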

hslai (Cisco Employee)

Mike.Cifelli is correct.

You might also be interested in our resources page on device admin, ISE Device Administration resources for TACACS+ and RADIUS; specifically, the ISE Device Administration Prescriptive Deployment Guide has some examples on Prime Infrastructure.