1737 Views, 10 Helpful, 3 Replies

Pushing Configuration Changes with ISE

latenaite2011 (Level 4)

Is there a way to push configuration changes to ISE like what Cisco Works is able to do?

Accepted Solution

Damien Miller (VIP Alumni)

Yes, but in an extremely limited way. Not at all like Prime, APIC-EM, DNA, or Works. You can have port VLANs and dACLs pushed during a user authentication flow, for example.

You cannot configure things that I would normally consider infrastructure commands: RADIUS servers, QoS, STP, routing, static ACLs, etc. Basically anything outside of the realm of authenticating and securing a user. ISE is the policy server, not a replacement for the others listed above. I do however wish ISE could audit NAD config in a useful way.
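To make the "pushed during a user authentication flow" point concrete, here is an added example (not Cisco or ISE code) that encodes and decodes the RADIUS Access-Accept attributes a policy server returns to a switch to assign a VLAN and a downloadable ACL: the RFC 2868 tunnel attributes for the VLAN and Cisco vendor-specific `cisco-av-pair` entries of the form `ip:inacl#N=...` for the dACL. The VLAN number, the ACL lines and the tag value are constructed sample data; the attribute numbers and layouts are the standard ones.

```python
import struct

# RADIUS attribute types (RFC 2865, RFC 2868) and the values used for VLAN
# assignment (RFC 3580) and Cisco dACLs (cisco-av-pair "ip:inacl#N=...")
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
VENDOR_SPECIFIC = 26
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1


def _avp(attr_type, value):
    """Type-Length-Value encoding of one RADIUS attribute (length covers the 2-byte header)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value longer than 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _tagged_int(attr_type, tag, value):
    # RFC 2868 tagged integer: one tag byte followed by the low three bytes of the value
    return _avp(attr_type, bytes([tag]) + struct.pack("!I", value)[1:])


def _tagged_string(attr_type, tag, text):
    return _avp(attr_type, bytes([tag]) + text.encode())


def cisco_avpair(text):
    """Vendor-Specific attribute carrying one cisco-av-pair (vendor 9, sub-type 1)."""
    data = text.encode()
    vsa = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, len(data) + 2) + data
    return _avp(VENDOR_SPECIFIC, vsa)


def build_authz_attributes(vlan_id, dacl_aces, tag=1):
    """Attributes for an Access-Accept that assigns a VLAN and a downloadable ACL."""
    attrs = _tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
    attrs += _tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
    attrs += _tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id))
    for n, ace in enumerate(dacl_aces, start=1):
        attrs += cisco_avpair("ip:inacl#%d=%s" % (n, ace))
    return attrs


def parse_attributes(data):
    """Split a RADIUS attribute blob into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length at offset %d" % i)
        out.append((attr_type, data[i + 2:i + length]))
        i += length
    return out


def summarize_authz(data):
    """What the switch would apply: the VLAN and the dACL entries, in order."""
    result = {"vlan": None, "dacl": []}
    for attr_type, value in parse_attributes(data):
        if attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # A leading byte of 0x00..0x1F is an RFC 2868 tag, otherwise it is text
            body = value[1:] if value and value[0] <= 0x1F else value
            result["vlan"] = int(body.decode())
        elif attr_type == VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id, sub_type, sub_len = struct.unpack("!IBB", value[:6])
            if vendor_id == CISCO_VENDOR_ID and sub_type == CISCO_AVPAIR:
                text = value[6:4 + sub_len].decode()
                if text.startswith("ip:inacl#"):
                    result["dacl"].append(text.split("=", 1)[1])
    return result


if __name__ == "__main__":
    # Constructed authorization result: VLAN 20 plus a two-line dACL (sample data)
    blob = build_authz_attributes(20, ["permit tcp any any eq 443", "deny ip any any"])
    print(blob.hex())
    print(summarize_authz(blob))
```

The point of decoding the blob is that everything the switch enforces for that session arrives as data in the Access-Accept: the port-level VLAN and ACL are driven by the authorization policy, while the rest of the NAD's configuration (the RADIUS server definitions, QoS, STP, routing and static ACLs mentioned above) is never touched by this exchange.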

3 Replies


Thank you Damien for your quick response.

How about finding unused ports and shutting those down?

No, that's not possible from ISE. I think the closest you could get is a port config status report from Context Visibility > Network Devices > Port Config Status > Run on All/Selected. This uses SNMP to poll the switch, but it only returns minimal port-related config, with no way to act on it.

When I think about unused ports and the security risk they present to an enterprise, I think ISE can be leveraged in a more efficient way than shutting down ports. Eventually the goal is to get your switches to a closed-mode state, where if an endpoint plugs in and is not allowed to be on the network, then you have restricted them via the access policy. You can couple this with TrustSec to further secure known endpoints with scalable group tags, and limit host-to-host communication at your preference based on their authentication results. It might not work for all environments, but it is a nice approach.
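Since the report above polls the switch over SNMP but cannot act on the result, here is an added example (not ISE or Cisco code) of the unused-port check done outside ISE on the same kind of data: the IF-MIB columns ifAdminStatus, ifOperStatus and ifLastChange, plus sysUpTime. The interface table below is constructed sample data rather than a real poll, the 30-day threshold and the skipped interface prefixes are assumptions, and the generated `shutdown` lines are meant to be reviewed, not pushed blindly. The one edge case it handles is that ifLastChange is relative to the last reboot, so a threshold longer than the switch's uptime cannot be evaluated and is refused rather than silently passing every port.

```python
from dataclasses import dataclass

TICKS_PER_DAY = 100 * 86400  # SNMP TimeTicks are hundredths of a second

# IF-MIB ifAdminStatus / ifOperStatus enumerations
UP, DOWN = 1, 2


@dataclass
class Port:
    if_index: int
    if_descr: str
    admin_status: int
    oper_status: int
    last_change: int  # ifLastChange: sysUpTime (ticks) when ifOperStatus last changed; 0 = since boot


def uptime_sufficient(sys_uptime, min_idle_days):
    """ifLastChange only reaches back to the last reboot, so a threshold beyond uptime is unprovable."""
    return sys_uptime >= min_idle_days * TICKS_PER_DAY


def idle_days(port, sys_uptime):
    return (sys_uptime - port.last_change) / TICKS_PER_DAY


def find_unused_ports(ports, sys_uptime, min_idle_days=30,
                      skip_prefixes=("Vlan", "Loopback", "Port-channel", "Null")):
    """Physical ports that are admin up but have been link-down for at least min_idle_days."""
    if not uptime_sufficient(sys_uptime, min_idle_days):
        raise ValueError("switch uptime is shorter than the idle threshold; poll again later")
    unused = []
    for p in ports:
        if p.if_descr.startswith(skip_prefixes):
            continue  # logical interfaces are not candidates for shutdown
        if p.admin_status != UP or p.oper_status != DOWN:
            continue  # in use, or already shut down
        if idle_days(p, sys_uptime) >= min_idle_days:
            unused.append(p.if_descr)
    return unused


def shutdown_commands(if_names):
    """IOS configuration lines to disable the listed interfaces (review before applying)."""
    lines = []
    for name in if_names:
        lines += ["interface %s" % name, " shutdown"]
    return lines


# Constructed sample: a switch that has been up for 90 days (not real polled data)
SYS_UPTIME = 90 * TICKS_PER_DAY
SAMPLE_PORTS = [
    Port(1, "GigabitEthernet1/0/1", UP, UP, SYS_UPTIME - 10 * TICKS_PER_DAY),   # active
    Port(2, "GigabitEthernet1/0/2", UP, DOWN, SYS_UPTIME - 45 * TICKS_PER_DAY), # idle 45 days
    Port(3, "GigabitEthernet1/0/3", UP, DOWN, SYS_UPTIME - 5 * TICKS_PER_DAY),  # idle 5 days
    Port(4, "GigabitEthernet1/0/4", DOWN, DOWN, 0),                             # already shut
    Port(5, "GigabitEthernet1/0/5", UP, DOWN, 0),                               # down since boot
    Port(100, "Vlan1", UP, DOWN, 0),                                            # logical, skipped
]

if __name__ == "__main__":
    unused = find_unused_ports(SAMPLE_PORTS, SYS_UPTIME)
    print("\n".join(shutdown_commands(unused)))
```

In a closed-mode 802.1X/MAB deployment the same ports are already useless to an unauthenticated device, which is the point made above; the script is for the environments where that is not yet in place, or where an idle-port inventory is still wanted for audit.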