Query on IPS Authentication with CISCO ISE

kirubashankarr
Level 1

Hello,

We have an entire subnet onboarded for TACACS authentication, and within that subnet we have IPS devices which require RADIUS authentication.

Version and patch: V 2.4.0.357 Patch 13

Query:

  1. Is it possible to have RADIUS authentication enabled for the IPS devices which fall within the subnet that is already onboarded in ISE for TACACS authentication?
  2. If yes, do I need to onboard the IPS devices separately?
  3. If I onboard the IPS devices separately, will ISE allow me to onboard them, since they are already part of the subnet, or will it consider them duplicates?

Example:

The subnet onboarded for ISE TACACS is 10.2.2.0/24; the IPS IPs are 10.2.2.2 and 10.2.2.3.

Now I need to onboard the IPS devices 10.2.2.2 and 10.2.2.3 (RADIUS authentication), but 10.2.2.0/24 is already in ISE for TACACS authentication.

Kindly help me with this scenario.

Amine ZAKARIA
Spotlight

Hello,

1. Is it possible to have RADIUS authentication enabled for the IPS device which comes within the subnet and which is already onboarded in ISE for TACACS authentication? Yes, it's possible.

2. If yes, do I need to onboard the IPS devices separately? Again, yes: you should create a network device for these 2 IPS as /32 for RADIUS with the pre-shared key.

3. If I onboard the IPS separately, will ISE allow me to onboard the devices, since it is already a part of the subnet, and will it consider it to be a duplicate one? In your case ISE will not complain about the duplicate creation as long as the NAD is declared as /32.

Hope that helps!

thomas
Cisco Employee

RADIUS and TACACS are separate protocols supported by ISE.

You may individually enable each protocol per device or device subnet under Administration > Network Resources > Network Devices:

image.png

To "onboard" the devices for RADIUS you would simply check the box in your device subnet configuration in ISE as shown above and provide the RADIUS shared secret similar to what you did with TACACS.
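
The two approaches suggested in the replies above (separate /32 entries for the IPS devices versus enabling RADIUS on the existing subnet entry) can be compared with a small model. This is an added example, not part of the thread and not ISE code; the most-specific-match lookup, the rule that only the matched entry's protocols apply, and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed device tables using the thread's example addresses.
# Option A: keep the /24 for TACACS and add two /32 entries for RADIUS.
OPTION_A = [("10.2.2.0/24", {"TACACS"}),
            ("10.2.2.2/32", {"RADIUS"}),
            ("10.2.2.3/32", {"RADIUS"})]
# Option B: enable RADIUS on the existing /24 entry.
OPTION_B = [("10.2.2.0/24", {"TACACS", "RADIUS"})]


def resolve(table, src_ip, protocol):
    """Return the CIDR of the entry that serves the request, or None.

    Assumption: the most specific entry containing src_ip is selected and
    only the protocols enabled on that entry are accepted.
    """
    ip = ipaddress.ip_address(src_ip)
    matches = [(ipaddress.ip_network(cidr), protos)
               for cidr, protos in table
               if ip in ipaddress.ip_network(cidr)]
    if not matches:
        return None  # no entry covers this source address
    net, protos = max(matches, key=lambda m: m[0].prefixlen)
    return str(net) if protocol in protos else None


def radius_sources(table):
    """Count source addresses from which a RADIUS request would be accepted."""
    seen = set()
    for cidr, _ in table:
        for ip in ipaddress.ip_network(cidr):
            if resolve(table, str(ip), "RADIUS"):
                seen.add(ip)
    return len(seen)


if __name__ == "__main__":
    for name, table in (("A", OPTION_A), ("B", OPTION_B)):
        print(name,
              "| 10.2.2.2 RADIUS ->", resolve(table, "10.2.2.2", "RADIUS"),
              "| 10.2.2.50 RADIUS ->", resolve(table, "10.2.2.50", "RADIUS"),
              "| RADIUS-capable sources:", radius_sources(table))
```

In this model the /32 entries limit the RADIUS shared secret to the two IPS addresses, while the subnet-wide checkbox accepts RADIUS from every address in 10.2.2.0/24. Under the same assumption, a /32 entry would also need TACACS enabled if the IPS devices still use it, which is worth confirming on the deployment itself.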
