08-02-2021 01:22 PM
Hello,
We have an entire subnet onboarded for TACACS authentication, and within that subnet we have IPS devices which require RADIUS authentication.
Version and patch : V 2.4.0.357 Patch 13
Query :
Example :
Subnet onboarded for ISE TACACS is 10.2.2.0/24; IPS IPs are 10.2.2.2 and 10.2.2.3.
Now I need to onboard the IPS devices 10.2.2.2 and 10.2.2.3 (RADIUS authentication), but 10.2.2.0/24 is already in ISE for TACACS authentication.
Kindly help me with this scenario.
08-02-2021 02:45 PM
Hello,
1. Is it possible to have RADIUS authentication enabled for the IPS device which comes within the subnet and which is already onboarded in ISE for TACACS authentication? Yes, it's possible.
2. If yes, do I need to onboard the IPS devices separately? Again yes, you should create a network device for these 2 IPs as /32 for RADIUS with the preshared key.
3. If I onboard the IPS separately, will ISE allow me to onboard the devices, since it is already a part of the subnet, and will it consider it to be a duplicate? In your case, ISE will not complain about a duplicate being created as long as the NAD is declared as /32.
Hope that helps!
08-04-2021 11:27 AM
RADIUS and TACACS are separate protocols supported by ISE.
You may individually enable each protocol per device or device subnet under Administration > Network Resources > Network Devices:
To "onboard" the devices for RADIUS you would simply check the box in your device subnet configuration in ISE as shown above and provide the RADIUS shared secret similar to what you did with TACACS.
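As an added example (not part of the original posts and not Cisco code), this Python sketch models the two answers above: a /32 definition overlaps the existing /24 without being a duplicate of it, and each definition carries its own enabled protocols. The device names, the data layout and the most-specific-match lookup are assumptions of the model.

```python
import ipaddress

# Constructed sample of ISE network device definitions (names are hypothetical).
NADS = [
    {"name": "Site-Subnet", "net": "10.2.2.0/24", "protocols": {"TACACS"}},
    {"name": "IPS-1", "net": "10.2.2.2/32", "protocols": {"RADIUS"}},
    {"name": "IPS-2", "net": "10.2.2.3/32", "protocols": {"RADIUS"}},
]

def classify_new_entry(nads, new_net):
    """Return 'duplicate', 'overlap' or 'new' for a proposed definition."""
    new = ipaddress.ip_network(new_net)
    nets = [ipaddress.ip_network(n["net"]) for n in nads]
    if new in nets:
        return "duplicate"   # same address and mask already defined
    if any(new.overlaps(n) for n in nets):
        return "overlap"     # e.g. a /32 carved out of an existing /24
    return "new"

def match_device(nads, src_ip):
    """Pick the definition for a request source IP.

    Assumption of this model: the most specific entry wins, so a /32
    host entry is chosen ahead of the subnet that contains it.
    """
    ip = ipaddress.ip_address(src_ip)
    hits = [n for n in nads if ip in ipaddress.ip_network(n["net"])]
    if not hits:
        return None  # a default device definition, if configured, would apply
    return max(hits, key=lambda n: ipaddress.ip_network(n["net"]).prefixlen)

def report(nads, src_ip, protocol):
    """Say which definition matches and whether it has the protocol enabled."""
    nad = match_device(nads, src_ip)
    if nad is None:
        return f"{src_ip}: no definition"
    state = "enabled" if protocol in nad["protocols"] else "NOT enabled"
    return f"{src_ip}: {nad['name']} ({nad['net']}), {protocol} {state}"

if __name__ == "__main__":
    subnet_only = NADS[:1]
    for net in ("10.2.2.2/32", "10.2.2.0/24"):
        print(net, "->", classify_new_entry(subnet_only, net))
    for ip, proto in (("10.2.2.2", "RADIUS"), ("10.2.2.10", "TACACS"),
                      ("10.2.2.2", "TACACS")):
        print(report(NADS, ip, proto))
```

The last line of output flags the case to check before the change: once a host entry exists for an IPS, that entry's protocol settings are the ones the model evaluates for that address.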