
TACACS AD authentication with alias

daan.celie
Level 1

Hello community

 

I'm currently preparing a migration from ACS to ISE 3.0. We use ACS as a TACACS service for all our switches and we have local user accounts. Because of security recommendations, I'd like to move away from local accounts to AD authentication. However, our AD accounts are some random numbers and all our device admins are used to authenticating with a very simple 2-letter acronym of their name. We cannot make any changes to AD as this is managed by a whole other team.

 

My question thus is: can we somehow map an alias to an AD account name in ISE? For example, a device admin named Steve Johnson logs in with credential SJ, but his AD account is T1598863.

 

Thanks

2 Replies

marce1000
VIP

 

> I'd like to move away from local accounts to AD authentication

 In case of network lockups it may be desirable to keep a local account available too on a switch.

> can we somehow map an alias to an AD-account name in ISE

 - I doubt this can be done, but even if it could, remember that ISE is a cornerstone of your intranet security environment. Good integration or communication with the AD-admin group is therefore strongly recommended.

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Not really what it's meant for but I used identity rewrite to achieve this. It's only 10 people or so that manage the switches on a daily basis so it's manageable with identity rewrite.