daan.celie
Beginner

TACACS AD authentication with alias

Hello community

 

I'm currently preparing a migration from ACS to ISE 3.0. We use ACS as the TACACS service for all our switches and we have local user accounts. Because of security recommendations I'd like to move away from local accounts to AD authentication. However, our AD accounts are some random numbers and all our device admins are used to authenticating with a very simple 2-letter acronym of their name. We cannot make any changes to AD as this is managed by a whole other team.

 

My question thus is: can we somehow map an alias to an AD account name in ISE? For example, a device admin named Steve Johnson logs in with credential SJ, but his AD account is T1598863.

 

Thanks

2 REPLIES
marce1000
VIP Advisor

 

> I'd like to move away from local accounts to AD authentication

 In case of network lockups it may be desirable to keep a local account available too on a switch.

> can we somehow map an alias to an AD-account name in ISE

 - I doubt this can be done, but even if it could, remember ISE is a cornerstone of your Intranet security environment. Good integration or communication with the AD-admin group is therefore strongly recommended.

 M.

Not really what it's meant for but I used identity rewrite to achieve this. It's only 10 people or so that manage the switches on a daily basis so it's manageable with identity rewrite.
