10-03-2018 08:07 AM
My customer has his network devices managed by an MSP. However, they still want to have read-only access to all devices. We are wondering how this can be done with TACACS in ISE.
The scenario looks like this
Switch ----- ISE-MSP ---- ISE-CUSTOMER --- CUSTOMER-AD
Between the Switch and ISE-MSP, we are using TACACS to authenticate xxx@MSP.com users for network management
We would like xxxx@customer.com users to authenticate against the customer AD. However, how can the MSP enforce a set of commands or a privilege level? In proxy mode, is there a way to make sure ISE-MSP either authorizes the commands or enforces a privilege level?
The MSP does not trust the customer will do the enforcing on ISE-CUSTOMER. Enforcement has to be done either on the switch or ISE-MSP. How can we achieve this?
The customer was thinking of splitting the authentication and authorization steps across two different systems, but I don't think this can be done. Could a mix of TACACS from the switch to ISE-MSP and RADIUS from ISE-MSP to ISE-CUSTOMER allow for this?
Basically what we are looking for:
10-03-2018 12:21 PM
I haven't tried this before, but can you set up the customer ISE as a RADIUS token proxy and use that as an identity source in the TACACS rules? It would be the same as doing an MFA solution, so it should work.
Their authentication policy would look like:
if username ends with @customer.com then send to RADIUS token server definition for the customer ISE deployment
else send to MSP AD
Then in authorization
if username ends with @customer.com then assign read-only access
else assign access based on MSP AD group membership
When you use a RADIUS token server you just get an accept/deny back which is all the MSP needs. Basically they are asking the customer ISE deployment "Is this username/password correct?"
On the customer ISE deployment they would define a policy set for requests sourced from the MSP ISE deployment. Basically define a device type MSP PSN and then add the MSP PSNs in as network devices. Setup a device type condition for the MSP PSN device type and use that for the policy set. Then the customer can check AD and do whatever groups they want to allow access to the MSP managed routers.
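The policy split described in this answer, written out as an added example (this is illustrative Python, not ISE configuration and not code from anyone in the thread). It models ISE-MSP's two decisions: authentication routes by username realm and treats the customer deployment as a RADIUS token server that can only answer accept or deny, while authorization is decided entirely on ISE-MSP, so a customer user gets the read-only shell profile no matter what the customer ISE would have said. The identity entries, group names, passwords and command-set patterns are constructed for the example; the fail-closed handling of an unreachable token server is an assumption about how a practitioner would want it to behave, not something the answer states.

```python
import re
from dataclasses import dataclass

# Constructed stand-ins for the two identity sources ISE-MSP consults.
# MSP_AD plays the MSP's Active Directory (password plus group membership);
# CUSTOMER_ISE plays the customer ISE deployment reached as a RADIUS token
# server, which only ever yields accept/deny, never groups or privileges.
MSP_AD = {
    "alice@MSP.com": {"password": "msp-pass-1", "groups": ["NetAdmins"]},
    "bob@MSP.com": {"password": "msp-pass-2", "groups": ["NetOps"]},
}
CUSTOMER_ISE = {"carol@customer.com": "cust-pass-1"}


class TokenServerUnreachable(Exception):
    """The RADIUS token server (customer ISE) did not respond."""


def customer_radius_token(username, password, reachable=True):
    """Ask the customer ISE 'is this username/password correct?' and nothing else."""
    if not reachable:
        raise TokenServerUnreachable(username)
    return CUSTOMER_ISE.get(username) == password


def authenticate(username, password, customer_reachable=True):
    """Authentication policy on ISE-MSP: route by realm.

    Returns 'accept', 'reject', or 'error'. An unreachable token server is
    reported as 'error' rather than 'accept', so the proxy fails closed.
    """
    if username.lower().endswith("@customer.com"):
        try:
            ok = customer_radius_token(username, password, customer_reachable)
        except TokenServerUnreachable:
            return "error"
        return "accept" if ok else "reject"
    entry = MSP_AD.get(username)
    if entry is not None and entry["password"] == password:
        return "accept"
    return "reject"


@dataclass
class ShellProfile:
    """A TACACS+ shell profile plus an ordered command set (first match wins)."""
    priv_lvl: int
    command_set: list  # [(action, regex), ...] with action 'permit' or 'deny'


# Constructed profiles. Customer users only ever get READ_ONLY.
READ_ONLY = ShellProfile(1, [("permit", r"^show( .*)?$"),
                             ("permit", r"^(exit|logout)$"),
                             ("deny", r".*")])
MSP_ADMIN = ShellProfile(15, [("permit", r".*")])
MSP_OPS = ShellProfile(15, [("deny", r"^(reload|write|erase)"),
                            ("permit", r".*")])


def authorize(username):
    """Authorization policy on ISE-MSP.

    The customer realm is mapped to read-only without consulting the customer
    ISE at all; MSP users are mapped by MSP AD group. No matching rule -> None,
    which the caller treats as deny.
    """
    if username.lower().endswith("@customer.com"):
        return READ_ONLY
    groups = MSP_AD.get(username, {}).get("groups", [])
    if "NetAdmins" in groups:
        return MSP_ADMIN
    if "NetOps" in groups:
        return MSP_OPS
    return None


def command_allowed(profile, command):
    """Per-command authorization, as the switch would ask ISE-MSP for each line."""
    if profile is None:
        return False
    for action, pattern in profile.command_set:
        if re.match(pattern, command.strip()):
            return action == "permit"
    return False  # implicit deny at the end of the command set


if __name__ == "__main__":
    for user, pw in [("carol@customer.com", "cust-pass-1"), ("alice@MSP.com", "msp-pass-1")]:
        result = authenticate(user, pw)
        profile = authorize(user) if result == "accept" else None
        for cmd in ("show running-config", "configure terminal", "reload"):
            print(f"{user:22} {result:7} priv={getattr(profile, 'priv_lvl', '-')} "
                  f"{cmd!r:24} -> {'permit' if command_allowed(profile, cmd) else 'deny'}")
```

The thing to notice is that `authorize` never touches the customer side: even if the customer ISE were to accept a user it should not have, the worst outcome on the switch is a read-only session, which is the guarantee the MSP was asking for. Whether an unreachable token server should be an error or a reject is a local choice; what it must not be is an accept.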