Elena.Madrigal
Beginner

Cisco ISE TACACS+ Vendor profiling

Hello

I have searched for information, but I did not find anything. I need to identify the vendor of my routers in my ISE deployment to apply different TACACS+ command sets and policies. I have Cisco and Huawei.

Does anybody know of a guide or info on how to do this?

balaji.bandi
VIP Expert

Here is a guide for Cisco profiling (hope this is what you are looking for; if not, please suggest):

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200208-Configure-ISE-2-0-IOS-TACACS-Authentic.html#anc13

ISE does support other vendors; you need to look at the matrix.

BB


*** Rate All Helpful Responses ***

Hello Balaji

Thanks, but this is not what I am looking for. I am looking to apply a different TACACS+ command set depending on whether the device is Huawei or Cisco.

I have read this

https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_010100.html#concept_B395883FDC044AF79B042C2284D900F1

But I don't know how to start ...

When you create your NADs, assign each to a device group. Then create your TACACs policy sets with device group as the top level condition / selector. Then, within a given policy set, include your custom command sets etc. for that type of device.

Don't worry about the "profile" when creating the NAD if you are just using it for Device Admin. That profile is more to describe device capabilities for Authorization results for network access policy sets - not for device admin.

[Screenshots attached: Device Admin Policy Sets, Conditions Studio, NAD]
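The grouping step above can also be scripted against the ISE ERS API so that each router is registered as its own /32 NAD and tagged with a vendor Device Type group, which is what a mixed-vendor loopback range needs because ISE will not infer the vendor. This is an added example, not code from the thread or from Cisco; it assumes ERS is enabled with an ERS admin account, that the two Device Type groups named below were created beforehand, and the inventory is constructed sample data.

```python
import base64
import ipaddress
import json
import urllib.request

# Assumed: these Device Type groups already exist (Administration > Network Resources > Network Device Groups).
VENDOR_GROUPS = {
    "cisco": "Device Type#All Device Types#Cisco",
    "huawei": "Device Type#All Device Types#Huawei",
}

# Constructed sample inventory: (hostname, loopback IP, vendor).
INVENTORY = [
    ("rtr-core-01", "10.255.0.1", "cisco"),
    ("rtr-edge-07", "10.255.0.7", "huawei"),
]

def build_nad(hostname, loopback, vendor, tacacs_secret):
    """ERS NetworkDevice payload for one router. One /32 per device is what
    lets a mixed-vendor loopback range be split by vendor in policy sets."""
    if vendor not in VENDOR_GROUPS:
        raise ValueError(f"{hostname}: unknown vendor {vendor!r}")
    ip = ipaddress.ip_address(loopback)  # raises ValueError if malformed
    return {"NetworkDevice": {
        "name": hostname,
        "description": f"{vendor} router, loopback {ip}",
        "NetworkDeviceIPList": [{"ipaddress": str(ip), "mask": 32}],
        "NetworkDeviceGroupList": ["Location#All Locations",
                                   VENDOR_GROUPS[vendor]],
        "tacacsSettings": {"sharedSecret": tacacs_secret,
                           "connectModeOptions": "OFF"},
    }}

def build_inventory(tacacs_secret):
    """Payloads for every router in INVENTORY, ready for push_nad()."""
    return [build_nad(h, ip, v, tacacs_secret) for h, ip, v in INVENTORY]

def push_nad(ise_host, ers_user, ers_password, payload):
    """POST one NAD to the ISE ERS endpoint (TCP 9060); returns HTTP status."""
    token = base64.b64encode(f"{ers_user}:{ers_password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{ise_host}:9060/ers/config/networkdevice",
        data=json.dumps(payload).encode(), method="POST",
        headers={"Authorization": f"Basic {token}",
                 "Content-Type": "application/json",
                 "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.status
```

Push with `for p in build_inventory(secret): push_nad(host, user, pw, p)`; the ISE admin certificate must be trusted by the host running the script, or urlopen will reject the TLS handshake. Once the NADs are tagged, the TACACS+ policy set's top-level condition selects on the Device Type group.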

@Marvin Rhoads  Thanks!! Yes, I have already created it as you described, but I don't need a separate device per IP address, because I only have one loopback IP range with Cisco and Huawei mixed ... This is the problem.

So I need ISE to detect the vendor (by MAC address, CDP, LLDP or some other way, I don't know) and use this condition to apply the corresponding authorization policy for command sets.

ISE cannot detect the vendor for purposes of device admin (TACACS+).

The methods you mention are used in device profiling for use with Network Access Control (802.1x and MAB) policy sets.

True, I have solved my problem by "tricking" with the authorization policies: creating one profile for both vendors, Cisco and Huawei, including both TACACS+ command sets. Thanks for the support!

pieterh
VIP Collaborator

ISE does provide an inventory of what switches / routers it receives RADIUS/TACACS+ requests from, but this is not vendor profiling!

Vendor profiling is meant to analyze what client devices want to authenticate, not the network devices / routers in use.
Maybe this guide will help: ISE Profiling Design Guide
