592 Views, 0 Helpful, 3 Replies

How to authenticate a guest user onto a network device using ISE?

Xavier888
Level 1

Hi,

I'm very new to Cisco ISE. Would anyone be able to advise on how you would create and authenticate a read-only guest/level 1 privileged user via TACACS to get access to the switch?

I've attached a brief part of the switch config. From my understanding, this switch would authenticate against the TACACS+ server and then locally if the TACACS+ server fails. I see that the line VTYs/SSH use the TACACS authentication as well. It currently uses the VTY_authen profile, I believe; let's pretend this is for corporate users. Active Directory is also used as an external identity source.

Previously, I was thinking of just creating a normal username/password with a priv level on the CLI, but if TACACS takes priority I'm not sure if that would work?

I've had a brief look on Cisco ISE on how I might do this:

1) Log into ISE > Administration > Identities > Create a read-only network device user?

2) Groups > User Identity Groups > Create Guest_ReadOnly group?

3) Add the user to the group. And see if I can add in privilege levels?

After these steps, I'm unsure what to do next. Do I need to set specific policies in ISE? Will I need to modify any configurations on the switch? Preferably I want to make as few changes on the switch as possible, unless unavoidable.

Any advice or direction to relevant documentation would be greatly appreciated!

Thanks!


3 Replies

balaji.bandi
Hall of Fame

Hi,

Yeah, essentially I just want the user to have read-only access to the switch, so no configuration changes.

I will check out the documentation you provided, and if I have any questions I'll ask.

Thanks

When you configure the read-only TACACS policy on ISE, you will be referencing the TACACS authorization rules to TACACS profiles. Those TACACS profiles have the privilege level configured in them. For instance, for the read-only TACACS profile you will most likely assign privilege 1 as the default and maximum privilege level. However, if, say, you want to allow the connected users to land on the network device with privilege level 15 but you don't want them to be allowed to issue all commands, then in that case you can define which commands are allowed and which are denied in the TACACS Command Sets.

With regard to the local user fallback, you would need to associate the right privilege level with the users. For the read-only users you would need to associate privilege level 1, as an example, and for the super admins you would associate level 15.
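The switch side of the setup described above, as an added example that is not from the original thread: TACACS+ is tried first with local fallback, the local users carry the same privilege levels the ISE TACACS profiles would assign, and per-command authorization is enabled so that ISE command sets are actually consulted (without it the switch never asks ISE about individual commands). VTY_authen is the method list named in the question; the server name, server group, the other method-list names, the 192.0.2.10 address and the secrets are assumptions or placeholders.

```ios
! --- TACACS+ server and group (name, address and key are assumed/placeholders) ---
aaa new-model
tacacs server ISE-PSN
 address ipv4 192.0.2.10
 key 0 <SHARED-SECRET-PLACEHOLDER>
aaa group server tacacs+ ISE-TACACS
 server name ISE-PSN
!
! --- Login: ISE first, local database only if no TACACS+ server answers ---
aaa authentication login VTY_authen group ISE-TACACS local
!
! --- Exec authorization: ISE's TACACS profile sets the shell privilege level
!     (e.g. default/max privilege 1 for the read-only profile); on fallback the
!     privilege level comes from the local 'username ... privilege N' entry ---
aaa authorization exec VTY_author group ISE-TACACS local
!
! --- Command authorization at level 1 and 15: this is what makes ISE Command
!     Sets take effect; config-mode commands are authorized as well ---
aaa authorization commands 1 VTY_cmd1 group ISE-TACACS local
aaa authorization commands 15 VTY_cmd15 group ISE-TACACS local
aaa authorization config-commands
!
! --- Command accounting so ISE logs which commands were run ---
aaa accounting commands 15 VTY_acct start-stop group ISE-TACACS
!
! --- Local fallback users (assumed names): privilege levels mirror the ISE
!     profiles so a read-only user stays read-only even when ISE is unreachable ---
username guest_ro privilege 1 secret <READONLY-SECRET-PLACEHOLDER>
username netadmin privilege 15 secret <ADMIN-SECRET-PLACEHOLDER>
!
! --- Bind the method lists to the VTY lines used for SSH ---
line vty 0 4
 login authentication VTY_authen
 authorization exec VTY_author
 authorization commands 1 VTY_cmd1
 authorization commands 15 VTY_cmd15
 accounting commands 15 VTY_acct
 transport input ssh
```

Apply command authorization only after verifying the TACACS+ session works from a second terminal, since a rejected authorization on your only session can lock you out of the device.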