Solved: NSO Integration with Cisco ISE

ian.scheidler1 · ‎08-20-2018

Hi,

I have an upcoming PoC with a customer and they asked me today, during install, whether or not (and if yes how) integrates with Cisco ISE (does it?).

I do not know much about ISE beyond the 2min "commercial" I watched on the Cisco homepage just there.

I have signed up for a webinar on ISE but since that doesnt take place too soon I would like to know what I can tell our customer.

If someone could explain, in a nutshell, how ISE works, what it does and how it could be integrated with NSO (if possible) I would be very grateful (links with further info highly appreciated).

Or is it possibly something that doesnt make sense at all? If so, why?

:( ...I could NOT find anything on ISE integration with NSO here: https://community.cisco.com/t5/security-documents/ise-design-amp-integration-guides/ta-p/3621164

rogaglia · ‎08-20-2018

Hi,

You should ask your customer what they want to achieve from this integration.

If it is simple external authentication, this is supported today.

If it is a closer policy integration, I believe the BU is exploring how to get this done but it would also be possible with some work.

Roque

View solution in original post

vleijon · ‎08-21-2018

I want to expand on Roque's answer slightly, and hopefully @frjansso can chime in too since he has worked with ISE.

ISE handles identity, so that is keeping track of which users should belong to which group and which policies to assign between groups. It is meant as a backend for 802.1X or similar.

There is an ISE NED that is used for this integration. We support a few different things including setting policies. But as Roque says, ask your customer what they want and it is likely it could be doable if the REST interface supports it.

View solution in original post

rogaglia · ‎08-20-2018

Hi,

You should ask your customer what they want to achieve from this integration.

If it is simple external authentication, this is supported today.

If it is a closer policy integration, I believe the BU is exploring how to get this done but it would also be possible with some work.

Roque

ian.scheidler1 · ‎08-20-2018

Thanks for the fast reply. As far as I understand they want to have the authentication towards the devices (and probably NSO itself) managed by ISE. So what do I put in as auth group info in NSO for instance?...is there sth. on external authentication in the NSO docs? Pointer in the right direction please. Will check the docs anyway tomorrow.

ian.scheidler1 · ‎08-20-2018

Thanks again for the reply.

I just searched the docs and found that there is some info on external authentication in the admin guide, chapter 9.

I will read up on how to configure it.

P.S.: Sorry for not checking the docs first before posting here...was simply easier to write a quick post via my phone as I was in the middle of cooking dinner and making sure my little daughter doesnt watch too much TV.

vleijon · ‎08-21-2018

I want to expand on Roque's answer slightly, and hopefully @frjansso can chime in too since he has worked with ISE.

ISE handles identity, so that is keeping track of which users should belong to which group and which policies to assign between groups. It is meant as a backend for 802.1X or similar.

There is an ISE NED that is used for this integration. We support a few different things including setting policies. But as Roque says, ask your customer what they want and it is likely it could be doable if the REST interface supports it.