Beginner

Import Network Devices into ISE 2.4 Authentication Protocol Required?

I'm attempting to import network devices into ISE 2.4.

Following the template found in https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_01001.pdf

 

The documentation says that Authentication:Protocol:String(6) is optional and the only valid value is "RADIUS".

 

My import is failing with the message: Failed Value for attribute Protocol is mandatory

Putting TACACS in that field is rejected.

Putting RADIUS in that field is accepted, however then I believe I need to manually edit each device to uncheck Radius (I have tens of thousands of devices so this is not very practical).

 

Any suggestions?

Accepted Solution

ajc Frequent Contributor

Re: Import Network Devices into ISE 2.4 Authentication Protocol Required?

I just finished testing. In order to enable TACACS on the device and avoid errors when importing the CSV, Column G of the template must be empty because it is only for RADIUS. Column H must also be empty because it is related to G.

 

 

 

 

18 REPLIES
RJI VIP Advisor

Re: Import Network Devices into ISE 2.4 Authentication Protocol Required?

Hi,
I don't have access to ISE right now to double check for you, but what I usually do is manually configure 1 NAD with all the values I need. I then export this into a csv, and use that file as the source template. It should therefore have all the fields filled in correctly and hopefully you can then use this as a basis for the import.

If this doesn't work, let me know and I can access my ISE 2.4 in the lab.

HTH
Beginner

Re: Import Network Devices into ISE 2.4 Authentication Protocol Required?

Yes, I tried that.  If Radius isn't selected the Authentication:Protocol field is left blank on export.

Participant

Re: Import Network Devices into ISE 2.4 Authentication Protocol Required?

Did you get the template directly from ISE or did you create it yourself based on the values in the document?

 

This might be a bug or something in your version of ISE. I just tried with 2.3 and left the Authentication:Protocol:String(6) value blank for the TACACS devices and they were imported without issue.

I got the template from the Import Device page of ISE with the Generate A Template link.

Beginner

Re: Import Network Devices into ISE 2.4 Authentication Protocol Required?

Hi,

Did you ever manage to resolve this issue? I am having the same issue and generating a template doesn't work either. I honestly do not want to add thousands of switches manually.

Any assistance would be greatly appreciated.

 

Thank you 

Clint

ajc Frequent Contributor

Re: Import Network Devices into ISE 2.4 Authentication Protocol Required?

Post modified. I realized that you are asking for network devices not endpoints.

Beginner

Re: Import Network Devices into ISE 2.4 Authentication Protocol Required?

Sorry, how is this going to work? I need to import a boatload of switches. How is a MAC address, endpoint and endpoint ID group going to move the switches into the correct network device group with the associated IP, mask, name and shared secret?

 

Do you understand what we are trying to achieve here?

ajc Frequent Contributor

Re: Import Network Devices into ISE 2.4 Authentication Protocol Required?

Let me try importing a Network Device into my ISE 2.3 using the template from this version. I will fill out the columns with 2 entries manually.

ajc Frequent Contributor

Re: Import Network Devices into ISE 2.4 Authentication Protocol Required?

If you have an ACS, export the NETWORK DEVICES DB (see this link: https://supportforums.cisco.com/t5/aaa-identity-and-nac/acs-5-2-network-devices-export/td-p/1664489).

Compare the columns with the template from ISE 2.3 or 2.4 (whatever you want to use) to verify they are the same (I did not do that because I migrated my ACS into ISE 2.3 following the corresponding procedure so all the network devices were moved with no issues - I am running RADIUS/TACACS on ISE 2.3). If they are not the same, just copy and paste into the 2.3 or 2.4 template the values for the corresponding column. You still have manual work to do if you are not migrating from ACS, as I said before.

 

AND I would not go with ISE 2.4 because it is not mature enough (we have talked to Cisco BU about it). However, it is up to you.

ajc Frequent Contributor

Re: Import Network Devices into ISE 2.4 Authentication Protocol Required?

removed

Beginner

Re: Import Network Devices into ISE 2.4 Authentication Protocol Required?

This is the oddest thing, because if I do an export in ISE 2.4, I get TACACS_PLUS or RADIUS in column G, but when I try to reimport the devices, it barks that TACACS_PLUS is an invalid value.

After deleting TACACS_PLUS from column G, it works with no issues.

Beginner

Re: Import Network Devices into ISE 2.4 Authentication Protocol Required?

Just to update this forum for anyone using ISE 2.4: complete the spreadsheet as normal, but in the Radius column type Radius. Even though it will use the Tacacs details, for some reason it wants Radius listed in the column.

I imported over 1000 switches with no issues once I added Radius in the column.


 

 

ajc Frequent Contributor

Re: Import Network Devices into ISE 2.4 Authentication Protocol Required?

To be more precise,

 

Columns G (Authentication:Protocol:String(6)) and H (Authentication:Shared Secret:String(128)) of the template for importing a device list into ISE are RADIUS related. So if you need to import devices for Radius AUTHC only, use those ones.

 

Column AN (TACACS:Shared Secret:String(128)) is the one for TACACS AUTHC so if you only use this authentication mechanism, then leave columns G and H empty.

 

If you want to use TACACS and RADIUS for the network device, Columns G, H and AN must be completed.
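Added example, not part of the thread and not Cisco code: a pre-import check that applies the column G/H/AN rules described in the post above to a device CSV before it is uploaded. It assumes those rules hold for your ISE version (other posts in this thread report different behaviour on 2.4); the `Name` column, device names and secrets are constructed, and a real template has many more columns.

```python
import csv
import io

# Header names as quoted in the thread (template columns G, H and AN).
COL_G = "Authentication:Protocol:String(6)"
COL_H = "Authentication:Shared Secret:String(128)"
COL_AN = "TACACS:Shared Secret:String(128)"

def lint_rows(csv_text):
    """Return a list of (line_number, device_name, problem) tuples."""
    problems = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        name = row.get("Name", "")  # "Name" is a constructed column for this sample
        g = (row.get(COL_G) or "").strip()
        h = (row.get(COL_H) or "").strip()
        an = (row.get(COL_AN) or "").strip()

        def flag(msg):
            problems.append((line_no, name, msg))

        if g and g != "RADIUS":
            # e.g. the TACACS_PLUS value one poster saw in an export
            flag(f"column G is {g!r}; the only documented value is 'RADIUS'")
        elif bool(g) != bool(h):
            flag("columns G and H must be filled together or both left empty")
        if not g and not h and not an:
            flag("no RADIUS (G/H) or TACACS (AN) settings on this row")
        for col, val in ((COL_H, h), (COL_AN, an)):
            if len(val) > 128:  # String(128) in the header
                flag(f"{col} exceeds 128 characters")
    return problems

# Constructed sample data; the secrets are placeholders.
SAMPLE = "\n".join([
    f"Name,{COL_G},{COL_H},{COL_AN}",
    "sw-radius,RADIUS,placeholder-radius-secret,",
    "sw-tacacs,,,placeholder-tacacs-secret",
    "sw-both,RADIUS,placeholder-radius-secret,placeholder-tacacs-secret",
    "sw-exported,TACACS_PLUS,,placeholder-tacacs-secret",
    "sw-half,RADIUS,,",
    "sw-empty,,,",
])

if __name__ == "__main__":
    for line_no, name, msg in lint_rows(SAMPLE):
        print(f"line {line_no} ({name}): {msg}")
```

Because the file carries shared secrets in clear text, run the check locally and delete the CSV once the import is done.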

 

 

 

 

Beginner

Re: Import Network Devices into ISE 2.4 Authentication Protocol Required?


@clint.naude wrote:

Just to update this forum for anyone using ISE 2.4: complete the spreadsheet as normal, but in the Radius column type Radius. Even though it will use the Tacacs details, for some reason it wants Radius listed in the column.

I imported over 1000 switches with no issues once I added Radius in the column.


 

 


Really??? Because I just lost my entire device database (filter something, and the "Delete All" button SHOULD just delete the filtered devices, NOT THE ENTIRE DATABASE).

I'm trying to reimport my devices with column G empty, and the thing stores the shared secret, but DOES NOT ENABLE TACACS FOR THE DEVICE!!!!!!!!!

I'm dying here.  First it deletes everything and now it won't accept everything back.

Ah, yes, and the backup is not working so that's a no-go (besides we updated a bunch of rules in the last month).