05-04-2018 11:34 AM - edited 02-21-2020 10:55 AM
I'm attempting to import network devices into ISE 2.4.
I'm following the template found in https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_01001.pdf
The documentation says that Authentication:Protocol:String(6) is optional and the only valid value is "RADIUS".
My import is failing with the message: Failed Value for attribute Protocol is mandatory
Putting TACACS in that field is rejected.
Putting RADIUS in that field is accepted, however then I believe I need to manually edit each device to uncheck Radius (I have tens of thousands of devices so this is not very practical).
Any suggestions?
05-04-2018 12:32 PM
05-04-2018 01:53 PM
Yes, I tried that. If Radius isn't selected the Authentication:Protocol field is left blank on export.
05-04-2018 12:32 PM
Did you get the template directly from ISE or did you create it yourself based on the values in the document?
This might be a bug or something in your version of ISE. I just tried with 2.3 and left the Authentication:Protocol:String(6) value blank for the TACACS devices and they were imported without issue.
I got the template from the Import Device page of ISE with the Generate A Template link
06-18-2018 06:24 AM
Hi,
Did you ever manage to resolve this issue? I am having the same issue and generating a template doesn't work either. I honestly do not want to add thousands of switches manually.
Any assistance would be greatly appreciated.
Thank you
Clint
06-18-2018 07:56 AM - edited 06-19-2018 07:20 AM
Post modified. I realized that you are asking for network devices not endpoints.
06-18-2018 10:21 PM
Sorry, how is this going to work? I need to import a boatload of switches. How is a MAC address, endpoint and endpoint ID group going to move the switches into the correct network device group with the associated IP, mask, name and shared secret?
Do you understand what we are trying to achieve here?
06-19-2018 07:47 AM
Let me try importing a Network Device into my ISE 2.3 using the template from this version. I will fill out the columns with 2 entries manually.
06-19-2018 07:44 AM - edited 06-19-2018 10:37 AM
If you have an ACS, export the NETWORK DEVICES DB (see this link:
https://supportforums.cisco.com/t5/aaa-identity-and-nac/acs-5-2-network-devices-export/td-p/1664489).
Compare the columns with the template from ISE 2.3 or 2.4 (whatever you want to use) to verify they are the same (I did not do that because I migrated my ACS into ISE 2.3 following the corresponding procedure so all the network devices were moved with no issues - I am running RADIUS/TACACS on ISE 2.3). If they are not the same, just copy and paste into the 2.3 or 2.4 template the values for the corresponding column. You still have manual work to do if you are not migrating from ACS, as I said before.
AND I would not go with ISE 2.4 because it is not mature enough (we have talked to Cisco BU about it). However, it is up to you.
06-19-2018 07:53 AM - edited 06-19-2018 10:36 AM
removed
06-19-2018 10:36 AM
I just finished testing. In order to enable TACACS on the device and avoid errors when importing the CSV, Column G of the template must be empty because it is only for RADIUS. Column H must also be empty because it is related to G.
11-14-2018 10:32 AM
This is the oddest thing, because if I do an export in ISE 2.4, I get TACACS_PLUS or RADIUS in column G, but when I try to reimport the devices, it barks that TACACS_PLUS is an invalid value.
After deleting TACACS_PLUS from column G, it works with no issues.
06-21-2018 07:33 PM
Just to update this forum for anyone using ISE 2.4: complete the spreadsheet as normal, but in the Radius column type Radius. Even though it will use the Tacacs details, for some reason it wants Radius listed in the column.
I imported over 1000 switches with no issues once I added Radius in the column.
06-22-2018 08:09 AM
To be more precise,
Columns G (Authentication:Protocol:String(6)) and H (Authentication:Shared Secret:String(128)) of the template for importing a device list to ISE are RADIUS related. So if you need to import devices for RADIUS AUTHC only, use those columns.
Column AN (TACACS:Shared Secret:String(128)) is the one for TACACS AUTHC so if you only use this authentication mechanism, then leave columns G and H empty.
If you want to use TACACS and RADIUS for the network device, Columns G, H and AN must be completed.
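A pre-import check of the column rules described in the post above, as an added example that is not part of the thread or of ISE itself. The three header names are the ones quoted in the post; the `Name` column label and the sample rows are constructed for illustration.

```python
import csv
import io

# Header names as quoted in the post above (template columns G, H and AN).
PROTO = "Authentication:Protocol:String(6)"
RADIUS_SECRET = "Authentication:Shared Secret:String(128)"
TACACS_SECRET = "TACACS:Shared Secret:String(128)"
NAME = "Name"  # assumed label of the device-name column; adjust to your template

# Constructed sample rows (not real devices or secrets).
SAMPLE = f"""\
{NAME},{PROTO},{RADIUS_SECRET},{TACACS_SECRET}
sw-radius,RADIUS,example-radius-secret,
sw-tacacs,,,example-tacacs-secret
sw-both,RADIUS,example-radius-secret,example-tacacs-secret
sw-exported,TACACS_PLUS,,example-tacacs-secret
sw-half,,example-radius-secret,
sw-empty,,,
"""

def check_rows(csv_text):
    """Return (line, device, problem) tuples. Secret values are never echoed."""
    findings = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for line, row in enumerate(reader, start=2):  # line 1 is the header
        device = (row.get(NAME) or "").strip() or "<unnamed>"
        proto = (row.get(PROTO) or "").strip()
        has_radius = bool((row.get(RADIUS_SECRET) or "").strip())
        has_tacacs = bool((row.get(TACACS_SECRET) or "").strip())
        if proto and proto != "RADIUS":
            findings.append((line, device, f"column G is {proto!r}; expected RADIUS or empty"))
        if proto == "RADIUS" and not has_radius:
            findings.append((line, device, "column G is RADIUS but column H (secret) is empty"))
        if has_radius and not proto:
            findings.append((line, device, "column H has a secret but column G is empty"))
        if not (proto or has_radius or has_tacacs):
            findings.append((line, device, "no RADIUS or TACACS settings in G, H or AN"))
    return findings

if __name__ == "__main__":
    for line, device, problem in check_rows(SAMPLE):
        print(f"line {line}: {device}: {problem}")
```

The checks encode only the rules stated in the post above; other posters in this thread report different import behaviour on ISE 2.4, so confirm against a small test import on your own version.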
11-20-2018 07:00 PM
@clint.naude wrote:
Just to update this forum for anyone using ISE 2.4: complete the spreadsheet as normal, but in the Radius column type Radius. Even though it will use the Tacacs details, for some reason it wants Radius listed in the column.
I imported over 1000 switches with no issues once I added Radius in the column.
Really??? Because I just lost my entire device database (filter something, and the "Delete All" button SHOULD just delete the filtered devices, NOT THE ENTIRE DATABASE).
I'm trying to reimport my devices with column G empty, and the thing stores the shared secret, but DOES NOT ENABLE TACACS FOR THE DEVICE!!!!!!!!!
I'm dying here. First it deletes everything and now it won't accept everything back.
Ah, yes, and the backup is not working so that's a no-go (besides we updated a bunch of rules in the last month).