
Import Network Devices into ISE 2.4 Authentication Protocol Required?

kevink707
Level 1

I'm attempting to import network devices into ISE 2.4.

Following the template found in https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_01001.pdf

 

The documentation says that Authentication:Protocol:String(6) is optional and the only valid value is "RADIUS".

 

My import is failing with the message: Failed Value for attribute Protocol is mandatory

Putting TACACS in that field is rejected.

Putting RADIUS in that field is accepted, however then I believe I need to manually edit each device to uncheck Radius (I have tens of thousands of devices so this is not very practical).

 

Any suggestions?

Accepted Solutions

I just finished testing. In order to enable TACACS on the device and avoid errors when importing the CSV, Column G of the template must be empty because it is only for RADIUS. Column H must also be empty because it is related to G.

 

 

 

 

18 Replies

Hi,
I don't have access to ISE right now to double check for you, but what I usually do is manually configure 1 NAD with all the values I need. I then export this into a csv, and use that file as the source template. It should therefore have all the fields filled in correctly and hopefully you can then use this as a basis for the import.

If this doesn't work, let me know and I can access my ISE 2.4 in the lab.

HTH

Yes, I tried that.  If Radius isn't selected the Authentication:Protocol field is left blank on export.

Ben Walters
Level 3

Did you get the template directly from ISE or did you create it yourself based on the values in the document?

 

This might be a bug or something in your version of ISE. I just tried with 2.3 and left the Authentication:Protocol:String(6) value blank for the TACACS devices, and they were imported without issue.

 

I got the template from the Import Device page of ISE with the Generate A Template link.

clint.naude
Level 1

Hi,

Did you ever manage to resolve this issue? I am having the same issue and generating a template doesn't work either. I honestly do not want to add thousands of switches manually.

Any assistance would be greatly appreciated.

 

Thank you 

Clint

Post modified. I realized that you are asking for network devices not endpoints.

Sorry. How is this going to work? I need to import a boatload of switches; how are a MAC address, endpoint and endpoint ID group going to move the switches into the correct network device group with the associated IP, mask, name and shared secret?

 

Do you understand what we are trying to achieve here?

Let me try importing a Network Device into my ISE 2.3 using the template from this version. I will fill out the columns with 2 entries manually.

If you have an ACS, export the NETWORK DEVICES DB (see this link: https://supportforums.cisco.com/t5/aaa-identity-and-nac/acs-5-2-network-devices-export/td-p/1664489).

 

Compare the columns with the template from ISE 2.3 or 2.4 (whatever you want to use) to verify they are the same (I did not do that because I migrated my ACS into ISE 2.3 following the corresponding procedure, so all the network devices were moved with no issues; I am running RADIUS/TACACS on ISE 2.3). If they are not the same, just copy and paste the values for the corresponding column into the 2.3 or 2.4 template. You still have manual work to do if you are not migrating from ACS, as I said before.

 

And I would not go with ISE 2.4 because it is not mature enough (we have talked to Cisco BU about it). However, it is up to you.


 

 

 

 

This is the oddest thing, because if I do an export in ISE 2.4, I get TACACS_PLUS or RADIUS in column G, but when I try to reimport the devices, it barks that TACACS_PLUS is an invalid value.

After deleting TACACS_PLUS from column G, it works with no issues.

clint.naude
Level 1

Just to update this forum for anyone using ISE 2.4: complete the spreadsheet as normal, but in the Radius column type Radius. Even though it will use the TACACS details, for some reason it wants Radius listed in the column.

I imported over 1000 switches with no issues once I added Radius in the column.

 

 

To be more precise,

 

Columns G (Authentication:Protocol:String(6)) and H (Authentication:Shared Secret:String(128)) of the template for importing a device list to ISE are RADIUS related. So if you need to import devices for RADIUS AUTHC only, use those ones.

 

Column AN (TACACS:Shared Secret:String(128)) is the one for TACACS AUTHC, so if you only use this authentication mechanism, then leave columns G and H empty.

 

If you want to use TACACS and RADIUS for the network device, Columns G, H and AN must be completed.
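A pre-import check for the column rule stated in the post above, as an added example that is not part of the thread and is not Cisco code. It only checks that columns G, H and AN are consistent with that rule and reports which protocol each row is set up for; it does not predict how a given ISE release treats the row, and the `Name` column and all secrets in the sample are constructed placeholders.

```python
import csv
import io

# Header names exactly as quoted in the thread (template columns G, H and AN).
COL_PROTO = "Authentication:Protocol:String(6)"
COL_RADIUS_SECRET = "Authentication:Shared Secret:String(128)"
COL_TACACS_SECRET = "TACACS:Shared Secret:String(128)"

# Constructed sample: the Name column and every secret are placeholders.
SAMPLE_CSV = f"""Name,{COL_PROTO},{COL_RADIUS_SECRET},{COL_TACACS_SECRET}
sw-a,RADIUS,example-radius-secret,
sw-b,,,example-tacacs-secret
sw-c,RADIUS,example-radius-secret,example-tacacs-secret
sw-d,TACACS_PLUS,,example-tacacs-secret
sw-e,RADIUS,,
"""

def lint_rows(csv_text):
    """Return (row_number, mode, problems) per data row without echoing secrets."""
    results = []
    for num, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        proto = (row.get(COL_PROTO) or "").strip()
        radius_secret = row.get(COL_RADIUS_SECRET) or ""
        tacacs_secret = row.get(COL_TACACS_SECRET) or ""
        problems = []
        if proto and proto != "RADIUS":
            problems.append("column G must be empty or RADIUS")
        elif bool(proto) != bool(radius_secret):
            problems.append("columns G and H must be filled or empty together")
        for label, secret in (("H", radius_secret), ("AN", tacacs_secret)):
            if len(secret) > 128:  # String(128) in the header
                problems.append(f"column {label} exceeds 128 characters")
        if proto == "RADIUS":
            mode = "RADIUS+TACACS" if tacacs_secret else "RADIUS"
        else:
            mode = "TACACS" if tacacs_secret else "NONE"
        results.append((num, mode, problems))
    return results

if __name__ == "__main__":
    for num, mode, problems in lint_rows(SAMPLE_CSV):
        print(f"row {num}: {mode}: {'; '.join(problems) or 'ok'}")
```

The import file holds every device's shared secret in clear text, so the report lists row numbers and column letters only.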

 

 

 

 


@clint.naude wrote:

Just to update this forum for anyone using ISE 2.4: complete the spreadsheet as normal, but in the Radius column type Radius. Even though it will use the TACACS details, for some reason it wants Radius listed in the column.

I imported over 1000 switches with no issues once I added Radius in the column.

 

 


Really??? Because I just lost my entire device database (filter something, and the "Delete All" button SHOULD just delete the filtered devices, NOT THE ENTIRE DATABASE).

I'm trying to reimport my devices with column G empty, and the thing stores the shared secret, but DOES NOT ENABLE TACACS FOR THE DEVICE!!!!!!!!!

I'm dying here.  First it deletes everything and now it won't accept everything back.

Ah, yes, and the backup is not working so that's a no-go (besides we updated a bunch of rules in the last month).
