In this blog post, I'm going to add my network access devices (NADs) to my ISE deployment. These are the devices that will be sending RADIUS requests and profiling information to ISE about endpoints on the network and, depending on the policy, ISE will be returning an authorization profile which will give the access device instructions on how to treat that endpoint.
The first thing I like to do prior to adding the NADs is to create logical grouping for them such as their location, device type, etc. Navigate to Administration>Network Resources>Network Device Groups. We have a default grouping of All Device Types and All Locations. For my lab, I'm going to create the following groups: Switches, Virtual Switch, and Wireless Controller under the parent group of All Device Types. I will also create the SecurityLab group under the parent group of All Locations as detailed in the below screenshot:
After creating my groups, I'm going to add my NADs.
To add these devices, navigate to Administration>Network Resources>Network Devices and clickAdd. While I'm adding my devices, I always make sure to add the device to the logical groups I created for Device Type and Location:
Check the box next to RADIUS Authentication Settings and keep everything at it's default except add a secret in the Shared Secret field. In this case, I'm going to use networknode as my secret:
Check the box next to TACACS+ Authentication Settings and enter your preferred shared secret:
Check the box next to SNMP Settings. You have several SNMP settings you can choose but for the purpose of the lab, I'm going to stick with selecting 2c on the SNMP Version drop-down. Under theSNMP RO Community field, enter the community string of your choosing. You can adjust the polling interval and originating PSN if you choose to do so but since this is a lab, I only have one PSN so there's no need to make any adjustments:
Leave the Trustsec box unchecked for now. We will go over that in a separate TrustSec. ClickSubmit when you are done configuring your NAD.
Do the above for all the NADs in your deployment or lab.
I tested using both Cisco ISE 2.4 (patch 9) and Cisco ISE 2.6 (patch 1). I have a user who successfully authenticated via RADIUS against ISE. Under ISE, Operations > Live Logs (and Live sessions), I see the user authenticated. After the accounting requ...
Hello,I would like to download ESA software for C695. But I cannot find any versions for this model.https://software.cisco.com/download/home/282509130Does anyone know how to find it and download it? Thank you!SH SHAO
Hello everyone, So I have a Cisco Firepower 2110 firewall with ASA version 9.8.2 and I'm using ASDM 7.8(2) to configure it. I have a strange dilemma that when I try to configure my interfaces is does not let me alter the ports media type from rj45 to...
Hello, We have a server on our internal network that we are currently using port forwarding to allow accessibility from the outside and I am considering placing it in a DMZ to limit potential attack surface. The problem is that clients on the inside ...
I have an ISP in Australia that requires VLAN 100 to connect to the Internet. This is pure data. It is Australia's NBN system. They have handed us a .252 Public IP to use on our Firewall with a default route to the upstream router they are using for...