06-28-2017 05:35 AM
If I am not mistaken, with ACS you could use TACACS+ as the NAD protocol to authenticate network users. Looking through the documentation and menus, I do not see that capability in ISE. Is this configuration possible? Or is TACACS+ in ISE solely for Dev Admin?
06-28-2017 01:31 PM
Just to clarify,
Endpoint authentication such as dot1x, MAB and CWA uses RADIUS as a backend protocol. These services generally refer to Network access and RADIUS is used in that context and ACS supports RADIUS. ACS supports dot1x and MAB in that context.
Device administration can use TACACS+ or RADIUS. However, TACACS+ is the prevalently used method since it supports authentication, session authorization, command authorization and accounting. It offers greater flexibility for Device management and audit. The RADIUS protocol can be used by third-party devices that do not support TACACS+. RADIUS authorization needs to send the attributes during authorization for that.
ISE has all the protocol support as that of ACS. ISE 2.0 started supporting TACACS+. If you are using an ISE version prior to ISE 2.0 you may not see that. TACACS+ is a service that needs to be enabled in the UI under Administration --> Deployment for that ISE node. We have a workcenter for Device administration where you see relevant information.
-Krishnan
06-28-2017 06:27 AM
Hi,
ACS can use T+ for Network Access as long as you're in no need of EAP, which is not supported, hence the use of RADIUS for NA.
To answer your question, ISE uses RADIUS for Network Access and T+ for Device Management only.
-Danny
06-28-2017 06:48 AM
Can you please explain the use case?