Infrastructure network device profile and policy question - Thanks!

ancloyd
Cisco Employee

Hello ISE team,

Input on the following question is appreciated:  Thanks!

Subject: ISE Network Device Profiles

Andy – Can you send the following challenge up to your ISE team and help us determine if the following is indeed the best we’re going to be able to do…

Goal

  • Create network device profiles for:
    • Switches
    • Firewalls
    • Routers
    • NXOS
    • Custom
    • Default
  • Apply a policy based on device type
    • Switches have a certain set of commands allowed to be run
    • Firewalls have a certain set of commands allowed to be run
    • Routers…

At present, we’re having to add every single device into ISE, and manually map the device profile.

My expectation is that there is some attribute the device has to tell ISE/TACACS “I’m an ASA”, or “I’m a router” with us having to manually define that over and over.

Is this possible, and if so how?

Thanks for your help.

1 Accepted Solution

Accepted Solutions

paul
Level 10

There isn't a way I know of.  I always add all the devices into ISE.  There are two reasons for this:

  1. If you ever want to write rules specific for a set of NADs you have them defined individually.
  2. You have maximum reporting options.  If someone asks you to report on TACACS/RADIUS activity from particular NAD you can easily do that.  I know you can do this by NAD IP, but it is nice to have the NADs all named imo.

Adding a NAD takes less than 5 seconds (duplicate existing NAD of same type, change IP, change name) and you can bulk import from a CSV, so adding 100s of NADs in a few seconds is also easy.

You can also define a default network device in ISE and set up a policy for that.  I have done that for large customers so if they forget to add the NAD to ISE a certain set of people will still be able to log into that device with TACACS.


4 Replies

Correct as always paul

There is no sensing or handshake built into the RADIUS or TACACS protocols; that's up to SNMP.

The only time you get any indication of device type is when you use the visibility setup wizard to scan your management network via SNMP but still you need to assign them to device groups etc

The VSW is only used on initial setup of ISE to start showing the rich context ISE is able to provide to the organization

You could submit enhancement request for this.  There was discussion to do this with VSW but not committed.

In addition to import via CSV, there is also the ERS API, which can create/update virtually all aspects of a NAD.  I assume you or the customer already has a list of all valid access devices. This can be used to mass populate location (very valuable), NAD profile, SNMP and RADIUS/TACACS+ settings, etc.   Note that it is also possible to have multiple NAD profiles for a given vendor, so even then it would be a default vs specific profile.

/Craig
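As an added illustration of the CSV-plus-ERS approach described in the two answers above (example code, not from the thread or from Cisco): the script below turns a constructed device inventory into ERS NetworkDevice objects, assigning each NAD a device-type group and network device profile so a policy set can match on them. The CSV columns, the `ERS_URL` / credential values and the exact ERS JSON field names are assumptions; the shared secret should come from a vault rather than the inventory file.

```python
import base64
import csv
import io
import json
import urllib.request

# Constructed sample inventory; the column layout is an assumption, not an ISE export.
INVENTORY_CSV = """name,ip,device_type,profile,location,tacacs_secret
core-sw-01,10.1.1.10,Switches,Cisco,HQ,REPLACE_ME
edge-fw-01,10.1.1.20,Firewalls,Cisco,HQ,REPLACE_ME
"""

def load_rows(csv_text):
    """Parse the inventory CSV into one dict per NAD."""
    return list(csv.DictReader(io.StringIO(csv_text)))

def build_nad_payload(row):
    """Map one inventory row onto an ERS NetworkDevice object.

    Field names follow the ERS config/networkdevice schema as I understand it
    (assumption). The group path 'Device Type#All Device Types#<type>' is what a
    TACACS policy set condition on Device Type matches against."""
    return {"NetworkDevice": {
        "name": row["name"],
        "NetworkDeviceIPList": [{"ipaddress": row["ip"], "mask": 32}],
        "NetworkDeviceGroupList": [
            f"Device Type#All Device Types#{row['device_type']}",
            f"Location#All Locations#{row['location']}",
        ],
        "profileName": row["profile"],          # network device profile
        "tacacsSettings": {"sharedSecret": row["tacacs_secret"],  # load from a vault in practice
                           "connectModeOptions": "ON_LEGACY"},
    }}

def post_nad(base_url, user, password, payload):
    """POST one NAD to ERS (basic auth, port 9060). Not called at import time."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{base_url}/ers/config/networkdevice",
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json",
                 "Accept": "application/json",
                 "Authorization": f"Basic {token}"},
        method="POST")
    with urllib.request.urlopen(req) as resp:   # expect 201 Created
        return resp.status

if __name__ == "__main__":
    ERS_URL = "https://ise.example.invalid:9060"   # placeholder PAN address
    for row in load_rows(INVENTORY_CSV):
        print(json.dumps(build_nad_payload(row), indent=1))
```

Run with `post_nad(ERS_URL, user, password, build_nad_payload(row))` inside the loop once the ERS admin account and the PAN's certificate are in place.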

ancloyd
Cisco Employee

Thanks all!
