Currently working on a network refresh. Moving ahead with the following Cisco pack: dual 4500-X distribution switches in VSS and 3850 stacks as access switches, while the wireless environment will be upgraded to dual 5520 WLCs and 3802i APs. Dual Cisco ISE VMs are also being deployed.
TACACS authentication in Cisco ISE was introduced in version 2.0. It requires a Device Administration license before the feature can be enabled.
Once the Device Administration license has been applied, enable the service under Administration – Deployment by ticking its checkbox on the ISE nodes that should provide it.
The next step is to import your network devices. For each one, Cisco ISE needs the hostname, IP address and TACACS shared secret; there is a template for bulk importing.
Now configure the network devices to use TACACS for authentication and/or authorisation: define the ISE servers with the TACACS host command and set the same TACACS shared secret on each device.
You must then create a device administration policy. It consists of who can authenticate (e.g. internal or Active Directory users) and, for authorisation, what those users are permitted to access once logged in. This is found under the Work Centre.
Real-time TACACS authentication and authorisation can be viewed and monitored under Operations – TACACS Live Log.
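As an added example (not configuration from the original post), here is the device-side half of the TACACS setup described above on a Cisco IOS switch: the two ISE nodes are defined as TACACS servers, grouped, and used for login, exec and command authorisation with accounting. The server names, addresses, VLAN, key and local username are assumptions; the local fallback keeps the switch reachable if both ISE nodes are down.

```cisco
! Enable the AAA framework
aaa new-model
!
! Define both ISE nodes (addresses and key are placeholders)
tacacs server ISE-01
 address ipv4 192.0.2.11
 key SHARED-SECRET-FROM-ISE
tacacs server ISE-02
 address ipv4 192.0.2.12
 key SHARED-SECRET-FROM-ISE
!
aaa group server tacacs+ ISE-TACACS
 server name ISE-01
 server name ISE-02
!
! Authenticate against ISE first, fall back to the local database
aaa authentication login ISE-LOGIN group ISE-TACACS local
aaa authentication enable default group ISE-TACACS enable
! Let ISE decide the privilege level and which commands are allowed
aaa authorization exec ISE-EXEC group ISE-TACACS local
aaa authorization commands 15 ISE-CMD group ISE-TACACS local
aaa authorization config-commands
! Send session and command records to ISE for the live log
aaa accounting exec default start-stop group ISE-TACACS
aaa accounting commands 15 default start-stop group ISE-TACACS
!
! Local fallback account, only used when no ISE node answers
username localadmin privilege 15 secret LOCAL-FALLBACK-PASSWORD
!
! Source TACACS traffic from the management SVI ISE knows about
ip tacacs source-interface Vlan100
!
line vty 0 4
 login authentication ISE-LOGIN
 authorization exec ISE-EXEC
 authorization commands 15 ISE-CMD
 transport input ssh
```

Before logging out of your existing session, verify with `test aaa group ISE-TACACS <user> <password> new-code` that ISE actually answers and the attempt appears in the TACACS Live Log.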
If you are running wired RADIUS authentication and the device is obtaining an IP address, but the show auth session command on the Cisco switch reports the IP address as unknown, ensure that ‘ip device tracking’ is configured in global configuration. Without device tracking the switch never learns the client's address for that session, so it cannot report it.
Cisco ISE profiling works extremely well. For profiling to work, Cisco ISE must have the Advanced license installed.
You must also ensure that under Policy – Profiling, ‘Yes, create matching Identity Group’ is selected for the device types you would like to profile in your organisation, e.g. Microsoft workstations, Apple devices, Wyse devices, etc.
For an IP Phone to obtain an IP address, you must ensure that the authorisation permission (Policy Elements – Results) has the Voice Domain Permission checked or the equivalent Cisco AV pair applied.
This places the IP Phone in the ‘Voice’ domain so that it uses the switchport's voice VLAN assignment.
As part of the Authorisation Policy – Permissions, or under Policy Elements – Results, you can create and assign downloadable ACLs to the client and place the client in a specified VLAN. Just tick the VLAN box and enter the VLAN number. Pretty cool Cisco!
Of course, as usual, the switch/WLC will need to know about the VLAN, and any DHCP reservations will need to be set up for the client to obtain an IP address.
Cisco ISE is an identity-based network access control and profiling device. There are a lot of fields to get your head around when you first install Cisco ISE. The main components of Cisco ISE are network profiling and the authentication and authorisation policies. Authentication is mainly done through 802.1X or MAB.
Something I found useful is understanding that within the Authorisation Policy there are three main fields: the name of the policy, Conditions and Permissions. Conditions can be created and found under Policy Elements. Permissions go by the name of Results under Policy Elements.