In today’s fast-paced world, where organizations are constantly faced with security threats and changing technologies, the role of Cisco Identity Services Engine (ISE) is more important than ever. ISE plays a crucial role in enabling organizations to secure their networks and data by providing a comprehensive solution for identity and access management.

In this blog, we will discuss the configuration of device administration using the Identity Service Engine [ISE]. As you know, a network device can be configured through its CLI or GUI, and it is used to perform hundreds of operations that fulfil a customer's business requirements. We can control access to a network device in terms of who can access the device and what they are allowed to do on it.


What is ISE?

Identity Service Engine is a software-based platform offered by Cisco. It is mainly used to control network access and policy enforcement systems. It functions as a centralized policy engine that enables endpoint access control and network device administration for enterprise networks. Cisco is making continuous improvements to ISE, and the latest version of ISE is 2.6.

Device Administration

The network device can be accessed through the CLI and GUI in order to make the required configurations on it. A network is managed by a number of network administrators, each with different responsibilities and roles. Device administration is the process of controlling the access to a network device.

The device’s administration involves three actions:

  • Authentication -> the process of verifying the identity of a user.

  • Authorization -> the process of defining the level of control the user has.

  • Accounting -> the process of keeping records of user activities.

Together, these three are known as AAA.

 

There are two types of AAA: Local and Remote. Let’s look into them in this blog.

  1. Local AAA

The network device can be configured to perform the AAA functions locally. Authentication can be performed using a common password or with different usernames. Authorization can be performed using the privilege level or parser view.

Accounting cannot be done locally on the device.

In a separate blog, I will go over how to configure Local AAA.

  2. Remote AAA

Network devices can be configured to consult a centralized server that provides the AAA functions. The Access Control System [ACS] is a software-based solution developed by Cisco for providing AAA functions. Nowadays, a much more advanced AAA server developed by Cisco is used instead: the Identity Service Engine [ISE].

The main difference between ACS and ISE is shown in the table below:

Let’s see the configuration.

I will be using the following diagram.

SSH CONFIGURATION

IP CONFIGURATION

AAA CONFIGURATION

aaa new-model

aaa authentication login default group tacacs+ local

aaa authentication login CONSOLE none

aaa authorization config-commands

aaa authorization exec default group tacacs+

aaa authorization commands 10 LVL_10 group tacacs+

TACACS+ SERVER CONFIGURATION

tacacs server TACACS

 address ipv4 192.168.11.100

 key cisco

 exit

NOTE: the key is the shared secret used to authenticate the network device to the AAA server and to obfuscate the TACACS+ packet body; it must be identical on the router and on ISE.

VTY LINE CONFIGURATION

line vty 0 4

 authorization commands 10 LVL_10

 login authentication default

 authorization exec default

 transport input ssh

 exit
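As an added check that is not part of the original post: a small Python linter that reads the router AAA, TACACS+ server and VTY snippets above and flags what a reviewer would raise before this config goes to production (method lists with no fallback if ISE is unreachable, no accounting, a dictionary-word shared secret, non-SSH VTY access). The embedded sample config and the weak-key list are constructed for this example.

```python
# Constructed sample: the router AAA, TACACS+ server and VTY configuration
# shown in this post, with the post's own key and server address.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE none
aaa authorization config-commands
aaa authorization exec default group tacacs+
aaa authorization commands 10 LVL_10 group tacacs+
tacacs server TACACS
 address ipv4 192.168.11.100
 key cisco
line vty 0 4
 authorization commands 10 LVL_10
 login authentication default
 authorization exec default
 transport input ssh
"""

# Constructed list of shared secrets that should never be used in production.
WEAK_KEYS = {"cisco", "secret", "tacacs", "password", "admin"}


def lint_aaa_config(config: str) -> list[str]:
    """Return findings for a TACACS+ device-admin config; empty means clean."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    if "aaa new-model" not in lines:
        findings.append("aaa new-model missing: method lists are never applied")
    # A method list that ends at 'group tacacs+' has no fallback, so an
    # unreachable ISE node locks administrators out of the device.
    for l in lines:
        if l.startswith("aaa auth") and l.endswith("group tacacs+"):
            findings.append(f"no fallback method after tacacs+: '{l}'")
    # Accounting is the third A, but nothing reaches ISE unless it is enabled.
    if not any(l.startswith("aaa accounting ") for l in lines):
        findings.append("no aaa accounting: ISE gets no exec/command records")
    # The shared secret must match ISE and should not be a dictionary word.
    for l in lines:
        if l.startswith("key "):
            key = l.split(None, 1)[1]
            if key in WEAK_KEYS or len(key) < 12:
                findings.append(f"weak TACACS+ shared secret '{key}'")
    # Management plane: only SSH should reach the VTY lines.
    for l in lines:
        if l.startswith("transport input ") and l != "transport input ssh":
            findings.append(f"vty allows more than SSH: '{l}'")
    return findings
```

Running lint_aaa_config(SAMPLE_CONFIG) against the post's configuration reports the two authorization lists without a fallback, the missing accounting and the weak key; adding `local` or `if-authenticated` fallbacks, an `aaa accounting` line and a long random key clears all findings.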

ISE CONFIGURATION

Step 1:- Enable Device Administration on ISE

Administration > System > Deployment > Deployment Nodes

Enable the Device Admin Service on the deployment node.

Step 2:- Create identities on the ISE [Internal/External]

In this deployment, I have created a user on ISE internally.

Administration > System > Identity Management > Identity > Users

You can assign this user to a group if you want. Please don’t forget to submit the configuration.

Step 3:- Creating Network Devices and Network Device Groups

Administration > System > Network Resources > Network Devices > Add

ISE 2.3 supports 10,000 network device groups with a maximum of 32 characters. Here I am adding the router to the ISE server: assign a name, the IP address and the TACACS authentication settings. Please ensure that the shared secret on the network device and on the ISE server is the same, or authentication will fail.

Step 4:- Create a TACACS profile.

A TACACS profile lets you define the minimum and maximum privilege level, together with additional attributes such as ACL, auto-command, timeout, idle timeout, etc.

Work Centers > Device Administration > Policy Elements > TACACS profiles

TACACS profile Common Task Types:

  1. Shell –> IOS-XE devices

  2. WLC –> Wireless Controller

  3. Nexus –> Nexus Devices

  4. Generic –> Non-Cisco devices

Hey!

Please don’t forget to submit the configuration.

Step 5:- Define a command set for the TACACS profile.

Work Centers > Device Administration > Policy Elements > TACACS Command Sets

If you check this option, all commands will be allowed.

Step 6 :- Define a policy set for the device administration.

Work Centers > Device Administration > Policy Elements > Device Admin Policy Sets

Click on “Authentication Policy” and choose “Internal Users.”

Click on “Authorization Policy”:

Define a rule name and click on {+}.

Dictionary > Internal User > Name

Set the condition to Username EQUALS TEST, and save.

Assign a command set and a policy set, and save.

TEST

Step 1: Go to the router and enable AAA debugging.

 debug aaa authentication

 debug aaa authorization

Step 2: Go to the desktop and request an SSH session.

Step 3:- Debug output of the router

You can also check the logs on the ISE.

Operations > TACACS > Live Logs

STEPS FOLLOWED BY ISE

Conclusion

The role of Cisco Identity Services Engine (ISE) in the fast-paced world is critical in enabling organizations to secure their networks, manage a rapidly growing number of devices, adapt quickly to changing technologies and security threats, and manage their networks more efficiently. With its comprehensive solution for identity and access management, ISE helps organizations stay ahead of the curve in a constantly changing and challenging environment.

A Cisco ISE course is a great way to advance your networking knowledge and career. If you’re interested in learning Cisco ISE, Ns3Edu is the right place for you. We provide a comprehensive overview of Cisco ISE, as well as the skills and knowledge necessary to pass the Cisco ISE certification exam.

NS3Edu has a world-class team of certified trainers and advanced labs. Our training includes onsite and online instruction, study guides, practice tests and real-time practice on OEM devices that enhance students’ analytical abilities.

Make the most of your potential with the Cisco ISE Course! 

Are you ready to get started?

Visit our website 🌐 : https://ns3edu.com/

We offer a wide range of programs so feel free to contact us at +91 88 000 111 38 or [email protected].
