Define Network Devices in Cisco ISE
A network device, such as a switch or a router, is an authentication, authorization, and accounting (AAA) client that sends AAA service requests to Cisco ISE. Defining network devices in Cisco ISE enables interactions between Cisco ISE and network devices.
Configure network devices for RADIUS or TACACS AAA, and Simple Network Management Protocol (SNMP) for the Profiling service to collect Cisco Discovery Protocol and Link Layer Discovery Protocol (LLDP) attributes for profiling endpoints, and TrustSec attributes for Cisco TrustSec devices. A network device that is not defined in Cisco ISE cannot receive AAA services from Cisco ISE.
From the Cisco ISE main menu, open the Network Devices window and click Add. In the New Network Device window that is displayed, enter the following details to define a network device:

- Select the vendor profile that fits the network device. The profile includes predefined configurations for the device, such as settings for URL redirect and change of authorization.
- Configure the RADIUS protocol for RADIUS authentications. When Cisco ISE receives a RADIUS request from a network device, it looks for the corresponding device definition to retrieve the configured shared secret. If Cisco ISE finds the device definition, it obtains the shared secret configured for the device and matches it against the shared secret in the request to authenticate access. If the shared secrets match, the RADIUS server processes the request further based on the policy and configuration. If the shared secrets do not match, a reject response is sent to the network device, and a failed authentication report that provides the failure reason is generated.
- Configure the TACACS+ protocol for TACACS+ authentications. When Cisco ISE receives a TACACS+ request from a network device, it looks for the corresponding device definition to retrieve the configured shared secret. If it finds the device definition, it obtains the shared secret configured for the device and matches it against the shared secret in the request to authenticate access. If the shared secrets match, the TACACS+ server processes the request further based on the policy and configuration. If they do not match, a reject response is sent to the network device, and a failed authentication report that provides the failure reason is generated.
- You can configure the Simple Network Management Protocol (SNMP) in the network device definition so that the Profiling service can communicate with the network devices and profile the endpoints that are connected to them.
- You must define Cisco TrustSec-enabled devices in Cisco ISE to process requests from TrustSec-enabled devices that can be part of the Cisco TrustSec solution. Any switch that supports the Cisco TrustSec solution is a Cisco TrustSec-enabled device. Cisco TrustSec devices do not use IP addresses; instead, you must define other settings so that Cisco TrustSec devices can communicate with Cisco ISE. Cisco TrustSec-enabled devices use the TrustSec attributes to communicate with Cisco ISE. Cisco TrustSec-enabled devices, such as the Cisco Nexus 7000 Series Switches, Cisco Catalyst 6000 Series Switches, Cisco Catalyst 4000 Series Switches, and Cisco Catalyst 3000 Series Switches, are authenticated using the Cisco TrustSec attributes that you define while adding Cisco TrustSec devices.
Note: When you configure a network device on Cisco ISE, we recommend that you do not include a backslash (\) as part of the shared secret. This is because when you upgrade Cisco ISE, the backslash will not appear in the shared secret. However, if you reimage Cisco ISE instead of upgrading it, the backslash appears in the shared secret.
Define a Default Network Device in Cisco ISE
Note: We recommend that you add the default device definition only for basic RADIUS and TACACS authentications. For advanced flows, you must add a separate device definition for each network device.
When Cisco ISE receives a RADIUS or TACACS request from a network device, it looks for the corresponding device definition to retrieve the shared secret that is configured in that definition.

Cisco ISE performs the following procedure when a RADIUS or TACACS request is received:

1. Looks for a specific IP address that matches the one in the request.
2. Looks up the ranges to see if the IP address in the request falls within a range that is specified.
3. If both step 1 and step 2 fail, it uses the default device definition (if defined) to process the request.
Cisco ISE obtains the shared secret that is configured in the device definition for that device and matches it against the shared secret in the RADIUS or TACACS request to authenticate access. If no device definitions are found, Cisco ISE obtains the shared secret from the default network device definition and processes the RADIUS or TACACS request.
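As an added illustration (example code written for this page, not Cisco ISE's own implementation), the following Python models the three-step lookup above and the shared-secret check that follows it. The device names, secrets, addresses and the address-spec grammar (a single host, a CIDR subnet, or a first-last range) are constructed assumptions. Because a RADIUS client never transmits the secret itself, the example checks it the way RFC 2869 does: the client's Message-Authenticator attribute is an HMAC-MD5 over the Access-Request keyed with the shared secret, and the server recomputes it with the secret from the matched definition. A mismatch yields the reject-plus-failure-reason outcome the text describes, and an undefined device with no default definition yields no service at all.

```python
# Added example (not Cisco ISE code): device-definition lookup order and
# shared-secret verification on a minimal RADIUS Access-Request.
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass

RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 2869: HMAC-MD5 over the whole packet


@dataclass(frozen=True)
class NetworkDevice:
    name: str
    shared_secret: bytes
    # Address specs: "10.0.0.1" (host), "10.1.0.0/24" (subnet) or
    # "10.2.0.10-10.2.0.20" (range). This grammar is an assumption of the
    # example, not the syntax of the ISE "IP Address or IP Range" field.
    addresses: tuple = ()


def _is_range(spec: str) -> bool:
    return "/" in spec or "-" in spec


def _spec_matches(ip, spec: str) -> bool:
    if "/" in spec:
        return ip in ipaddress.ip_network(spec, strict=False)
    if "-" in spec:
        first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return first <= ip <= last
    return ip == ipaddress.ip_address(spec)


def find_device(devices, default_device, source_ip):
    """Return (device, how) in the documented order: exact IP first,
    then ranges/subnets, then the default device if one is defined."""
    ip = ipaddress.ip_address(source_ip)
    for dev in devices:  # step 1: a specific IP address
        if any(not _is_range(s) and _spec_matches(ip, s) for s in dev.addresses):
            return dev, "exact"
    for dev in devices:  # step 2: ranges and subnets
        if any(_is_range(s) and _spec_matches(ip, s) for s in dev.addresses):
            return dev, "range"
    if default_device is not None:  # step 3: default device definition
        return default_device, "default"
    return None, "undefined"


def build_access_request(shared_secret, identifier, request_authenticator, attributes):
    """Encode a minimal Access-Request (client side) and fill in the
    Message-Authenticator computed with the client's copy of the secret."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attributes)
    ma_value_offset = 20 + len(body) + 2  # header(20) + attrs + type/len bytes
    body += struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    packet = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, 20 + len(body))
    packet += request_authenticator + body
    mac = hmac.new(shared_secret, packet, hashlib.md5).digest()
    return packet[:ma_value_offset] + mac + packet[ma_value_offset + 16:]


def message_authenticator_valid(packet, shared_secret):
    """Server side: recompute HMAC-MD5 with the candidate secret over the
    packet with the attribute value zeroed; compare in constant time."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2:
            return False  # malformed attribute
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(shared_secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += attr_len
    return False  # no Message-Authenticator present


def authenticate_request(devices, default_device, source_ip, packet):
    """Return (accepted, device_name, reason) following the text above."""
    dev, how = find_device(devices, default_device, source_ip)
    if dev is None:
        return False, None, "no device definition for source IP"
    if not message_authenticator_valid(packet, dev.shared_secret):
        return False, dev.name, "shared secret mismatch"
    return True, dev.name, f"matched by {how}"


# Constructed sample inventory (names, secrets and addresses are made up).
DEVICES = (
    NetworkDevice("core-sw-1", b"core-secret", ("10.0.0.1",)),
    NetworkDevice("branch-switches", b"branch-secret",
                  ("10.1.0.0/24", "10.2.0.10-10.2.0.20")),
)
DEFAULT_DEVICE = NetworkDevice("default", b"default-secret")
SAMPLE_AUTHENTICATOR = bytes(range(16))  # constructed; real clients use random bytes

if __name__ == "__main__":
    req = build_access_request(b"core-secret", 7, SAMPLE_AUTHENTICATOR,
                               [(ATTR_USER_NAME, b"alice")])
    print(authenticate_request(DEVICES, DEFAULT_DEVICE, "10.0.0.1", req))
    bad = build_access_request(b"typo-secret", 7, SAMPLE_AUTHENTICATOR,
                               [(ATTR_USER_NAME, b"alice")])
    print(authenticate_request(DEVICES, DEFAULT_DEVICE, "10.0.0.1", bad))
```

The `reason` string stands in for the failure reason that appears in the failed authentication report; when you troubleshoot a reject, it tells you whether the source IP matched no definition at all or matched one whose secret differs from what the switch is configured with.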
Network Devices
The windows described in the following sections enable you to add and manage network devices in Cisco ISE.
Network Device Definition Settings
The following tables describe the fields in the Network Devices window, which you can use to configure a network access device in Cisco ISE. To open this window, open the Network Devices window from the main menu and click Add.
Network Device Settings
The following table describes the fields in the New Network Devices window.
| Field Name | Description |
|---|---|
| Name | Enter a name for the network device. You can provide a descriptive name for the network device that is different from the hostname of the device. The device name is a logical identifier. |
| Description | Enter a description for the device. |
| IP Address or IP Range | Choose one of the following from the drop-down list and enter the required values in the fields displayed. The following are the guidelines for defining the IP addresses and subnet masks, or IP address ranges: |
| Device Profile | Choose the vendor of the network device from the drop-down list. Use the tooltip next to the drop-down list to see the flows and services that the selected vendor's network devices support. The tooltip also displays the RADIUS Change of Authorization (CoA) port and the type of URL redirect that is used by the device. These attributes are defined in the device type's network device profile. |
| Model Name | Choose the device model from the drop-down list. Use the model name as one of the parameters while checking for conditions in rule-based policies. This attribute is present in the device dictionary. |
| Software Version | Choose the version of the software running on the network device from the drop-down list. You can use the software version as one of the parameters while checking for conditions in rule-based policies. This attribute is present in the device dictionary. |
| Network Device Group | In the Network Device Group area, choose the required values from the Location, IPSEC, and Device Type drop-down lists. If you do not specifically assign a device to a group, it becomes a part of the default device groups (root network device groups), which are All Locations by location and All Device Types by device type. |

Note: While using a filter to choose and delete a Network Access Device (NAD) from your Cisco ISE deployment, clear your browser cache to ensure that only the chosen NADs are deleted.
RADIUS Authentication Settings
The following table describes the fields in the RADIUS Authentication Settings area.
| Field Name | Usage Guidelines |
|---|---|
| **RADIUS UDP Settings** | |
| Protocol | Displays RADIUS as the selected protocol. |
| Shared Secret | Enter the shared secret for the network device. The shared secret is the key that is configured on the network device using the radius-host command with the pac option. |
| Use Second Shared Secret | Specify a second shared secret to be used by the network device and Cisco ISE. |
| CoA Port | Specify the port to be used for RADIUS CoA. The default CoA port for the device is defined in the network device profile that is configured for a network device (Network Resources > Network Device Profiles). Click Set To Default to use the default CoA port. |
| **RADIUS DTLS Settings** | |
| DTLS Required | If you check the DTLS Required check box, Cisco ISE processes only the DTLS requests from this device. If this option is disabled, Cisco ISE processes both UDP and DTLS requests from this device. RADIUS DTLS provides improved security for Secure Sockets Layer (SSL) tunnel establishment and RADIUS communication. |
| Shared Secret | Displays the shared secret that is used for RADIUS DTLS. This value is fixed and is used to compute the Message Digest 5 (MD5) integrity checks. |
| CoA Port | Specify the port to be used for RADIUS DTLS CoA. |
| Issuer CA of ISE Certificates for CoA | Choose the certificate authority to be used for RADIUS DTLS CoA from the drop-down list. |
| DNS Name | Enter the DNS name of the network device. If the Enable RADIUS/DTLS Client Identity Verification option is enabled in the RADIUS Settings window, Cisco ISE compares this DNS name with the DNS name that is specified in the client certificate to verify the identity of the network device. |
| **General Settings** | |
| Enable KeyWrap | Check the Enable KeyWrap check box only if KeyWrap algorithms are supported by the network device. The network device must be compatible with the AES KeyWrap RFC (RFC 3394). This option is used to increase RADIUS security through an AES KeyWrap algorithm. |
| Key Encryption Key | Enter the encryption key that is used for session encryption (secrecy). |
| Message Authenticator Code Key | Enter the key that is used for keyed Hashed Message Authentication Code (HMAC) calculation over RADIUS messages. |
| Key Input Format | Click one of the following radio buttons: You can specify the key input format that you want to use to enter the Key Encryption Key and Message Authenticator Code Key so that it matches the configuration on the network device. The value that you specify must be the correct (full) length for the key; shorter values are not permitted. |
TACACS Authentication Settings
| Field Name | Usage Guidelines |
|---|---|
| Shared Secret | A string of text that is assigned to a network device when the TACACS+ protocol is enabled. The user must enter the text before the network device authenticates a username and password. The connection is rejected until the user supplies the shared secret. |
| Retired Shared Secret is Active | Displayed when the retirement period is active. |
| Retire | Retires an existing shared secret instead of ending it. When you click Retire, a dialog box is displayed. You can click either Yes or No. |
| Remaining Retired Period | (Available only if you click Yes in the Retire dialog box) Displays the default value that is specified in the window. You can change the default value, as necessary. The old shared secret remains active for the specified number of days. |
| End | (Available only if you click Yes in the Retire dialog box) Ends the retirement period and terminates the old shared secret. |
| Enable Single Connect Mode | Check the Enable Single Connect Mode check box to use a single TCP connection for all TACACS communications with the network device. Click one of the following radio buttons: |
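The Retire, Remaining Retired Period and End controls above describe a rotation grace window: a new secret becomes active while the old one keeps working for a set number of days, so switches can be re-keyed without an outage. The following Python, an added example and not Cisco ISE code, models that window; the class and method names are this example's own, and the "presented secret" it classifies is a simplification (a real TACACS+ server validates the secret by decrypting the packet body rather than comparing strings). The useful output is the label "retired": any device still producing it near the end of the window has not been re-keyed yet.

```python
# Added example (not Cisco ISE code): shared-secret retirement window.
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class DeviceSecrets:
    """Active secret plus an optional retired secret that is still accepted
    until `retired_until` (the Remaining Retired Period, in days)."""
    active: bytes
    retired: Optional[bytes] = None
    retired_until: Optional[datetime] = None

    def retire(self, new_secret: bytes, now: datetime, days: int) -> None:
        """The Retire control: the new secret becomes active and the old one
        stays valid for `days` more days instead of ending immediately."""
        if days < 1:
            raise ValueError("retirement period must be at least one day")
        self.retired = self.active
        self.retired_until = now + timedelta(days=days)
        self.active = new_secret

    def end_retirement(self) -> None:
        """The End control: terminate the old secret at once."""
        self.retired = None
        self.retired_until = None

    def retirement_active(self, now: datetime) -> bool:
        """Corresponds to the 'Retired Shared Secret is Active' indicator."""
        return (self.retired is not None and self.retired_until is not None
                and now < self.retired_until)

    def days_remaining(self, now: datetime) -> int:
        if not self.retirement_active(now):
            return 0
        return (self.retired_until - now).days

    def classify(self, presented: bytes, now: datetime) -> Optional[str]:
        """Which secret a device is using: 'active', 'retired' (still inside
        the window) or None (reject). Comparisons are constant-time."""
        if hmac.compare_digest(presented, self.active):
            return "active"
        if self.retirement_active(now) and hmac.compare_digest(presented, self.retired):
            return "retired"
        return None


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed timestamp
    secrets = DeviceSecrets(b"old-tacacs-secret")
    secrets.retire(b"new-tacacs-secret", t0, days=7)
    print(secrets.classify(b"old-tacacs-secret", t0 + timedelta(days=3)))  # retired
    print(secrets.classify(b"old-tacacs-secret", t0 + timedelta(days=9)))  # None
```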
SNMP Settings
The following table describes the fields in the SNMP Settings section.
| Field Name | Usage Guidelines |
|---|---|
| SNMP Version | Choose one of the following options from the SNMP Version drop-down list: |
| SNMP RO Community | (Applicable only for SNMP versions 1 and 2c) Enter the Read Only Community string that provides Cisco ISE with a particular type of access to the device. |
| SNMP Username | (Only for SNMP Version 3) Enter the SNMP username. |
| Security Level | (Only for SNMP Version 3) Choose one of the following options from the Security Level drop-down list: |
| Auth Protocol | (Only for SNMP Version 3 when the Auth or Priv security level is selected) Choose the authentication protocol that you want the network device to use from the Auth Protocol drop-down list. |
| Auth Password | (Only for SNMP Version 3 when the Auth or Priv security level is selected) Enter the authentication key. It must be at least eight characters in length. Click Show to display the authentication password that is already configured for the device. |
| Privacy Protocol | (Only for SNMP Version 3 when the Priv security level is selected) Choose one of the following options from the Privacy Protocol drop-down list: |
| Privacy Password | (Only for SNMP Version 3 when the Priv security level is selected) Enter the privacy key. Click Show to display the privacy password that is already configured for the device. |
| Polling Interval | Enter the polling interval, in seconds. The default value is 3600. |
| Link Trap Query | Check the Link Trap Query check box to receive and interpret linkup and linkdown notifications that are received through the SNMP trap. |
| Mac Trap Query | Check the Mac Trap Query check box to receive and interpret MAC notifications that are received through the SNMP trap. |
| Originating Policy Services Node | Choose the Cisco ISE server to be used to poll for SNMP data from the Originating Policy Services Node drop-down list. The default value for this field is Auto. Override the setting by choosing a specific value from the drop-down list. |
Advanced TrustSec Settings
The following table describes the fields in the Advanced TrustSec Settings section.
| Field Name | Usage Guidelines |
|---|---|
| **Device Authentication Settings** | |
| Use Device ID for TrustSec Identification | Check the Use Device ID for TrustSec Identification check box if you want the device name to be listed as the device identifier in the Device ID field. |
| Device ID | You can use this field only if you have not checked the Use Device ID for TrustSec Identification check box. |
| Password | Enter the password that you have configured in the Cisco TrustSec device's CLI to authenticate the Cisco TrustSec device. Click Show to display the password. |
| **HTTP REST API Settings** | |
| **TrustSec Device Notification and Updates** | |
| Device ID | You can use this field only if you have not checked the Use Device ID for TrustSec Identification check box. |
| Password | Enter the password that you have configured in the Cisco TrustSec device's CLI to authenticate the Cisco TrustSec device. Click Show to display the password. |
| Download Environment Data Every <...> | Specify the time interval at which the device must download its environment data from Cisco ISE by choosing the required values from the drop-down lists in this area. You can choose the time interval in seconds, minutes, hours, days, or weeks. The default value is one day. |
| Download Peer Authorization Policy Every <...> | Specify the time interval at which the device must download the peer authorization policy from Cisco ISE by choosing the required values from the drop-down lists in this area. You can specify the time interval in seconds, minutes, hours, days, or weeks. The default value is one day. |
| Reauthentication Every <...> | Specify the time interval at which the device reauthenticates itself against Cisco ISE after the initial authentication by choosing the required values from the drop-down lists in this area. You can configure the time interval in seconds, minutes, hours, days, or weeks. For example, if you enter 1000 seconds, the device authenticates itself against Cisco ISE every 1000 seconds. The default value is one day. |
| Download SGACL Lists Every <...> | Specify the time interval at which the device downloads SGACL lists from Cisco ISE by choosing the required values from the drop-down lists in this area. You can configure the time interval in seconds, minutes, hours, days, or weeks. The default value is one day. |
| Other TrustSec Devices to Trust This Device (TrustSec Trusted) | Check the Other TrustSec Devices to Trust This Device check box to allow all the peer devices to trust this Cisco TrustSec device. If this check box is not checked, the peer devices do not trust this device, and all the packets that arrive from this device are colored or tagged accordingly. |
| Send Configuration Changes to Device | Check the Send Configuration Changes to Device check box if you want Cisco ISE to send Cisco TrustSec configuration changes to the Cisco TrustSec device using CoA or CLI (SSH). Click the CoA or CLI (SSH) radio button, as required. Click the CoA radio button if you want Cisco ISE to send the configuration changes to the Cisco TrustSec device using CoA. Click the CLI (SSH) radio button if you want Cisco ISE to send the configuration changes to the Cisco TrustSec device using the CLI (over the SSH connection). For more information, see Push Configuration Changes to Non-CoA Supporting Devices. |
| Send From | From the drop-down list, choose the Cisco ISE node from which the configuration changes must be sent to the Cisco TrustSec device. You can select a PAN or a PSN. If the PSN that you choose is down, the configuration changes are sent to the Cisco TrustSec device using the PAN. |
| Test Connection | You can use this option to test the connectivity between the Cisco TrustSec device and the selected Cisco ISE node (PAN or PSN). |
| SSH Key | To use this feature, open an SSHv2 tunnel from Cisco ISE to the network device, and use the device's CLI to retrieve the SSH key. You must copy this key and paste it in the SSH Key field for validation. For more information, see SSH Key Validation. |
| **Device Configuration Deployment** | |
| Include this device when deploying Security Group Tag Mapping Updates | Check the Include this device when deploying Security Group Tag Mapping Updates check box if you want the Cisco TrustSec device to obtain the IP-SGT mappings using the device interface credentials. |
| EXEC Mode Username | Enter the username that you use to log in to the Cisco TrustSec device. |
| EXEC Mode Password | Enter the device password. Click Show to view the password. |
| Enable Mode Password | (Optional) Enter the enable password that is used to edit the configuration of the Cisco TrustSec device in privileged EXEC mode. Click Show to view the password. |
| **Out Of Band TrustSec PAC** | |
| Issue Date | Displays the issuing date of the last Cisco TrustSec PAC that was generated by Cisco ISE for the Cisco TrustSec device. |
| Expiration Date | Displays the expiration date of the last Cisco TrustSec PAC that was generated by Cisco ISE for the Cisco TrustSec device. |
| Issued By | Displays the name of the issuer (a Cisco TrustSec administrator) of the last Cisco TrustSec PAC that was generated by Cisco ISE for the Cisco TrustSec device. |
| Generate PAC | Click the Generate PAC button to generate the out-of-band Cisco TrustSec PAC for the Cisco TrustSec device. |
Default Network Device Definition Settings
The following table describes the fields in the Default Network Device window, with which you configure a default network device that Cisco ISE can use for RADIUS or TACACS+ authentication. Choose one of the following navigation paths:
| Field Name | Usage Guidelines |
|---|---|
| Default Network Device Status | Choose Enable from the Default Network Device Status drop-down list to enable the default network device definition. |
| Device Profile | Displays Cisco as the default device vendor. |
| **RADIUS Authentication Settings** | |
| Enable RADIUS | Check the Enable RADIUS check box to enable RADIUS authentication for the device. |
| **RADIUS UDP Settings** | |
| Shared Secret | Enter a shared secret. The shared secret can be up to 127 characters in length. The shared secret is the key that you have configured on the network device using the radius-host command with the pac keyword. |
| **RADIUS DTLS Settings** | |
| DTLS Required | If you check the DTLS Required check box, Cisco ISE processes only the DTLS requests from this device. If this option is disabled, Cisco ISE processes both UDP and DTLS requests from this device. RADIUS DTLS provides improved security for SSL tunnel establishment and RADIUS communication. |
| Shared Secret | Displays the shared secret that is used for RADIUS DTLS. This value is fixed and is used to compute the MD5 integrity checks. |
| Issuer CA of ISE Certificates for CoA | Choose the certificate authority to be used for RADIUS DTLS CoA from the Issuer CA of ISE Certificates for CoA drop-down list. |
| **General Settings** | |
| Enable KeyWrap | (Optional) Check the Enable KeyWrap check box only if KeyWrap algorithms are supported on the network device; this increases RADIUS security through an AES KeyWrap algorithm. |
| Key Encryption Key | Enter an encryption key to be used for session encryption (secrecy) when you enable KeyWrap. |
| Message Authenticator Code Key | Enter the key that is used for keyed Hashed Message Authentication Code (HMAC) calculation over RADIUS messages when you enable KeyWrap. |
| Key Input Format | Choose one of the following formats by clicking the corresponding radio button, and enter values in the Key Encryption Key and Message Authenticator Code Key fields: Specify the key input format that you want to use to enter the Key Encryption Key and Message Authenticator Code Key so that it matches the configuration on the network device. The value that you specify must be the correct (full) length for the key. Shorter values are not permitted. |
| **TACACS Authentication Settings** | |
| Shared Secret | Enter a string of text to assign to a network device when the TACACS+ protocol is enabled. Note that a user must enter the text before the network device authenticates a username and password. The connection is rejected until the user supplies the shared secret. |
| Retired Shared Secret is Active | Displayed when the retirement period is active. |
| Retire | Retires an existing shared secret instead of ending it. When you click Retire, a dialog box is displayed. Click Yes or No. |
| Remaining Retired Period | (Optional) Available only if you click Yes in the Retire dialog box. Displays the default value that is specified in the window. You can change the default value. This allows a new shared secret to be entered. The old shared secret remains active for the specified number of days. |
| End | (Optional) Available only if you select Yes in the Remaining Retired Period dialog box. Ends the retirement period and terminates the old shared secret. |
| Enable Single Connect Mode | Check the Enable Single Connect Mode check box to use a single TCP connection for all TACACS+ communication with the network device. Click one of the following radio buttons: |
Network Device Import Settings
| Field Name | Usage Guidelines |
|---|---|
| Generate a Template | Click Generate a Template to create a comma-separated value (CSV) template file. Update the template with the network device information in CSV format and save it locally. Then, use the edited template to import network devices into any Cisco ISE deployment. |
| File | Click Choose File to choose the CSV file that you have recently created, or previously exported from a Cisco ISE deployment. You can import network devices into another Cisco ISE deployment with new and updated network device information by using the Import option. |
| Overwrite Existing Data with New Data | Check the Overwrite Existing Data with New Data check box to replace the existing network devices with the devices in your import file. If you do not check this check box, new network device definitions that are available in the import file are added to the network device repository. Duplicate entries are ignored. |
| Stop Import on First Error | Check the Stop Import on First Error check box if you want Cisco ISE to discontinue the import when it encounters an error. Cisco ISE imports network devices until the time of the error. If this check box is not checked and an error is encountered, the error is reported and Cisco ISE continues to import the remaining devices. |
Add a Network Device in Cisco ISE
You can add a network device in Cisco ISE or use the default network device.
You can also add a network device in the Network Devices window.
Before you begin
Procedure
Step 1: Choose the navigation path to the Network Devices window.
Step 2: Click Add.
Step 3: Enter the corresponding values in the Name, Description, and IP Address fields.
Step 4: Choose the required values from the Device Profile, Model Name, Software Version, and Network Device Group drop-down lists.
Step 5: (Optional) Check the RADIUS Authentication Settings check box to configure the RADIUS protocol for authentication.
Step 6: (Optional) Check the TACACS Authentication Settings check box to configure the TACACS protocol for authentication.
Step 7: (Optional) Check the SNMP Settings check box to configure SNMP for the Cisco ISE profiling service to collect information from the network device.
Step 8: (Optional) Check the Advanced TrustSec Settings check box to configure a Cisco TrustSec-enabled device.
Step 9: Click Submit.
Import Network Devices into Cisco ISE
To enable Cisco ISE to communicate with network devices, you must add device definitions of the network devices in Cisco ISE. Import device definitions of network devices into Cisco ISE through the Network Devices window, which you open from the main menu.
Import a list of device definitions into a Cisco ISE node using a comma-separated value (CSV) file. A CSV template file is available when you click Import in the Network Devices window. Download this file, enter the required device definitions, and then upload the edited file through the Import window.
You cannot execute multiple imports of the same resource type at the same time. For example, you cannot concurrently import network devices from two different import files.
When you import a CSV file of device definitions, you can either create new records or update existing records by clicking the Overwrite Existing Data with New Data option.
Import templates may vary between Cisco ISE releases. Do not import CSV files of network devices that were exported from a different Cisco ISE release. Enter the details of the network devices in the CSV template file for your release, and import this file into Cisco ISE.
Note: You can import network devices with IP ranges in all the octets.
Procedure
Step 1: Choose the navigation path to the Network Devices window.
Step 2: Click Import.
Step 3: In the Import Network Devices window that is displayed, click Generate A Template to download a CSV template file. Add the required details to the file, and then import the edited file into Cisco ISE.
Step 4: Click Choose File to choose the CSV file from the system that is running the client browser.
Step 5: (Optional) Check the Overwrite Existing Data with New Data and Stop Import on First Error check boxes, as required.
Step 6: Click Import. After the file import is complete, Cisco ISE displays a summary message. This message includes the import status (successful or unsuccessful), the number of errors encountered, if any, and the total processing time taken for the file import.
Export Network Devices from Cisco ISE
Export the device definitions of the network devices that are available in a Cisco ISE node in the form of a CSV file. You can then import this CSV file into another Cisco ISE node so that the device definitions are available to the required Cisco ISE nodes.
Note: You can export network devices with IP ranges in all the octets.
Procedure
Step 1: Choose the navigation path to the Network Devices window.
Step 2: Click Export.
Step 3: Export the device definitions for the network devices added to the Cisco ISE node by performing one of the following actions.
Step 4: In both cases, a CSV file of device definitions downloads to your system.
Troubleshoot Network Device Configuration Issues
Procedure
Step 1: Choose the navigation path to the window.
Step 2: Enter the IP address of the network device that you want to evaluate in the Network Device IP field.
Step 3: Check the check boxes and click the radio buttons next to the configuration options that you want to compare against the recommended template.
Step 4: Click Run.
Step 5: In the Progress Details... area, click Click Here to Enter Credentials.
Step 6: In the Credentials Window dialog box, enter the connection parameters and credentials that are required to establish a connection with the network devices.
Step 7: Click Submit.
Step 8: (Optional) To cancel the workflow, click Click Here to Cancel the Running Workflow in the Progress Details... window.
Step 9: (Optional) Check the check boxes next to the interfaces that you want to analyze, and click Submit.
Step 10: (Optional) Click Show Results Summary for details of the configuration evaluation.
The Execute Network Device Command Diagnostic Tool
The Execute Network Device Command diagnostic tool allows you to run the show command on any network device.
The results that are displayed are the same as what you would see on a console. The tool enables you to identify problems, if any, in a device configuration.
Use this tool to validate the configuration of any network device, or if you want to know how a network device is configured.
To access the Execute Network Device Command diagnostic tool:

- Choose one of the available navigation paths to the tool.
- In the Execute Network Device Command window that is displayed, enter the IP address of the network device and the show command that you want to run in the corresponding fields.
- Click Run.