device administration with tacacs+ using ise...

Upload: nguyenque

Post on 17-Mar-2018


TRANSCRIPT

Page 1: Device Administration with TACACS+ using ISE 2d2zmdbbm9feqrf.cloudfront.net/2017/eur/pdf/BRKSEC-2344.pdf · Device Administration with TACACS+ using ISE 2.X Aaron T. Woland, ... •
Device Administration with TACACS+ using ISE 2.X

Aaron T. Woland, CCIE #20113, Principal Engineer, Security Business Group

BRKSEC-2344

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

You are in right place if your interest is…

Control and Visibility…

Of the Administration of the Devices that form the fabric of your network…

Using ISE with TACACS+.

Laughing and Enjoying a Session at Cisco Live

BRKSEC-2344 3

Aaron Woland, CCIE# 20113

Principal Engineer, Security Business Group

[email protected]

@AaronWoland

http://www.networkworld.com/blog/secure-network-access/

About Me

Live in North Carolina.

“the South”

Southerners Known for:

• Politeness

• Courtesy

• Manners

• BBQ

• Frying Everything!

About Me

But, I am from

New York

New Yorkers Known For:

• Speaking their Mind

• Being Blunt but Truthful

• Not known for our Manners

• Pizza & Bagels!!!!!!!

About Me

I am a Father…

Of 4 Daughters!

So... Nothing Scares me anymore!

Sarcasm

“If we can’t laugh at ourselves, then we cannot laugh at anything at all”

Disclaimer:

Please Fill Out The Survey!

Agenda v2

• Introduction – Why and What is Device Administration AAA

• Device Administration AAA in ISE

• Design Principles

• Components (Policy Elements, Policy Sets)

• NAD Types

• AAA Models

• Configuring the NADs

• Configuring Device Administration in ISE

• IOS / WLC / Nexus

• Proof is in the Pudding

• Migrating from ACS to ISE

• Final Questions?

Agenda

• Introduction

• Device Administration AAA in ISE 2.x

• Network Devices

• Configuring ISE for Device Administration

• The Proof is in the Puddin’

• Migrating from ACS to ISE

• Final Conclusions

Why Do Device Administration AAA?

• Centralized Control of Network Devices

• Ensure Network Devices remain correctly configured

• Who may do what actions to which devices, under which conditions

• Centralized Visibility of Those Actions

• Reliably record those actions

• Who accessed a network device and which commands did they execute?

• What configuration changes were made?

• When did this all occur?

• Compliance: SOX, HIPAA, PCI DSS

• Requires secure auditing and reporting of network configuration changes

AAA: a Key Security Concept

• Authentication, Authorization and Accounting (AAA)

• Authentication: who the user is

• Authorization: what they are allowed to do

• Accounting: recording what they have done

Authentication vs. Authorization

I’d like 40K from John Chambers’ Account

Do You Have Identification?

Yes, I Do. Here It Is.

Sorry, Aaron Woland is not Authorized for John Chambers’ Account

Two Main Types of AAA

Network Access AAA

Authentication Protocol: RADIUS

Common Authentication Protocols:

• PAP

• CHAP

• MS-CHAP

NAS / NAD = AAA Client

Device Administration

Terminal User → AAA Client (Telnet, SSH, Serial) → AAA Server

AAA Protocols

• 2 Main Protocols Designed for AAA:

• Remote Access Dial-in User Service (RADIUS)

• Terminal Access Controller Access-Control System (TACACS)

See if we can make this page more exciting??

Remote Access Dial-in User Service (RADIUS)

• IETF standard for AAA

• Most common AAA protocol for Network Access

• Why? Because IEEE 802.1X uses RADIUS

• 802.1X is used with the vast majority of secure Wi-Fi

• Note: CAN be used for Device Administration, but not as powerful as TACACS+ for that form of AAA

A long time ago in a development lab far,

far away…

Terminal Access Controller Access-Control System (TACACS)

AAA standard protocol designed for controlling access to UNIX terminals

Cisco enhanced it, created TACACS+ and published it as an open standard in the early 1990s

Mainly used for Device Administration

Can authenticate once and authorize many times

Perfect for command authorization

AuthZ results are sent for each attempt, not just ONCE with AuthC

AuthC Once + AuthZ Many

SSH to Network Device

AuthC (TACACS+ authentication):

START (authentication) – User trying to connect

REPLY (authentication) – request username

CONTINUE (authentication) – username

REPLY (authentication) – request password

CONTINUE (authentication) – password

REPLY (authentication) – Pass

Authentication is Complete

Shell AuthZ:

REQUEST (authorization) – service = shell

RESPONSE (authorization) – PASS_ADD

EXEC is Authorized

REQUEST (accounting) – START / RESPONSE – SUCCESS

Command AuthZ (# show run):

REQUEST (authorization) – service = command

RESPONSE (authorization) – PASS_ADD

Command is Authorized

REQUEST (accounting) – CONTINUE / RESPONSE – SUCCESS
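The exchange on this slide, as an added example that is not part of the deck: a toy Python client (the NAD) and server (standing in for ISE) play out the START/REPLY/CONTINUE authentication once, then one authorization REQUEST/RESPONSE per command, with an accounting record after each permitted command. The user, the command set and the commands are constructed sample data, and the packets are dicts rather than the TACACS+ wire format.

```python
"""Model of the slide's TACACS+ 'AuthC once, AuthZ many' exchange.

Added example, not code from the deck. A toy NAD (client) and a toy server
standing in for ISE exchange the packet types named on the slide (START,
REPLY, CONTINUE, REQUEST, RESPONSE). Packets are plain dicts, not the real
TACACS+ wire format; user, command set and commands are constructed.
"""
import re

# Constructed sample data.
USERS = {"netops1": "S3cret!"}
# Constructed command set: ordered rules, first match wins, a command that
# matches no rule is denied (a simplification of the ISE command-set editor).
COMMAND_SET = [
    ("deny", r"show running-config\b.*"),
    ("permit", r"show .*"),
    ("permit", r"configure terminal"),
    ("permit", r"interface .*"),
    ("permit", r"description .*"),
]


class ToyTacacsServer:
    """Answers one authentication and any number of authorization requests."""

    def __init__(self, users, command_set):
        self.users = users
        self.command_set = command_set
        self.sessions = {}      # session id -> {"stage": ..., "user": ...}
        self.accounting = []    # (flag, command) records in arrival order

    def authenticate(self, pkt):
        """START opens the dialogue; two CONTINUEs carry username and password."""
        state = self.sessions.setdefault(pkt["session"], {"stage": "user"})
        if pkt["type"] == "START":
            return {"type": "REPLY", "status": "GETUSER"}
        if state["stage"] == "user":
            state["user"], state["stage"] = pkt["data"], "pass"
            return {"type": "REPLY", "status": "GETPASS"}
        ok = self.users.get(state["user"]) == pkt["data"]
        state["stage"] = "done" if ok else "failed"
        return {"type": "REPLY", "status": "PASS" if ok else "FAIL"}

    def authorize(self, pkt):
        """One RESPONSE per REQUEST: the shell (EXEC) first, then every command."""
        state = self.sessions.get(pkt["session"], {})
        if state.get("stage") != "done":        # AuthZ only after a passed AuthC
            return {"type": "RESPONSE", "status": "FAIL"}
        if "cmd" not in pkt:                     # service=shell: EXEC authorization
            return {"type": "RESPONSE", "status": "PASS_ADD", "priv-lvl": 15}
        for action, pattern in self.command_set:
            if re.fullmatch(pattern, pkt["cmd"]):
                return {"type": "RESPONSE",
                        "status": "PASS_ADD" if action == "permit" else "FAIL"}
        return {"type": "RESPONSE", "status": "FAIL"}

    def account(self, pkt):
        """Accounting records are kept as received; the NAD gets SUCCESS back."""
        self.accounting.append((pkt["flag"], pkt.get("cmd")))
        return {"type": "RESPONSE", "status": "SUCCESS"}


def admin_session(server, username, password, commands, session="s1"):
    """Play the slide's exchange for one SSH session; returns the transcript."""
    transcript = []

    def send(handler, pkt):
        pkt["session"] = session
        reply = handler(pkt)
        # Only packet type, command/flag and status are recorded, never credentials.
        transcript.append((pkt["type"], pkt.get("cmd", pkt.get("flag", "")),
                           reply["status"]))
        return reply

    # Authentication happens exactly once per session.
    send(server.authenticate, {"type": "START"})
    send(server.authenticate, {"type": "CONTINUE", "data": username})
    reply = send(server.authenticate, {"type": "CONTINUE", "data": password})
    if reply["status"] != "PASS":
        return transcript
    # Shell authorization, then the accounting START for the EXEC session.
    send(server.authorize, {"type": "REQUEST", "service": "shell"})
    send(server.account, {"type": "REQUEST", "flag": "START"})
    # Every command is its own authorization round trip; accounting follows
    # each command that was permitted.
    for cmd in commands:
        reply = send(server.authorize, {"type": "REQUEST", "service": "shell", "cmd": cmd})
        if reply["status"] == "PASS_ADD":
            send(server.account, {"type": "REQUEST", "flag": "CONTINUE", "cmd": cmd})
    send(server.account, {"type": "REQUEST", "flag": "STOP"})
    return transcript


def command_results(transcript):
    """Map each command sent for authorization to its RESPONSE status."""
    return {label: status for ptype, label, status in transcript
            if ptype == "REQUEST" and label and status != "SUCCESS"}
```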

Agenda

• Introduction

• Device Administration AAA in ISE 2.x

• Components (Policy Elements, Policy Sets)

• Design Principles

• Network Devices

• Configuring ISE for Device Administration

• The Proof is in the Puddin’

• Migrating from ACS to ISE

• Final Conclusions

Device Administration AAA in ISE

TACACS+ is in ISE

So where do we begin?...

Introducing the ISE Device Administration Work Center

Order of Operations: Left to Right on the Menu Bar

Overview: T+ Live Log

Overview: Deployment (ISE 2.2+)

ISE Deployment Node Configuration (OLD WAY)

• Policy Service Node for Protocol Processing

• Session Services (e.g. Network Access/RADIUS): On by default

• Device Admin Service (e.g. TACACS+): MUST BE ENABLED FOR DEVICE ADMINISTRATION!!

Identities: Internal Users – External Password Management

• Separate Enable Password: can be defined if the user is to be allowed privileged access after login

• Internal Users may leverage AD for passwords

• Random secure passwords

Identities: Internal Users

• Reality of Internal Identities:

• Allows ISE Admin to Control Group Membership

• Can Leverage External DB for Password Management

• Provides a 2nd Level of Authentication if

• In my Experience, Not used too Often Anymore

• Everyone just leverages their AD / LDAP single-source-of-truth

• Saves the double maintenance and duplication of effort

Identities: External IDs (More Commonly Used)

Same List of Sources as Network Access

Separate Enable Password: can be defined if the user is to be allowed privileged access after login

Identities: External IDs (More Commonly Used)

• Reality of External Identities:

• Way more common in today’s enterprise

• Identity Source Sequences can be Used

• Active Directory Connector is VERY powerful

• Can Query over 2,000 AD Domains

• Multi-Forest Support (up to 50 Join Points)

• See BRKSEC-2132 @ CiscoLive.com for more on Active Directory

• One Time Password (OTP) Servers

• 2-factor Authentication for very Secure Environments

For More on Identities

• BRKSEC-2059 – Deploying ISE in a Dynamic Public Environment

• BRKSEC-3699 – Designing ISE for Scale & High Availability

• Online Recorded Sessions:

• BRKSEC-2132 – What’s new in ISE Active Directory Connector

• BRKSEC-2695 - Building Enterprise Access Control Architecture using ISE & TrustSec

NADs: Network Device Groups (NDG)

Build a Detailed Hierarchy to make Policy Sets and Rule Creation More Powerful

NADs: Network Devices

TACACS+ Shared Secret

Single Connect Mode

Retire the Secret: Accept Old and New Secret for a Configured Time Period

Policy Elements: Authorization Results

TACACS Profiles (AKA: Shell Profiles)

Different Types

Assigned Level

Policy Elements: Authorization Results

Command Sets: Lists of Commands to Permit / Deny

We Will Dive into These Elements more in the Config Section

Policy Sets

Policy Set: Ordered List – Provides both Management AND Execution order

Condition For Policy Set: How the Policy Set is engaged

Policy Sets

Policy Set Summary View: Provides Overview of Execution Conditions

ISE Authentication Processing

Are you who you say you are?

Policy Set Selection → Authentication Policy Evaluation → Determine Authentication Protocols → Select Identity Store → Validate Credentials → Evaluate Enable Authorization

Authentication in the Policy Set (Authentication Policy Area)

Policy Set Authentication Results

Allowed Protocols

Identity Source

ISE Authorization Processing

Policy Set Selection → Identity Selection → Authorization Policy Evaluation → Evaluation (Command Set or Profile) → Reply

Device Administration Authorization in ISE (Authorization Policy Area)

Best Practices for Policy Sets: Organization

• Optimal Size Mix for Policy Set breakdown in ISE 2.0:

• 6-10 Policy Sets

• 60-100 rules

• Divide Complete Policy into robust Silos representing Use Cases

• e.g. By Device Type

• By Region

Example Policy

Helpdesk SuperuserSuperuser Admin

US EMEA

Device\Identity US Helpdesk EMEA Helpdesk US Superuser EMEA Superuser

Device: US Helpdesk Superuser Helpdesk

Device:EMEA Helpdesk Helpdesk Superuser
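An added example, not ISE code, of the ordered first-match evaluation the preceding slides describe: the first policy set whose condition holds is selected by protocol and network device group, it supplies the allowed protocols and identity source, and its authorization rules are walked top to bottom with a catch-all at the end. The regions, identity groups, rule outcomes and profile names are constructed in the spirit of the US/EMEA helpdesk/superuser matrix, not a transcription of it.

```python
"""First-match evaluation of ISE-style policy sets for device administration.

Added example, not ISE's own engine. It models the ordered-list behaviour the
slides describe: the first policy set whose condition holds is selected, it
supplies allowed protocols and the identity source, and its authorization
rules are walked top to bottom until one matches, with a catch-all last. The
NDG attributes, identity groups and rules are constructed in the spirit of the
US/EMEA helpdesk/superuser example, not a transcription of the slide's table.
"""
from dataclasses import dataclass
from typing import Callable


@dataclass
class Request:
    protocol: str       # "TACACS" or "RADIUS"
    ndg: dict           # network device group attributes, e.g. {"Region": "US"}
    user: str
    groups: tuple       # identity groups the user belongs to (constructed names)


@dataclass
class Rule:
    name: str
    condition: Callable[[Request], bool]
    result: dict        # shell profile and command set handed back to the NAD


@dataclass
class PolicySet:
    name: str
    condition: Callable[[Request], bool]
    allowed_protocols: str
    identity_source: str
    authorization: list  # ordered Rules; the last one is the catch-all


def first_match(items, request):
    """Ordered-list semantics: the first item whose condition holds wins."""
    for item in items:
        if item.condition(request):
            return item
    return None


def member(group):
    return lambda r: group in r.groups


def build_policy():
    """Constructed policy: one set per region, then a deny-everything default."""
    def region_set(region):
        return PolicySet(
            name=f"{region} Devices",
            condition=lambda r: r.protocol == "TACACS" and r.ndg.get("Region") == region,
            allowed_protocols="Default Device Admin",
            identity_source="AD1",
            authorization=[
                Rule(f"{region} Superuser", member(f"{region} Superuser"),
                     {"profile": "Superuser", "command_set": "PermitAllCommands"}),
                # Superusers from the other region only get helpdesk rights here.
                Rule("Visiting Superuser",
                     lambda r: any(g.endswith("Superuser") for g in r.groups),
                     {"profile": "Helpdesk", "command_set": "ShowCommands"}),
                Rule(f"{region} Helpdesk", member(f"{region} Helpdesk"),
                     {"profile": "Helpdesk", "command_set": "ShowCommands"}),
                Rule("Default", lambda r: True, {"profile": "DenyAccess"}),
            ])
    default = PolicySet("Default", lambda r: True, "Default Device Admin",
                        "Internal Users",
                        [Rule("Default", lambda r: True, {"profile": "DenyAccess"})])
    return [region_set("US"), region_set("EMEA"), default]


def evaluate(policy_sets, request):
    """Policy set selection, then authorization rule evaluation, then the reply."""
    policy_set = first_match(policy_sets, request)
    rule = first_match(policy_set.authorization, request)
    return {"policy_set": policy_set.name,
            "allowed_protocols": policy_set.allowed_protocols,
            "identity_source": policy_set.identity_source,
            "rule": rule.name, **rule.result}
```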

Design Principles

See BRKSEC-3699 – Designing ISE for Scale & High Availability

Deployment Considerations

• Should we dedicate an ISE Policy Service Node (PSN) to TACACS+?

• How many PSNs should we dedicate to TACACS+?

• Should we dedicate a deployment to TACACS+?

• i.e. a separate PAN + MnT

Options for Deploying Device Admin

Priorities – according to policy:

Priority | Separate Deployment | Separate PSN Mode | Mixed PSN Mode

Separation of Configuration – Yes: Specialization for TACACS+ | ✔ | | 

Separation of Configuration – No: Avoid Duplication of Shared Items, Avoid cost of duplicate PAN/PSN | | ✔ | ✔

Separation of Logging Store – Yes: Optimize Log Retention VM | ✔ | | 

Separation of Logging Store – No: Centralized Monitoring | | ✔ | ✔

Independent Scaling of Services – Yes: Scale as Needed, Avoid NAC/Device Admin Load | ✔ | ✔ | 

Independent Scaling of Services – No: Avoid underutilized PSNs | | | ✔

[Diagram labels under the three columns: TACACS and RADIUS on separate deployments; RADIUS PSNs and TACACS PSNs in one deployment; TACACS/RADIUS on the same PSNs]

Large Deployments: Separate Cubes

[Diagram: Terminal User → PSN (VIP1) in ISE Cube 1 (PAN, MnT); Network User → PSN (VIP2) in ISE Cube 2 (PAN, MnT); the Network Device sits between the two cubes]

Medium Deployments: Separate Cubes

[Diagram: Single ISE Cube (PAN, MnT); Terminal User → PSN (VIP1); Network User → PSN (VIP2); one Network Device]

Small Deployments: Separate Cubes

[Diagram: Single ISE Cube (PAN, MnT); Terminal User and Network User → PSN (VIP1) / PSN (VIP2); one Network Device]

Why does Aaron Prefer Separate Cubes?

Logging Capacity

• In the Large scale appliance (3595), 320GB is allocated to TACACS+ logs

• Capacity requirements are variable… Assuming:

• 4K log for Authentication/Session, 3K log for Command Authorization/Session

• Each admin has 40 Sessions/day, with 25 commands per session…

Example Calculation of Days of Capacity (see BRKSEC-3699):

Admins \ Disk Size | 320 GB | 1024 GB | 2048 GB

20 | 1062 | 3398 | 6796

50 | 425 | 1360 | 2719

250 | 85 | 272 | 544

The Network Devices

Network Devices do AAA Differently

• Cisco IOS – The Ultimate in Flexibility

• 16 Privilege Levels (0-15)

• A User Authorized to a level of privilege can execute all commands at that level

• Authorization into the Shell

• Authorization per-command

• Cisco WLC – Nice and Easy

• Assigns a “role” to a User

• Role = Which Menus they get Write Access to.

• Cisco Nexus – Blended

• Users Authorized to a Role

• Role = List of Features and Commands Available to User

Cisco IOS

The AAA Method List

aaa type { default | list-name } method-1 [method-2 method-3 method-4]

• type: Authentication, Authorization or Accounting

• default: will affect all things that use the aaa type if you don’t specify otherwise

• list-name: creates a Custom Method List; the name should mean something to you

• Methods in Order: [group radius | group tacacs+ | local-case | local | enable | none]

Configuring IOS for TACACS+ authentication

• Device configuration for TACACS+ is vendor/product specific

• Example for IOS

! Required for TACACS+ aaa
aaa new-model
!
! TACACS+ server definition
tacacs server ISE-PRIMARY
 address ipv4 10.56.122.51
 key th3k3yu5ed
!
aaa group server tacacs+ ISE-GROUP
 server name ISE-PRIMARY
!
! Authentication control: ISE first, local fallback for login; enable via ISE, then the local enable secret
aaa authentication login VTY group ISE-GROUP local
aaa authentication enable default group ISE-GROUP enable
!
line vty 0 4
 login authentication VTY

Configuring IOS for TACACS+ authorization

• Device configuration for TACACS+ is vendor/product specific

• Example for IOS

! Enable Session (EXEC) Authorization; the server group name is case-sensitive and must match ISE-GROUP above
aaa authorization exec VTY group ISE-GROUP local
!
! Enable Command Authorization (config-commands sends configuration-mode commands to ISE as well)
aaa authorization config-commands
aaa authorization commands 0 VTY group ISE-GROUP local
aaa authorization commands 1 VTY group ISE-GROUP local
aaa authorization commands 15 VTY group ISE-GROUP local
!
line vty 0 4
 authorization exec VTY
 authorization commands 0 VTY
 authorization commands 1 VTY
 authorization commands 15 VTY

Configuring IOS for TACACS+ accounting

• Device configuration for TACACS+ is vendor/product specific

• Example for IOS

! Accounting of EXEC sessions (start/stop) and of level 1 and level 15 commands
aaa accounting exec default start-stop group ISE-GROUP
aaa accounting commands 1 default start-stop group ISE-GROUP
aaa accounting commands 15 default start-stop group ISE-GROUP
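A consistency check over an IOS AAA configuration like the one on these three slides, as an added example (not Cisco tooling or the deck's own): it verifies that every `group` method names a defined server group (names are case-sensitive), that each reference under `line vty` points at an existing method list, that authentication and authorization lists keep a local fallback, and that every command level sent for authorization is also accounted for. SAMPLE_CONFIG is constructed and deliberately carries a lower-case `ise-group` and no level-0 accounting so that both findings are reported.

```python
"""Consistency checks for an IOS TACACS+ AAA configuration like the deck's.

Added example, not from the deck. SAMPLE_CONFIG is a constructed snippet
modelled on the three IOS slides; it keeps a lower-case "ise-group" on the
exec authorization line and has no accounting for command level 0, so that
both findings show up when it is checked.
"""
import re

SAMPLE_CONFIG = """\
aaa new-model
tacacs server ISE-PRIMARY
 address ipv4 10.56.122.51
 key th3k3yu5ed
aaa group server tacacs+ ISE-GROUP
 server name ISE-PRIMARY
aaa authentication login VTY group ISE-GROUP local
aaa authentication enable default group ISE-GROUP enable
aaa authorization exec VTY group ise-group local
aaa authorization config-commands
aaa authorization commands 0 VTY group ISE-GROUP local
aaa authorization commands 1 VTY group ISE-GROUP local
aaa authorization commands 15 VTY group ISE-GROUP local
aaa accounting exec default start-stop group ISE-GROUP
aaa accounting commands 1 default start-stop group ISE-GROUP
aaa accounting commands 15 default start-stop group ISE-GROUP
line vty 0 4
 login authentication VTY
 authorization exec VTY
 authorization commands 0 VTY
 authorization commands 1 VTY
 authorization commands 15 VTY
"""

# "aaa <kind> <list-name> <methods...>" for the method-list commands on the slides.
METHOD_LIST = re.compile(
    r"^aaa (authentication login|authentication enable|authorization exec|"
    r"authorization commands \d+|accounting exec|accounting commands \d+) "
    r"(\S+) (.+)$")
# Method-list references allowed under "line vty".
VTY_REF = re.compile(r"^(login authentication|authorization exec|"
                     r"authorization commands \d+) (\S+)$")
# The line keyword "login authentication" refers to a global "aaa authentication login" list.
VTY_KIND = {"login authentication": "authentication login"}


def parse(config):
    """Return (aaa new-model present, server groups, method lists, vty references)."""
    new_model, groups, lists, vty_refs, in_vty = False, set(), {}, [], False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "aaa new-model":
            new_model = True
        elif line.startswith("aaa group server tacacs+ "):
            groups.add(line.split()[-1])
        elif m := METHOD_LIST.match(line):
            kind, name, methods = m.groups()
            lists[(kind, name)] = methods.split()
        elif line.startswith("line "):
            in_vty = line.startswith("line vty")
        elif in_vty and (m := VTY_REF.match(line)):
            ref, name = m.groups()
            vty_refs.append((VTY_KIND.get(ref, ref), name))
    return new_model, groups, lists, vty_refs


def check(config):
    """Return a list of findings; an empty list means the config is consistent."""
    new_model, groups, lists, vty_refs = parse(config)
    findings = []
    if not new_model:
        findings.append("aaa new-model missing: the AAA method lists are not active")
    for (kind, name), methods in lists.items():
        # Server-group names are case-sensitive: "group X" must name a defined group.
        for i, method in enumerate(methods[:-1]):
            if method == "group" and methods[i + 1] not in groups:
                findings.append(f"{kind} {name}: server group {methods[i + 1]} is not defined")
        # Authentication/authorization lists need a fallback for when ISE is unreachable.
        if not kind.startswith("accounting") and not {"local", "local-case", "enable"} & set(methods):
            findings.append(f"{kind} {name}: no local fallback if TACACS+ is unreachable")
    for kind, name in vty_refs:
        if (kind, name) not in lists:
            findings.append(f"line vty references undefined {kind} list {name}")
    # Every privilege level that is authorized should also be accounted for.
    for kind, name in lists:
        if kind.startswith("authorization commands"):
            level = kind.split()[-1]
            if not any(k == f"accounting commands {level}" for k, _ in lists):
                findings.append(f"commands level {level}: authorized but not accounted")
    return findings
```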

Cisco WLC


Configuring WLC for TACACS+ AAA

Authentication order: T+ first, with fallback to Local if T+ is non-responsive.


Configuring ISE


The User Account & Group Types

Users | Groups | Description
NetAdmin1, NetAdmin2 | NetAdmin | Network Administrators – Get full Access to Everything Possible
NetOps1, NetOps2 | NetOps | Network Operators – Access, but Limited to what Changes can be Made
SecAdmin1, SecAdmin2 | SecAdmin | Security Administrators – Read-only to absolutely everything, including configurations.
Helpdesk1, Helpdesk2 | Helpdesk | Helpdesk Personnel – Read-only to all show commands, not including show-run. No changes permitted at all.
Employee1, Employee2 | Employees | Any other Employee – No access to Shell or UI.


Cisco IOS Device Admin Results


TACACS Profile – NetAdmin (IOS)

IOS Privilege Level: Default = Assigned at Login; Max = Limit with “enable” command

Task Type: Specific for the Device. A nice UI feature, to provide a specific UI per device type

Idle Time: For High-Powered Access, limit the session time when there is no activity


TACACS Profile – NetOps (IOS)

IOS Privilege Level: Default = Assigned at Login; Max = Limit with “enable” command. Allows privilege escalation when necessary.


TACACS Profile – SecAdmin (IOS)

IOS Privilege Level: SecAdmin will be limited by Command Set instead of Privilege

Idle Time: For High-Powered Access, limit the session time when there is no activity

Timer (absolute time): Because you want to mess with them.


TACACS Profile – Helpdesk (IOS)

IOS Privilege Level: Will get all Priv 1 commands, and any specially moved to Priv 2 only.


Command Set – NetAdmin (IOS)

Permit all Commands: Since nothing is listed below, all commands will be permitted.


Command Set – NetOps (IOS)

Permit all Commands: Anything not listed below will be allowed

DENY_ALWAYS: Shutdown and Reload will never be permitted, even when stacking permissions. If DENY were used instead of DENY_ALWAYS, then Permit wins in a Stack.


Command Set – SecAdmin (IOS)

Permit all Commands: Anything besides configure will be permitted

DENY_ALWAYS: Configure will never be allowed for Security Admins. All other commands will work.


Command Set – Helpdesk (IOS)

Deny All Commands: Except what is listed below

PERMIT: Allow all show commands for the privilege level.
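The evaluation rules behind the four IOS command sets above (NetAdmin, NetOps, SecAdmin and Helpdesk), including the stacking note on the NetOps slide, can be modelled in a few lines. The Python below is an added example for this write-up, not code from the session or from ISE. It assumes a simplified precedence model inferred from the slides: a DENY_ALWAYS match anywhere in the stack denies, otherwise a PERMIT beats a plain DENY, and a set's "permit any command not listed" option counts as a PERMIT when none of its rules match. The NoClear set is constructed only to show a plain DENY losing to a PERMIT; it is not one of the slide's sets.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Grant types as they appear on the ISE command-set screens in the slides.
PERMIT = "PERMIT"
DENY = "DENY"
DENY_ALWAYS = "DENY_ALWAYS"


@dataclass
class Rule:
    grant: str
    command: str          # first word of the command line, e.g. "show"
    arguments: str = ""   # regex tested against the rest of the line; "" matches any


@dataclass
class CommandSet:
    name: str
    permit_unmatched: bool            # the "Permit any command that is not listed below" option
    rules: List[Rule] = field(default_factory=list)


def evaluate(stack: List[CommandSet], line: str) -> Tuple[str, str]:
    """Authorise one command line against a stack of command sets.

    Assumed precedence, inferred from the slides (not ISE's own code):
      1. a DENY_ALWAYS match in any set denies the command outright;
      2. otherwise a PERMIT match, or an unlisted command in a set with
         permit_unmatched, permits it (so PERMIT beats a plain DENY);
      3. otherwise the command is denied.
    Returns (verdict, reason) so the reason can be logged with the decision.
    """
    cmd, _, args = line.strip().partition(" ")
    permit_reason: Optional[str] = None
    deny_reason: Optional[str] = None
    for cs in stack:
        matched = False
        for rule in cs.rules:
            if rule.command != cmd:
                continue
            if rule.arguments and not re.search(rule.arguments, args):
                continue
            matched = True
            if rule.grant == DENY_ALWAYS:
                return DENY, f"{cs.name}: DENY_ALWAYS on '{rule.command}'"
            if rule.grant == PERMIT and permit_reason is None:
                permit_reason = f"{cs.name}: PERMIT on '{rule.command}'"
            if rule.grant == DENY and deny_reason is None:
                deny_reason = f"{cs.name}: DENY on '{rule.command}'"
        if not matched and cs.permit_unmatched and permit_reason is None:
            permit_reason = f"{cs.name}: unlisted command permitted"
    if permit_reason:
        return PERMIT, permit_reason
    return DENY, deny_reason or "no command set permits this command"


# The four command sets described on the slides.
NETADMIN = CommandSet("NetAdmin", permit_unmatched=True)
NETOPS = CommandSet("NetOps", permit_unmatched=True,
                    rules=[Rule(DENY_ALWAYS, "shutdown"), Rule(DENY_ALWAYS, "reload")])
SECADMIN = CommandSet("SecAdmin", permit_unmatched=True,
                      rules=[Rule(DENY_ALWAYS, "configure")])
HELPDESK = CommandSet("Helpdesk", permit_unmatched=False,
                      rules=[Rule(PERMIT, "show")])

# Constructed for the stacking demonstration only; not one of the slide's sets.
NO_CLEAR = CommandSet("NoClear (constructed)", permit_unmatched=False,
                      rules=[Rule(DENY, "clear")])


def demo() -> List[Tuple[str, str, str]]:
    """Run the cases that illustrate each rule; returns (sets, command, verdict)."""
    cases = [
        ([NETOPS], "reload"),                          # DENY_ALWAYS
        ([NETOPS], "configure terminal"),              # unlisted, permitted
        ([SECADMIN], "configure terminal"),            # DENY_ALWAYS
        ([HELPDESK], "show ip interface brief"),       # explicit PERMIT
        ([HELPDESK], "clear counters"),                # nothing permits it
        ([NETADMIN, SECADMIN], "configure terminal"),  # DENY_ALWAYS wins in a stack
        ([NETADMIN, NO_CLEAR], "clear counters"),      # plain DENY loses to PERMIT in a stack
    ]
    return [("+".join(cs.name for cs in stack), line, evaluate(stack, line)[0])
            for stack, line in cases]


if __name__ == "__main__":
    for sets, line, verdict in demo():
        print(f"{verdict:6} {line!r:32} [{sets}]")
```

Note that the Helpdesk exclusion of show run in the slides is enforced by the IOS privilege level (the `privilege exec level 7 show running-config` line shown later in the deck), so at privilege 1 the command never reaches TACACS+ authorization; the same control can be carried centrally in the command set with a rule on `show` whose arguments match `running-config`.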


Cisco WLC Device Admin Results


TACACS Profiles for the WLC

• No command sets for WLC. It is role based, with its Menus.


TACACS Profile – NetAdmin (WLC)

All Menus: Full Access to the WLC


TACACS Profile – SecAdmin (WLC)

WLAN & Security: Read/Write to WLAN, Read/Write to Security, Read-Only to everything else


TACACS Profile – Helpdesk (WLC)

Monitor: Read-Only to Entire UI


TACACS Profile – Employees (WLC)

Lobby: Special role that does not give access to the WLC UI, only to a Guest Management UI


Proof is in the Puddin’


Login to an IOS Device

Username:secadmin1
Password:
3750-X# show privilege
Current privilege level is 15
3750-X# show run
Building configuration...
<SNIP>
3750-X#config t
Command authorization failed.

Username:netops1
Password:
3750-X# show priv
Current privilege level is 7
3750-X# conf t
^
% Invalid input detected at '^' marker.
3750-X# show run
Building configuration...
Current configuration : 3191 bytes

This is how:
3750-X#show run | i priv
privilege configure all level 6 interface
privilege configure level 6 authentication
privilege exec level 7 show running-config


Device Admin Live Log

Live Log entries shown (screenshot callouts): Exec AuthZ, Authentication, Command AuthZ


TACACS+ Command Accounting

• ISE Accounting Report records all commands

• Purpose is to audit and fault find device configuration

• Comprehensive and flexible searching for commands: who, what, when, where
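Who ran what, when and where is the question a command-accounting search answers. The Python below is an added example, not ISE's report engine or its log format: it parses constructed accounting records built from the TACACS+ accounting attribute names (task_id, start_time, service, priv-lvl, cmd, as defined in RFC 8907) with user and device fields added, and answers those four questions over them. The "<cr>" suffix on cmd and the set of commands treated as read-only are assumptions made for the example.

```python
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed records, not real ISE output. Attribute names follow the TACACS+
# accounting AV pairs (RFC 8907); user and device are what a server logs alongside.
# The "<cr>" suffix mirrors how IOS terminates the cmd attribute (assumption).
SAMPLE_RECORDS = [
    "user=netops1 device=3750-X task_id=101 start_time=1489766400 service=shell priv-lvl=7 cmd=show running-config <cr>",
    "user=netadmin1 device=3750-X task_id=102 start_time=1489766460 service=shell priv-lvl=15 cmd=configure terminal <cr>",
    "user=netadmin1 device=3750-X task_id=103 start_time=1489766470 service=shell priv-lvl=15 cmd=interface GigabitEthernet1/0/1 <cr>",
    "user=netadmin1 device=3750-X task_id=104 start_time=1489766480 service=shell priv-lvl=15 cmd=shutdown <cr>",
    "user=secadmin1 device=CORE-1 task_id=105 start_time=1489766500 service=shell priv-lvl=15 cmd=show running-config <cr>",
    "user=helpdesk1 device=CORE-1 task_id=106 start_time=1489766520 service=shell priv-lvl=1 cmd=show interfaces status <cr>",
]

# Commands treated as read-only by the change audit (assumption for this example).
READ_ONLY_COMMANDS = {"show", "ping", "traceroute"}


def utc(epoch: int) -> datetime:
    """Turn the epoch-seconds start_time the device sent into an aware UTC datetime."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc)


def parse_record(line: str) -> Dict[str, object]:
    """Parse 'key=value key=value ... cmd=<rest of line>'.

    cmd is the last attribute and may itself contain spaces, so parsing stops
    there and takes the remainder of the line (minus "<cr>") as its value.
    """
    rec: Dict[str, object] = {}
    rest = line.strip()
    while rest:
        key, _, rest = rest.partition("=")
        if key == "cmd":
            rec["cmd"] = rest.replace("<cr>", "").strip()
            break
        value, _, rest = rest.partition(" ")
        rec[key] = value
    rec["when"] = utc(int(str(rec["start_time"])))
    return rec


def search(records: List[Dict[str, object]], user: Optional[str] = None,
           device: Optional[str] = None, cmd_prefix: Optional[str] = None,
           since: Optional[datetime] = None) -> List[Dict[str, object]]:
    """Filter on who (user), where (device), what (command prefix) and when (since)."""
    hits = []
    for rec in records:
        if user is not None and rec["user"] != user:
            continue
        if device is not None and rec["device"] != device:
            continue
        if cmd_prefix is not None and not str(rec["cmd"]).startswith(cmd_prefix):
            continue
        if since is not None and rec["when"] < since:  # type: ignore[operator]
            continue
        hits.append(rec)
    return hits


def config_changes(records: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Records whose command is not read-only: the ones that may have changed the device."""
    return [r for r in records if str(r["cmd"]).split()[0] not in READ_ONLY_COMMANDS]


def changes_per_user(records: List[Dict[str, object]]) -> Counter:
    """Count of potentially state-changing commands per user, for the audit summary."""
    return Counter(str(r["user"]) for r in config_changes(records))


if __name__ == "__main__":
    recs = [parse_record(line) for line in SAMPLE_RECORDS]
    for r in config_changes(recs):
        print(f"{r['when']:%Y-%m-%d %H:%M:%S} {str(r['user']):<10} {str(r['device']):<8} "
              f"priv {str(r['priv-lvl']):>2}  {r['cmd']}")
    print(changes_per_user(recs))
```

A real deployment reads these records from the ISE accounting report or its syslog export rather than from an inline list, but the search and the change filter are the same; the read-only list is the part to tune per platform.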


TACACS+ AAA Authentication Reporting

• ISE Authentication Reporting records all passed and failed authentication attempts

• Purpose is to audit and fault find device – ISE interactions


Login to a WLC Device


Backup Slides: Device Admin


Migration from ACS


Comparing ISE to ACS 5

• Core TACACS+ Protocol engine is shared with ACS 5

• However: ISE is not ACS…

• Different management system (RBAC, GUI etc)

• Different policy system and GUI

• Different internal identity store

• “Parity” can be subtle…


Example Parity Issue: ACS 4 vs 5 custom Attributes (screenshots: ACS 4 and ACS 5)


Using the Migration tool

Migrate to the correct version of ACS
  • ACS 5.5 or ACS 5.6
  • Back up ISE

Download the tool from ISE
  • Link provided in the Device Administration work center

Enable the migration interface in ACS/ISE
  • ACS: acs config-web-interface migration enable
  • ISE: application configure ise / option 11

If you are migrating to ISE with configuration: Back up ISE
  • Save Certificates (Export including Private Keys)
  • Back up ISE Configuration
  • Back up System Logs
  • Obtain AD credentials to rejoin if needed.


Using the Migration tool

Run Export -> Report -> Issues Found: Update ACS -> Run Export again

Run Import -> Report -> Issues Found: Update ACS -> Run Import again


ACS 5 to ISE Migration: Identity

• Internal Users Issues
  • Parity Gap
  • Password Type
  • Password Change Next Login + Lifetime
  • Naming Constraints: More illegal chars in ISE

• External Identity Stores
  • Migrate cleanly (As always, check names)


ACS 5 to ISE Migration: Network Devices/NDGs

• Network Device migration caveats for ISE 2.0:
  • IP Ranges not supported in ISE
  • Exclusions supported by “overlapping IPs”
  • IPv4 only
  • Default Device must have RADIUS enabled

• Reconciliation flow for Migration Tool
  • If Device does not exist in ISE (defined by no overlap of IP configuration), then add it
  • If Device does exist (IP/subnet exactly matches and name exactly matches), then update details to add TACACS+ elements
  • If only an approximate match (name matches exactly, or IP/subnet matches exactly, but not both), then generate an error report
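The reconciliation flow above is a small decision procedure, and writing it out makes the edge cases visible before a migration run. The Python below is an added example, not the Migration Tool's code: it applies the three rules from the slide to constructed device records, rejects IP ranges and IPv6 definitions (the ISE 2.0 caveats listed above) and reports an IP overlap that matches neither name nor subnet exactly as an error, which the slide does not spell out and is an assumption here.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed device records, not the Migration Tool's data model.
# "ips" holds the IP/subnet strings each device is defined with.
ISE_DEVICES = [
    {"name": "3750-X", "ips": ["10.56.122.10/32"]},
    {"name": "CORE-1", "ips": ["10.56.0.0/24"]},
]


def networks(device: Dict) -> List[ipaddress.IPv4Network]:
    """Parse a device's IP definitions, rejecting what ISE 2.0 cannot hold."""
    nets = []
    for ip in device["ips"]:
        if "-" in ip:
            raise ValueError(f"IP range '{ip}' is not supported in ISE")
        net = ipaddress.ip_network(ip, strict=False)
        if net.version != 4:
            raise ValueError(f"'{ip}' is not IPv4; device definitions are IPv4 only")
        nets.append(net)
    return nets


def reconcile(acs_device: Dict, ise_devices: List[Dict]) -> Tuple[str, str]:
    """Classify one ACS device as add / update / error, following the slide's flow.

    Order of checks: exact match (name and IP/subnet) -> update; a match on
    only one of the two -> error; no IP overlap at all -> add. An IP overlap
    without either exact match is not covered by the slide and is reported
    as an error here (assumption).
    """
    try:
        acs_nets = set(networks(acs_device))
    except ValueError as exc:
        return "error", str(exc)

    same_name = [d for d in ise_devices if d["name"] == acs_device["name"]]
    same_ip = [d for d in ise_devices if set(networks(d)) == acs_nets]
    exact = [d for d in same_name if d in same_ip]
    if exact:
        return "update", f"'{exact[0]['name']}' exists in ISE; adding TACACS+ details"
    if same_name:
        return "error", f"name '{acs_device['name']}' already used by a device with different IPs"
    if same_ip:
        return "error", f"IP/subnet already used by '{same_ip[0]['name']}' under a different name"
    overlapping = [d["name"] for d in ise_devices
                   if any(a.overlaps(b) for a in acs_nets for b in networks(d))]
    if overlapping:
        return "error", f"IP configuration overlaps {overlapping} without an exact match"
    return "add", "no overlapping IP configuration in ISE"


def plan(acs_devices: List[Dict], ise_devices: List[Dict]) -> Dict[str, Tuple[str, str]]:
    """One verdict per ACS device: the report the tool produces before import."""
    return {d["name"]: reconcile(d, ise_devices) for d in acs_devices}


if __name__ == "__main__":
    # Constructed ACS export covering every branch of the flow.
    acs_export = [
        {"name": "WLC-1", "ips": ["10.56.200.5/32"]},      # add
        {"name": "3750-X", "ips": ["10.56.122.10/32"]},    # update
        {"name": "3750-X", "ips": ["10.56.122.11/32"]},    # error: name only
        {"name": "CORE-OLD", "ips": ["10.56.0.0/24"]},     # error: IP only
        {"name": "EDGE-1", "ips": ["10.56.0.7/32"]},       # error: overlap (assumed)
        {"name": "RANGE-1", "ips": ["10.56.3.1-20"]},      # error: IP range
        {"name": "V6-1", "ips": ["2001:db8::1/128"]},      # error: IPv6
    ]
    for name, (verdict, reason) in plan(acs_export, ISE_DEVICES).items():
        print(f"{verdict:6} {name:9} {reason}")
```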


ACS 5 to ISE Migration: Authorization Results

• Command Sets and Shell Profiles migrate well

• Main gotcha: object names
  • ISE is stricter about names
  • Policy Results namespace is shared with Network Access
  • Recommend using a prefix for Device Admin Authorization Results


ACS 5 to ISE Migration: Policy

• ACS 5 Access Service maps to ISE Policy Set
  • ACS 5 Access Service is separated from Selection Policy
  • Can have Services that are not engaged
  • Can have Services selected by different Service Selection rules

• ACS 5 Group Map
  • Group Map intended as a transition step from ACS 4
  • Group Map content must be migrated to Authorization Policy

• Authentication Allowed Protocols
  • Part of Service configuration in ACS 5
  • Policy Result in ISE


ACS 5 to ISE Migration: TACACS+ Proxy

• ACS 5 Proxy Service maps to ISE Policy Set in Proxy Sequence Mode:


Migration Best Practices

• Follow recommendations from Migration tool Reports

• Rename ACS objects using ISE legal chars

• Move Group Map Policy to Authorization

• Consider ACS 5 to ISE migration as opportunity to review and refresh Policy

• Especially if Migrating from ACS 4


ACS to ISE 2.2 feature comparison


ACS vs ISE feature comparison -RADIUS


RADIUS ACS 4.2 ACS 5.7 ISE 2.0 ISE 2.1 ISE 2.2

PAP Yes Yes Yes Yes Yes

CHAP Yes Yes Yes Yes Yes

MS-CHAPv1 and v2 Yes Yes Yes Yes Yes

EAP-MD5 Yes Yes Yes Yes Yes

EAP-TLS Yes Yes Yes Yes Yes

PEAP (with EAP-MSCHAPv2 inner method) Yes Yes Yes Yes Yes

PEAP (with EAP-GTC inner method) Yes Yes Yes Yes Yes

PEAP (with EAP-TLS inner method) Yes Yes Yes Yes Yes

EAP-FAST (with EAP-MSCHAPv2 inner method) Yes Yes Yes Yes Yes

EAP-FAST (with EAP-GTC inner method) Yes Yes Yes Yes Yes

EAP-FAST (with EAP-TLS inner method) Yes Yes Yes Yes Yes

EAP Chaining with EAP-FAST No No Yes Yes Yes

RADIUS Proxy Yes Yes Yes Yes Yes

RADIUS VSAs Yes Yes Yes Yes Yes

LEAP Yes Yes Yes Yes Yes


ACS vs ISE feature comparison – TACACS+


TACACS+ ACS 4.2 ACS 5.7 ISE 2.0 ISE 2.1 ISE 2.2

TACACS+ per-command authorization and accounting Yes Yes Yes Yes Yes

TACACS+ support in IPv6 networks No Yes No No No

TACACS+ change password Yes Yes Yes Yes Yes

TACACS+ enable handling Yes Yes Yes Yes Yes

TACACS+ custom services Yes Yes Yes Yes Yes

TACACS+ proxy Yes Yes Yes Yes Yes

TACACS+ optional attributes Yes Yes Yes Yes Yes

TACACS+ additional auth types (CHAP / MSCHAP) Yes Yes Yes Yes Yes

TACACS+ attribute substitution for Shell profiles Yes Yes Yes Yes Yes

TACACS+ customizable port Yes Yes No Yes Yes


ACS vs ISE feature comparison –Internal users and Admins


Internal Users / Administrators ACS 4.2 ACS 5.7 ISE 2.0 ISE 2.1 ISE 2.2
Users: Password complexity Yes Yes Yes Yes Yes
Users: Password aging Yes Yes (1) Yes (1) Yes (1) Yes (1)
Users: Password history Yes Yes Yes Yes Yes
Users: Max failed attempts Yes Yes Yes Yes Yes
Users: Disable user after n days of inactivity Yes Yes No Yes Yes
Admin: Password complexity Yes Yes Yes Yes Yes
Admin: Password aging Yes Yes Yes Yes Yes
Admin: Password history Yes Yes Yes Yes Yes
Admin: Max failed attempts Yes Yes Yes Yes Yes
Admin: Password inactivity Yes Yes No Yes Yes
Admin: entitlement report Yes Yes Yes Yes Yes
Admin: session and access restrictions Yes Yes Yes Yes Yes

(1) Warning and disable after defined interval. Grace period is not supported.


ACS to ISE feature comparison – MAR, Conditions, Logs, Network Devices


Machine Access Restriction, Conditions, Logs, Network devices ACS 4.2 ACS 5.7 ISE 2.0 ISE 2.1 ISE 2.2
Machine Access Restrictions
Machine Access Restrictions caching and Distribution Yes Yes Yes (1) Yes (1) Yes (1)
Conditions/Filters
Network Access Restrictions (NARs) Yes Yes No No Yes
Time based permissions Yes Yes Yes Yes Yes
Log Management
Log Viewing and reports Yes Yes Yes Yes Yes
Export logs via SYSLOG Yes Yes Yes Yes Yes
Network Devices
Configure network devices with IP address ranges Yes Yes No No Partially (2)
Lookup Network Device by IP address Yes Yes Yes (3) Yes Yes

(1) ISE 2.0 supports only MAR cache. ISE 2.1 supports MAR cache between restarts but not distribution.
(2) When migrating from ACS to ISE, the Migration Tool automatically converts IP ranges in the last octet of the IP.
(3) Can search by IP address, but this can’t be used in combination with other fields as search criteria.


ACS to ISE feature comparison – Security management, Tools and utilities


PKI / Security Management, Tools and utilities ACS 4.2 ACS 5.7 ISE 2.0 ISE 2.1 ISE 2.2

PKI / Security management

Configurable management HTTPS certificate Yes Yes Yes Yes Yes

CRL: Multiple URL definition Yes No No No No

CRL: LDAP based definition Yes No Yes Yes Yes

Online Certificate Status Protocol (OCSP) Yes Yes Yes Yes Yes

Secure Syslogs No Yes Yes Yes Yes

EAP-TLS Certificate lookup in LDAP or AD Yes Yes Yes Yes Yes

Tools and Utilities

Programmatic Interface for network device CRUD operations Yes Yes Yes Yes Yes

Command line / scripting interface (CSUtil) Yes No No No No

API for users, groups and end-point CRUD operations Yes Yes Yes Yes Yes

Import and Export of Command Sets Yes Yes No No No

Users: User change password (UCP) utility Yes Yes No No No


ACS to ISE feature comparison - Miscellaneous


Miscellaneous ACS 4.2 ACS 5.7 ISE 2.0 ISE 2.1 ISE 2.2
Group Mapping Yes Yes No No (1) No (1)
RSA Token caching Yes Yes No No Yes
Adding hosts with Wildcards Yes Yes No No No
Alarm notification on a per-item level N/A Yes No No No
Configurable RADIUS ports Yes No No Yes Yes
Allow Special characters in object name Yes Yes No No Partially (2)
Multiple NIC interfaces N/A Yes Yes Yes Yes
Maximum concurrent sessions per user/group Yes Yes No No Yes (3)
Dial-in Attribute Support Yes Yes No No Yes
RBAC for ISE Admin to allow administrators' rights to access/modify only subset(s) of a class of objects Yes No No Yes Yes

(1) Workaround: use authorization conditions in the ISE authorization policy.
(2) The Migration tool automatically converts any special character unsupported by ISE to "_".
(3) For internal users.


Non-Supported features


Features that will have no ISE support ACS 4.2 ACS 5.7 ISE 2.0 ISE 2.1 ISE 2.2
LEAP Proxy Yes No No No No
Ability to select logging attributes for syslog messages Yes No No No No
Logging to external DB (via ODBC) Yes Yes (1) No No No

(1) Data can be exported from M&T for reporting. Not supported as a log target that can be defined as critical logger.


Complete Your Online Session Evaluation

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

• Please complete your Online Session Evaluations after each session

• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt

• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations


Continue Your Education

• Demos in the Cisco campus

• Walk-in Self-Paced Labs

• Lunch & Learn

• Meet the Engineer 1:1 meetings

• Related sessions


Q & A


Thank You
