Introduction

Adding network access devices (NADs) to Identity Services Engine (ISE) involves configuring the devices, such as switches or wireless access points, so they can communicate with ISE for authentication, authorization, and accounting (AAA) services. This process includes defining each NAD’s IP address and shared secret for secure communication, and configuring the appropriate protocols (like RADIUS or TACACS+) for authentication.

Creating Network Device Groups

The first thing I like to do before adding the Network Access Devices (NADs) is to create a logical grouping for them, such as their location, device type, etc. These groupings can later be used in your network access policies. Think of it as a logical tag you can put on a NAD or a group of NADs and you can invoke policies based on that tag later.

Navigate to Administration>Network Resources>Network Device Groups.

By default, there are Network Device Groups for All Device Types, All Locations, and Is IPSEC Device.

Click Add to create a Network Device Group.

Create the following groups: Switches, Firewalls, and Wireless Controllers under the parent group of All Device Types.

Create the following groups: San Jose and New York with the parent group of All Locations.

Create a new root group named Mode.

Create two new groups under that new parent named Monitor and Enforce.

When you are finished configuring, the Network Device Groups should look like the screenshot below.

Adding Network Access Devices

Navigate to Administration>Network Resources>Network Devices.

Click Add.

Give the device a logical name. I recommend matching the name you use when documenting your devices. In the screenshot below, I used Sw01.

For the IP address, use the IP address from which the RADIUS packets will be sourced on the device. This may be an SVI, a loopback, or the management interface for some switches.

Scroll down to the Network Device Groups section and select which groups this NAD should be a part of.

Check the box next to RADIUS Authentication Settings.

Fill in the shared secret. This should be the same secret you will configure on the NAD.

If the NAD does not support IOS Device Sensor or requires SNMP for profiling, check the box next to SNMP Settings.

Under these settings, you would configure the following:

  • SNMP Version – 1, 2c, 3
  • SNMP RO Community
  • SNMP Username (Version 3 only)
  • Security Level (Version 3 only)
  • Auth Protocol (Version 3 only)
  • Auth Password (Version 3 only)
  • Privacy Protocol (Version 3 only)
  • Privacy Password (Version 3 only)
  • Polling Interval – Default is 28,800 seconds
  • Link Trap Query and MAC Trap Query – Default is enabled
  • Originating Policy Services Node – Set to Auto

Click Submit.

Importing NADs in bulk

If you have hundreds of devices, manually adding each NAD through the GUI might be tedious, so you can add them in bulk instead by clicking the Import button on the Network Devices page.

Click on the Generate a Template link to download a CSV template. You can fill it in with all your NADs’ information and import them simultaneously.
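Before importing a large inventory, it helps to lint it for the mistakes that are easy to make at scale. The script below is an added example, not part of ISE or of the original walkthrough: the column names are simplified stand-ins (not the headers of the ISE template), the Root#Child group notation and the 16-character minimum are assumptions, and the rows are constructed sample data using the groups created earlier on this page.

```python
import csv
import io
import ipaddress
from collections import Counter

# Groups created earlier on this page, written as "Root#Child" (notation assumed).
KNOWN_GROUPS = {
    "All Device Types#Switches", "All Device Types#Firewalls",
    "All Device Types#Wireless Controllers",
    "All Locations#San Jose", "All Locations#New York",
    "Mode#Monitor", "Mode#Enforce",
}
MIN_SECRET_LEN = 16  # assumed local policy, not an ISE limit

# Constructed sample rows; column names are hypothetical, not ISE's template headers.
SAMPLE_CSV = """name,ip,groups,shared_secret
Sw01,10.1.1.1,All Device Types#Switches|All Locations#San Jose|Mode#Monitor,Xk9!vR2#pLm7qTz4
Sw02,10.1.1.2,All Device Types#Switches|All Locations#New York|Mode#Enforce,Xk9!vR2#pLm7qTz4
Fw01,10.1.1.2,All Device Types#Firewalls|All Locations#Boston,cisco123
Wlc01,10.1.300.5,All Device Types#Wireless Controllers|Mode#Monitor,Jd7$wQ1@zNc5bHy8
"""

def lint_nads(csv_text):
    """Return (device name, issue) pairs for rows that should be fixed before import."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    secret_use = Counter(r["shared_secret"] for r in rows)
    seen_ips, findings = {}, []
    for r in rows:
        name = r["name"]
        try:
            ip = ipaddress.ip_address(r["ip"])
        except ValueError:
            findings.append((name, "invalid-ip"))
        else:
            # Two NADs with the same RADIUS source IP cannot be told apart.
            if ip in seen_ips:
                findings.append((name, "duplicate-ip:" + seen_ips[ip]))
            seen_ips.setdefault(ip, name)
        for group in r["groups"].split("|"):
            if group not in KNOWN_GROUPS:
                findings.append((name, "unknown-group:" + group))
        if len(r["shared_secret"]) < MIN_SECRET_LEN:
            findings.append((name, "short-secret"))
        if secret_use[r["shared_secret"]] > 1:
            findings.append((name, "reused-secret"))
    return findings

if __name__ == "__main__":
    for name, issue in lint_nads(SAMPLE_CSV):
        print(f"{name}: {issue}")
```

A file filled in with shared secrets holds them in plaintext, so store it like any other credential and delete it once the import succeeds.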