CISCO ISE Secure Access-1

The document outlines the process of defining network devices in Cisco ISE, which are essential for authentication, authorization, and accounting (AAA) services. It details the configuration for RADIUS and TACACS protocols, as well as SNMP for profiling endpoints, and emphasizes the importance of defining Cisco TrustSec-enabled devices. Additionally, it explains how to set up default network device definitions for handling requests from devices not explicitly defined in Cisco ISE.

Uploaded by Seymur Mammadov

CISCO ISE Secure Access

Define Network Devices in Cisco ISE

A network device, such as a switch or a router, is an authentication, authorization, and accounting (AAA)
client that sends AAA service requests to Cisco ISE. Defining network devices in Cisco ISE enables interactions
between Cisco ISE and network devices.
Configure network devices for RADIUS or TACACS AAA; for Simple Network Management Protocol (SNMP), so
that the Profiling service can collect Cisco Discovery Protocol (CDP) and Link Layer Discovery Protocol
(LLDP) attributes for profiling endpoints; and for TrustSec attributes on Cisco TrustSec devices. A network
device that is not defined in Cisco ISE cannot receive AAA services from Cisco ISE.
From the Cisco ISE main menu, choose Administration > Network Resources > Network Devices, and
click Add. In the New Network Device window that is displayed, enter the following details to define a
network device:
• Select the vendor profile that fits the network device. The profile includes predefined configurations
for the device, such as settings for URL redirect and change of authorization.
• Configure the RADIUS protocol for RADIUS authentications. When Cisco ISE receives a RADIUS
request from a network device, it looks for the corresponding device definition to retrieve the
configured shared secret. If Cisco ISE finds the device definition, it obtains the configured shared
secret on the device and matches it against the shared secret in the request to authenticate access. If the
shared secrets match, the RADIUS server processes the request further based on the policy and
configuration. If the shared secrets do not match, a reject response is sent to the network device. A
failed authentication report is generated, which provides the failure reason.
• Configure the TACACS+ protocol for TACACS+ authentications. When Cisco ISE receives a
TACACS+ request from a network device, it looks for the corresponding device definition to retrieve
the shared secret that is configured. If it finds the device definition, it obtains the shared secret that is
configured on the device and matches it against the shared secret in the request to authenticate access.
If the shared secrets match, the TACACS+ server processes the request further based on the policy and
configuration. If they do not match, a reject response is sent to the network device. A failed
authentication report is generated, which provides the failure reason.
• You can configure the Simple Network Management Protocol (SNMP) in the network device
definition for the Profiling service to communicate with the network devices and profile endpoints that
are connected to the network devices.
• You must define Cisco TrustSec-enabled devices in Cisco ISE to process requests from TrustSec-
enabled devices that can be part of the Cisco TrustSec solution. Any switch that supports the Cisco
TrustSec solution is a Cisco TrustSec-enabled device.
Cisco TrustSec devices do not use IP addresses. Instead, you must define other settings so that Cisco
TrustSec devices can communicate with Cisco ISE.
Cisco TrustSec-enabled devices use the TrustSec attributes to communicate with Cisco ISE. Cisco
TrustSec-enabled devices, such as the Cisco Nexus 7000 Series Switches, Cisco Catalyst 6000 Series
Switches, Cisco Catalyst 4000 Series Switches, and Cisco Catalyst 3000 Series Switches are authenticated
using the Cisco TrustSec attributes that you define while adding Cisco TrustSec devices.

Define a Default Network Device in Cisco ISE


Cisco ISE supports the default device definition for RADIUS and TACACS authentications. You can
define a default network device that Cisco ISE can use if it does not find a device definition for a particular
IP address. This feature enables you to define a default RADIUS or TACACS shared secret and the level
of access for newly provisioned devices.

When Cisco ISE receives a RADIUS or TACACS request from a network device, it looks for the corresponding
device definition to retrieve the shared secret that is configured in that definition.
Cisco ISE performs the following procedure when a RADIUS or TACACS request is received:
1. Looks for a specific IP address that matches the one in the request.
2. Looks up the ranges to see if the IP address in the request falls within the range that is specified.
3. If both step 1 and 2 fail, it uses the default device definition (if defined) to process the request.

Cisco ISE obtains the shared secret that is configured in the device definition for that device and matches it
against the shared secret in the RADIUS or TACACS request to authenticate access. If no device definitions
are found, Cisco ISE obtains the shared secret from the default network device definition and processes the
RADIUS or TACACS request.

Network Devices

The windows described in the following sections enable you to add and manage network devices in Cisco
ISE.

Network Device Definition Settings

The following tables describe the fields in the Network Devices window, which you can use to configure a
network access device in Cisco ISE. To view this window, click the Menu icon and choose
Administration > Network Resources > Network Devices, and click Add.

Network Device Settings

The following table describes the fields in the New Network Devices window.

Field Name: Description

Name: Enter a name for the network device. You can provide a descriptive name to the network device,
which is different from the hostname of the device. The device name is a logical identifier.
Note
If needed, the name of a device can be changed after it is configured.

Description: Enter a description for the device.

IP Address or IP Range: Choose one of the following from the drop-down list and enter the required values
in the fields displayed:
• IP Address: Enter a single IP address (IPv4 or IPv6 address) and a subnet mask.
• IP Range: Enter the required IPv4 address range. To exclude IP addresses during authentication, enter
an IP address or IP address range in the Exclude field.
The following are the guidelines for defining IP addresses and subnet masks, or IP address ranges:
• You can define a specific IP address, or an IP range with a subnet mask. If device A has an IP address
range defined, you can configure another device, B, with an individual address from the range that is
defined in device A.
• You can define IP address ranges in all the octets. You can use a hyphen (-) or an asterisk (*) as a
wildcard to specify a range of IP addresses. For example, *.*.*.*, 1-10.1-10.1-10.1-10, or
10-11.*.5.10-15.
• You can exclude a subset of an IP address range from the configured range in a scenario where that
subset has already been added, for example, 10.197.65.*/10.197.65.1, or 10.197.65.* exclude
10.197.65.1.
• You can configure up to 40 IP addresses or IP ranges for each network device.
• You cannot define two devices with the same specific IP address.
• You cannot define two devices with the same IP range. The IP ranges must not overlap either
partially or completely.
• When you exclude IP addresses, do not use overlapping IP ranges. Instead, exclude separate IP ranges.
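The lookup order from "Define a Default Network Device" (specific IP, then IP range, then the default device) together with the IP range guidelines above, as an added example that is not Cisco's code. The wildcard parser, overlap check and device names, addresses and secrets are this example's own constructions; the Message-Authenticator and second-secret behaviour of real ISE is not modelled.

```python
"""Added example (not Cisco's code): how Cisco ISE resolves a RADIUS/TACACS+ request
to a device definition (specific IP, then IP range, then the default device) using the
wildcard range syntax and exclusions described above. All sample data is constructed."""
import hmac
from dataclasses import dataclass, field
from typing import Optional

MIN_SHARED_SECRET_LEN = 4  # ISE default for Minimum RADIUS Shared Secret Length


def parse_octet(spec: str) -> set[int]:
    """Expand one octet spec ('5', '1-10' or '*') into the set of values it covers."""
    if spec == "*":
        return set(range(256))
    lo, _, hi = spec.partition("-")
    lo_v, hi_v = int(lo), int(hi or lo)
    if not 0 <= lo_v <= hi_v <= 255:
        raise ValueError(f"bad octet spec {spec!r}")
    return set(range(lo_v, hi_v + 1))


class IPRange:  # IPv4 range in ISE wildcard syntax, e.g. 10-11.*.5.10-15, with exclusions
    def __init__(self, spec: str, exclude: Optional[list[str]] = None):
        self.spec = spec
        self.octets = [parse_octet(o) for o in spec.split(".")]
        if len(self.octets) != 4:
            raise ValueError(f"range {spec!r} must have four octets")
        self.excluded = [IPRange(e) for e in (exclude or [])]

    def covers(self, ip: str) -> bool:
        try:
            parts = [int(p) for p in ip.split(".")]
        except ValueError:
            return False  # not a dotted IPv4 address
        if len(parts) != 4 or not all(p in o for p, o in zip(parts, self.octets)):
            return False
        return not any(x.covers(ip) for x in self.excluded)  # honour the Exclude field

    def overlaps(self, other: "IPRange") -> bool:
        # Two wildcard ranges share an address iff every octet position shares a value.
        return all(a & b for a, b in zip(self.octets, other.octets))


@dataclass
class NetworkDevice:
    name: str
    shared_secret: str
    ip_addresses: list[str] = field(default_factory=list)  # specific addresses
    ip_ranges: list[IPRange] = field(default_factory=list)


class DeviceRepository:  # network device definitions plus the optional default device
    def __init__(self, default_device: Optional[NetworkDevice] = None):
        self.devices: list[NetworkDevice] = []
        self.default_device = default_device

    def add(self, dev: NetworkDevice) -> Optional[str]:
        """Apply the definition guidelines; return a rejection reason, or None if added."""
        if len(dev.shared_secret) < MIN_SHARED_SECRET_LEN:
            return f"{dev.name}: shared secret below the configured minimum length"
        for other in self.devices:
            if set(dev.ip_addresses) & set(other.ip_addresses):
                return f"{dev.name} repeats a specific IP address of {other.name}"
            for r in dev.ip_ranges:
                for o in other.ip_ranges:
                    if r.overlaps(o):  # ranges must not overlap partially or completely
                        return f"{dev.name}: {r.spec} overlaps {o.spec} of {other.name}"
        self.devices.append(dev)
        return None

    def resolve(self, client_ip: str) -> Optional[NetworkDevice]:
        """Step 1: specific address. Step 2: ranges. Step 3: default device, if defined."""
        for dev in self.devices:
            if client_ip in dev.ip_addresses:
                return dev
        for dev in self.devices:
            if any(r.covers(client_ip) for r in dev.ip_ranges):
                return dev
        return self.default_device

    def authenticate_request(self, client_ip: str, presented_secret: str) -> tuple[bool, str]:
        """Match the request's shared secret against the resolved definition."""
        dev = self.resolve(client_ip)
        if dev is None:
            return False, "no device definition found and no default device enabled"
        # Constant-time comparison so a mismatch does not leak secret bytes via timing.
        if not hmac.compare_digest(dev.shared_secret.encode(), presented_secret.encode()):
            return False, f"shared secret mismatch for {dev.name}: reject sent, failure logged"
        return True, f"request accepted using definition {dev.name}"


def build_sample_repository() -> DeviceRepository:
    """Constructed sample data: three definitions plus an enabled default device."""
    repo = DeviceRepository(NetworkDevice("default-device", "DefaultSecret-sample-22"))
    repo.add(NetworkDevice("core-sw-1", "CoreSecret-sample-22ch", ["10.197.65.1"]))
    repo.add(NetworkDevice("branch-switches", "BranchSecret-sample-22", [],
                           [IPRange("10.197.65.*", exclude=["10.197.65.1"])]))
    repo.add(NetworkDevice("lab-routers", "LabSecret-sample-22cha", [], [IPRange("10-11.*.5.10-15")]))
    return repo
```

Note that core-sw-1's specific address sits inside branch-switches' range, which the guidelines allow, while a second range overlapping that range is refused.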
Device Profile: Choose the vendor of the network device from the drop-down list.
Use the tooltip next to the drop-down list to see the flows and services that the selected vendor's network
devices support. The tooltip also displays the RADIUS Change of Authorization (CoA) port and the type of
URL redirect that is used by the device. These attributes are defined in the device type's network device
profile.

Model Name: Choose the device model from the drop-down list.
Use the model name as one of the parameters while checking for conditions in rule-based policies.
This attribute is present in the device dictionary.

Software Version: Choose the version of the software running on the network device from the drop-down list.
You can use the software version as one of the parameters while checking for conditions in rule-based
policies. This attribute is present in the device dictionary.

Network Device Group: In the Network Device Group area, choose the required values from the Location,
IPsec, and Device Type drop-down lists.
If you do not specifically assign a device to a group, it becomes a part of the default device groups (root
network device groups), which are All Locations by location and All Device Types by device type.
RADIUS Authentication Settings

The following table describes the fields in the RADIUS Authentication Settings area.

Field Name: Usage Guidelines

RADIUS UDP Settings

Protocol: Displays RADIUS as the selected protocol.

Shared Secret: Enter the shared secret for the network device.
The shared secret is the key that is configured on the network device using the radius-host command with
the pac option.
Note
The length of the shared secret must be equal to or greater than the value configured in the
Minimum RADIUS Shared Secret Length field in the Device Security Settings window
(Administration > Network Resources > Network Devices > Device Security Settings).
For a RADIUS server, the best practice is to have 22 characters. For new installations and
upgraded deployments, the shared secret length is four characters by default. You can change this
value in the Device Security Settings window.

Use Second Shared Secret: Specify a second shared secret to be used by the network device and Cisco ISE.
Note
Although Cisco TrustSec devices can take advantage of the dual shared secrets (keys), Cisco
TrustSec CoA packets sent by Cisco ISE will always use the first shared secret (key). To enable
the use of the second shared secret, choose the Cisco ISE node from which the Cisco TrustSec
CoA packets must be sent to the Cisco TrustSec device. Configure the Cisco ISE node to be
used for this task in the Send From drop-down list in the Work Centers > Device
Administration > Network Resources > Network Devices > Add > Advanced TrustSec
Settings window. You can select a primary administration node (PAN) or a policy service node
(PSN). If the chosen PSN node is down, the PAN sends the Cisco TrustSec CoA packets to the
Cisco TrustSec device.
Note
The Second Shared Secret feature for RADIUS Access Request works only for packets containing
the Message-Authenticator field.

CoA Port: Specify the port to be used for RADIUS CoA.
The default CoA port for the device is defined in the network device profile that is configured for
a network device (Administration > Network Resources > Network Device Profiles). Click Set To Default
to use the default CoA port.
Note
If you modify the CoA port specified in the Network Devices window (Administration >
Network Resources > Network Devices) under RADIUS Authentication Settings, make sure
that you specify the same CoA port for the corresponding profile in the Network Device Profile
window (Administration > Network Resources > Network Device Profiles).

RADIUS DTLS Settings

DTLS Required: If you check the DTLS Required check box, Cisco ISE processes only the DTLS requests from
this device. If this option is disabled, Cisco ISE processes both UDP and DTLS requests from this device.
RADIUS DTLS provides improved security for Secure Sockets Layer (SSL) tunnel establishment and RADIUS
communication.

Shared Secret: Displays the shared secret that is used for RADIUS DTLS. This value is fixed and is used to
compute the Message Digest 5 (MD5) integrity checks.

CoA Port: Specify the port to be used for RADIUS DTLS CoA.

Issuer CA of ISE Certificates for CoA: Choose the Certificate Authority to be used for RADIUS DTLS CoA
from the drop-down list.

DNS Name: Enter the DNS name of the network device. If the Enable RADIUS/DTLS Client Identity
Verification option is enabled in the RADIUS Settings window (Administration > System > Settings >
Protocols > RADIUS), Cisco ISE compares this DNS name with the DNS name that is specified in the client
certificate to verify the identity of the network device.

General Settings

Enable KeyWrap: Check the Enable KeyWrap check box only if KeyWrap algorithms are supported by the
network device. The network device must be compatible with the AES KeyWrap RFC (RFC 3394).
This option is used to increase RADIUS security through an AES KeyWrap algorithm.

Key Encryption Key: Enter the encryption key that is used for session encryption (secrecy).

Message Authenticator Code Key: Enter the key that is used for keyed Hashed Message Authentication Code
(HMAC) calculation over RADIUS messages.

Key Input Format: Click one of the following radio buttons:
• ASCII: The value that is entered in the Key Encryption Key field must be 16 characters (bytes) in
length, and the value that is entered in the Message Authenticator Code Key field must be 20
characters (bytes) in length.
• Hexadecimal: The value that is entered in the Key Encryption Key field must be 32 characters (bytes)
in length, and the value that is entered in the Message Authenticator Code Key field must be 40
characters (bytes) in length.
You can specify the key input format that you want to use to enter the Key Encryption Key and
Message Authenticator Code Key so that it matches the configuration on the network device.
The value that you specify must be the correct (full) length for the key, and shorter values are
not permitted.

TACACS Authentication Settings

Field Name: Usage Guidelines

Shared Secret: A string of text that is assigned to a network device when the TACACS+ protocol is enabled.
The user must enter the text before the network device authenticates a username and password. The
connection is rejected until the user supplies the shared secret.

Retired Shared Secret is Active: Displayed when the retirement period is active.

Retire: Retires an existing shared secret instead of ending it. When you click Retire, a dialog box is
displayed. You can click either Yes or No.

Remaining Retired Period: (Available only if you click Yes in the Retire dialog box) Displays the default
value that is specified in Work Centers > Device Administration > Settings > Connection Settings >
Default Shared Secret Retirement Period. You can change the default value, as necessary.
The old shared secret remains active for the specified number of days.

End: (Available only if you click Yes in the Retire dialog box) Ends the retirement period and terminates
the old shared secret.

Enable Single Connect Mode: Check the Enable Single Connect Mode check box to use a single TCP connection
for all TACACS communications with the network device. Click one of the following radio buttons:
• Legacy Cisco Devices
• TACACS Draft Compliance Single Connect Support
Note
If you disable Single Connect Mode, Cisco ISE uses a new TCP connection for every TACACS request.
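The Retire, Remaining Retired Period and End semantics above, as an added example that is not Cisco's code: during the retirement period both the old and the new TACACS+ shared secret are accepted, and End (or the period elapsing) terminates the old one. The secrets, dates and the default period value are constructed; the real default is the deployment's Default Shared Secret Retirement Period setting.

```python
"""Added example (not Cisco's code): the TACACS+ shared-secret retirement lifecycle
described above. Retire keeps the old secret valid for the retirement period while the
new one becomes active; End terminates the old secret early. Secrets, dates and the
default period below are constructed sample values."""
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

DEFAULT_RETIREMENT_DAYS = 30  # hypothetical Default Shared Secret Retirement Period value


def sample_time(day_offset: int) -> datetime:
    """Constructed timeline: a fixed UTC start plus a number of days."""
    return datetime(2024, 1, 1, tzinfo=timezone.utc) + timedelta(days=day_offset)


@dataclass
class TacacsSharedSecret:
    active: str
    retired: Optional[str] = None
    retired_until: Optional[datetime] = None

    def retirement_active(self, now: datetime) -> bool:
        """Mirrors the 'Retired Shared Secret is Active' indicator."""
        return self.retired is not None and self.retired_until is not None and now < self.retired_until

    def remaining_retired_days(self, now: datetime) -> int:
        """Whole days left in the retirement period (0 when none is active)."""
        return (self.retired_until - now).days if self.retirement_active(now) else 0

    def retire(self, new_secret: str, now: datetime, days: int = DEFAULT_RETIREMENT_DAYS) -> None:
        """Yes in the Retire dialog: the old secret stays valid for `days` days, the new one is active."""
        if self.retirement_active(now):  # this example's rule; the page does not say what ISE does here
            raise RuntimeError("a retirement period is already active; End it first")
        if not new_secret or new_secret == self.active:
            raise ValueError("new shared secret must be non-empty and differ from the current one")
        self.retired, self.retired_until = self.active, now + timedelta(days=days)
        self.active = new_secret

    def end_retirement(self) -> None:
        """End: terminates the old shared secret immediately."""
        self.retired, self.retired_until = None, None

    def accepts(self, presented: str, now: datetime) -> bool:
        """Accept the active secret, or the retired one while its period is still running."""
        if hmac.compare_digest(presented.encode(), self.active.encode()):
            return True
        if self.retirement_active(now):
            return hmac.compare_digest(presented.encode(), self.retired.encode())
        return False


def walkthrough() -> list[tuple[str, bool, bool]]:
    """Rotate a device's secret over a 10-day retirement period and record, per step,
    whether the old and the new secret are accepted."""
    old, new = "OldTacacsSecret-sample", "NewTacacsSecret-sample"
    state = TacacsSharedSecret(active=old)
    log: list[tuple[str, bool, bool]] = []

    def probe(event: str, now: datetime) -> None:
        log.append((event, state.accepts(old, now), state.accepts(new, now)))

    probe("before retire", sample_time(0))
    state.retire(new, sample_time(0), days=10)
    probe("day 0 after retire", sample_time(0))
    probe("day 9 of retirement", sample_time(9))
    probe("day 10, period elapsed", sample_time(10))
    return log
```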
SNMP Settings

The following table describes the fields in the SNMP Settings section.

Field Name: Usage Guidelines

SNMP Version: Choose one of the following options from the SNMP Version drop-down list:
• 1: SNMPv1 does not support informs.
• 2c
• 3: SNMPv3 is the most secure model because it allows packet encryption when you choose Priv in the
Security Level field.
Note
If you have configured your network device with SNMPv3 parameters, you cannot generate the
Network Device Session Status summary report that is provided by the monitoring service
(Operations > Reports > Diagnostics > Network Device Session Status). You can generate
this report successfully if your network device is configured with SNMPv1 or SNMPv2c parameters.

SNMP RO Community: (Applicable only for SNMP versions 1 and 2c) Enter the Read Only Community string that
provides Cisco ISE with a particular type of access to the device.
Note
The caret (circumflex ^) symbol is not allowed.

SNMP Username: (Only for SNMP Version 3) Enter the SNMP username.

Security Level: (Only for SNMP Version 3) Choose one of the following options from the Security Level
drop-down list:
• Auth: Enables MD5 or Secure Hash Algorithm (SHA) packet authentication.
• No Auth: No authentication and no privacy security level.
• Priv: Enables Data Encryption Standard (DES) packet encryption.

Auth Protocol: (Only for SNMP Version 3 when the Auth or Priv security level is selected) Choose the
authentication protocol that you want the network device to use from the Auth Protocol drop-down list:
• MD5
• SHA

Auth Password: (Only for SNMP Version 3 when the Auth or Priv security level is selected) Enter the
authentication key. It must be at least eight characters in length.
Click Show to display the authentication password that is already configured for the device.
Note
The caret (circumflex ^) symbol cannot be used.

Privacy Protocol: (Only for SNMP Version 3 when the Priv security level is selected) Choose one of the
following options from the Privacy Protocol drop-down list:
• DES
• AES128
• AES192
• AES256
• 3DES

Privacy Password: (Only for SNMP Version 3 when the Priv security level is selected) Enter the privacy key.
Click Show to display the privacy password that is already configured for the device.
Note
The caret (circumflex ^) symbol cannot be used.

Polling Interval: Enter the polling interval, in seconds. The default value is 3600.

Link Trap Query: Check the Link Trap Query check box to receive and interpret linkup and linkdown
notifications that are received through the SNMP trap.

Mac Trap Query: Check the Mac Trap Query check box to receive and interpret MAC notifications received
through the SNMP trap.

Originating Policy Services Node: Choose the Cisco ISE server to be used to poll for SNMP data from the
Originating Policy Services Node drop-down list. The default value for this field is Auto. Override the
setting by choosing a specific value from the drop-down list.

Advanced TrustSec Settings

The following table describes the fields in the Advanced TrustSec Settings section.

Field Name: Usage Guidelines

Device Authentication Settings

Use Device ID for TrustSec Identification: Check the Use Device ID for TrustSec Identification check box
if you want the device name to be listed as the device identifier in the Device ID field.

Device ID: You can use this field only if you have not checked the Use Device ID for TrustSec
Identification check box.

Password: Enter the password that you have configured in the Cisco TrustSec device's CLI to authenticate
the Cisco TrustSec device.
Click Show to display the password.

HTTP REST API Settings

Enable HTTP REST API: Check the Enable HTTP REST API check box to use the HTTP REST API to provide the
required Cisco TrustSec information to the network devices. This enhances the efficiency and ability to
download large configurations in a short time as compared to the RADIUS protocol. It also improves
reliability by using TCP instead of UDP.

Username: Enter the username that you have configured in the Cisco TrustSec device's CLI to authenticate
the Cisco TrustSec device. The username cannot contain special characters such as space ! % ^ : ; , [ { | }
] ` " = < > ?

Password: Enter the password that you have configured in the Cisco TrustSec device's CLI to authenticate
the Cisco TrustSec device.

TrustSec Device Notification and Updates

Device ID: You can use this field only if you have not checked the Use Device ID for TrustSec
Identification check box.

Password: Enter the password that you have configured in the Cisco TrustSec device's CLI to authenticate
the Cisco TrustSec device.
Click Show to display the password.

Download Environment Data Every <...>: Specify the time interval at which the device must download its
environment data from Cisco ISE, by choosing the required values from the drop-down lists in this area.
You can choose the time interval in seconds, minutes, hours, days, or weeks. The default value is one day.

Download Peer Authorization Policy Every <...>: Specify the time interval at which the device must download
the peer authorization policy from Cisco ISE, by choosing the required values from the drop-down lists in
this area. You can specify the time interval in seconds, minutes, hours, days, or weeks. The default value
is one day.

Reauthentication Every <...>: Specify the time interval at which the device reauthenticates itself against
Cisco ISE after the initial authentication, by choosing the required values from the drop-down lists in
this area. You can configure the time interval in seconds, minutes, hours, days, or weeks. For example, if
you enter 1000 seconds, the device authenticates itself against Cisco ISE every 1000 seconds. The default
value is one day.

Download SGACL Lists Every <...>: Specify the time interval at which the device downloads SGACL lists from
Cisco ISE, by choosing the required values from the drop-down lists in this area. You can configure the
time interval in seconds, minutes, hours, days, or weeks. The default value is one day.

Other TrustSec Devices to Trust This Device (TrustSec Trusted): Check the Other TrustSec Devices to Trust
This Device check box to allow all the peer devices to trust this Cisco TrustSec device. If this check box
is not checked, the peer devices do not trust this device, and all the packets that arrive from this
device are colored or tagged accordingly.

Send Configuration Changes to Device: Check the Send Configuration Changes to Device check box if you want
Cisco ISE to send Cisco TrustSec configuration changes to the Cisco TrustSec device using CoA or CLI (SSH).
Click the CoA or CLI (SSH) radio button, as required.
Click the CoA radio button if you want Cisco ISE to send the configuration changes to the Cisco TrustSec
device using CoA.
Click the CLI (SSH) radio button if you want Cisco ISE to send the configuration changes to the Cisco
TrustSec device using the CLI (over an SSH connection).

Send From: From the drop-down list, choose the Cisco ISE node from which the configuration changes must be
sent to the Cisco TrustSec device. You can select a PAN or a PSN. If the PSN that you choose is down, the
configuration changes are sent to the Cisco TrustSec device using the PAN.

Test Connection: You can use this option to test the connectivity between the Cisco TrustSec device and
the selected Cisco ISE node (PAN or PSN).

SSH Key: To use this feature, open an SSHv2 tunnel from Cisco ISE to the network device, and use the
device's CLI to retrieve the SSH key. You must copy this key and paste it in the SSH Key field for
validation.

Device Configuration Deployment

Include this device when deploying Security Group Tag Mapping Updates: Check the Include this device when
deploying Security Group Tag Mapping Updates check box if you want the Cisco TrustSec device to obtain the
IP-SGT mappings using the device interface credentials.

EXEC Mode Username: Enter the username that you use to log in to the Cisco TrustSec device.

EXEC Mode Password: Enter the device password.
Click Show to view the password.
Note
We recommend that you avoid using the % character in passwords, including in the EXEC mode and Enable
mode passwords, to avoid security vulnerabilities.

Enable Mode Password: (Optional) Enter the enable password that is used to edit the configuration of the
Cisco TrustSec device in privileged EXEC mode.
Click Show to view the password.

Out Of Band TrustSec PAC

Issue Date: Displays the issuing date of the last Cisco TrustSec PAC that was generated by Cisco ISE for
the Cisco TrustSec device.

Expiration Date: Displays the expiration date of the last Cisco TrustSec PAC that was generated by Cisco
ISE for the Cisco TrustSec device.

Issued By: Displays the name of the issuer (a Cisco TrustSec administrator) of the last Cisco TrustSec PAC
that was generated by Cisco ISE for the Cisco TrustSec device.

Generate PAC: Click the Generate PAC button to generate the out-of-band Cisco TrustSec PAC for the Cisco
TrustSec device.

Default Network Device Definition Settings

The following table describes the fields in the Default Network Device window, with which you configure a
default network device that Cisco ISE can use for RADIUS or TACACS+ authentication. Choose one of the
following navigation paths:
• Administration > Network Resources > Network Devices > Default Device
• Work Centers > Device Administration > Network Resources > Default Devices

Field Name: Usage Guidelines

Default Network Device Status: Choose Enable from the Default Network Device Status drop-down list to
enable the default network device definition.
Note
If the default device is enabled, you must enable either the RADIUS or the TACACS+ authentication settings
by checking the relevant check box in the window.

Device Profile: Displays Cisco as the default device vendor.

RADIUS Authentication Settings

Enable RADIUS: Check the Enable RADIUS check box to enable RADIUS authentication for the device.

RADIUS UDP Settings

Shared Secret: Enter a shared secret. The shared secret can be up to 127 characters in length.
The shared secret is the key that you have configured on the network device using the radius-host command
with the pac keyword.
Note
The length of the shared secret must be equal to or greater than the value configured in the Minimum
RADIUS Shared Secret Length field in the Device Security Settings window (Administration > Network
Resources > Network Devices > Device Security Settings). By default, this value is four characters for
new installations and upgraded deployments. For the RADIUS server, the best practice is to have 22
characters.

RADIUS DTLS Settings

DTLS Required: If you check the DTLS Required check box, Cisco ISE processes only the DTLS requests from
this device. If this option is disabled, Cisco ISE processes both UDP and DTLS requests from this device.
RADIUS DTLS provides improved security for SSL tunnel establishment and RADIUS communication.

Shared Secret: Displays the shared secret that is used for RADIUS DTLS. This value is fixed and is used to
compute the MD5 integrity checks.

Issuer CA of ISE Certificates for CoA: Choose the certificate authority to be used for RADIUS DTLS CoA from
the Issuer CA of ISE Certificates for CoA drop-down list.

General Settings

Enable KeyWrap: (Optional) Check the Enable KeyWrap check box only if KeyWrap algorithms are supported on
the network device, which increases RADIUS security through an AES KeyWrap algorithm.

Key Encryption Key: Enter an encryption key to be used for session encryption (secrecy) when you enable
KeyWrap.

Message Authenticator Code Key: Enter the key that is used for keyed Hashed Message Authentication Code
(HMAC) calculation over RADIUS messages when you enable KeyWrap.

Key Input Format: Choose one of the following formats by clicking the corresponding radio button, and
enter values in the Key Encryption Key and Message Authenticator Code Key fields:
• ASCII: The Key Encryption Key must be 16 characters (bytes) in length, and the Message Authenticator
Code Key must be 20 characters (bytes) in length.
• Hexadecimal: The Key Encryption Key must be 32 bytes in length, and the Message Authenticator Code
Key must be 40 bytes in length.
Specify the key input format that you want to use to enter the Key Encryption Key and Message
Authenticator Code Key so that it matches the configuration on the network device. The value that you
specify must be the correct (full) length for the key. Shorter values are not permitted.

TACACS Authentication Settings

Shared Secret: Enter a string of text to assign to a network device when the TACACS+ protocol is enabled.
Note that a user must enter the text before the network device authenticates a username and password. The
connection is rejected until the user supplies the shared secret.

Retired Shared Secret is Active: Displayed when the retirement period is active.

Retire: Retires an existing shared secret instead of ending it. When you click Retire, a dialog box is
displayed. Click Yes or No.

Remaining Retired Period: (Optional) Available only if you click Yes in the Retire dialog box. Displays the
default value that is specified in the Work Centers > Device Administration > Settings > Connection
Settings > Default Shared Secret Retirement Period window. You can change the default values.
This allows a new shared secret to be entered. The old shared secret remains active for the specified
number of days.

End: (Optional) Available only if you select Yes in the Remaining Retired Period dialog box. Ends the
retirement period and terminates the old shared secret.

Enable Single Connect Mode: Check the Enable Single Connect Mode check box to use a single TCP connection
for all TACACS+ communication with the network device. Click one of the following radio buttons:
• Legacy Cisco Devices
• TACACS Draft Compliance Single Connect Support
Note
If you disable this field, Cisco ISE uses a new TCP connection for every TACACS+ request.
Network Device Import Settings

The following table describes the fields in the Import Network Devices window, which you can use to import
network device details into Cisco ISE. To view this window, click the Menu icon and choose Administration
> Network Resources > Network Devices. In the Network Devices window, click Import.

Field Name: Usage Guidelines

Generate a Template: Click Generate a Template to create a comma-separated value (CSV) template file.
Update the template with network device information in the CSV format and save it locally. Then, use the
edited template to import network devices into any Cisco ISE deployment.

File: Click Choose File to choose the CSV file that you have recently created, or previously exported from
a Cisco ISE deployment.
You can import network devices into another Cisco ISE deployment with new and updated network device
information, by using the Import option.

Overwrite Existing Data with New Data: Check the Overwrite Existing Data with New Data check box to
replace the existing network devices with the devices in your import file.
If you do not check this check box, new network device definitions that are available in the import file
are added to the network device repository. Duplicate entries are ignored.

Stop Import on First Error: Check the Stop Import on First Error check box if you want Cisco ISE to
discontinue the import when it encounters an error. Cisco ISE imports network devices up to the point of
the error.
If this check box is not checked and an error is encountered, the error is reported and Cisco ISE continues
to import the remaining devices.

Import Network Devices into Cisco ISE

To enable Cisco ISE to communicate with network devices, you must add device definitions of the network
devices in Cisco ISE. Import device definitions of network devices into Cisco ISE through the Network
Devices window (from the main menu, choose Administration > Network Resources > Network Devices).
Import a list of device definitions into a Cisco ISE node using a comma-separated value (CSV) file. A
CSV template file is available when you click Import in the Network Devices window. Download this
file, enter the required device definitions, and then upload the edited file through the Import window.
You cannot execute multiple imports of the same resource type at the same time. For example, you cannot
concurrently import network devices from two different import files.
When you import a CSV file of device definitions, you can either create new records or update existing
records by clicking the Overwrite Existing Data with New Data option.
Import templates may vary between Cisco ISE releases. Do not import CSV files of network devices that were
exported from a different Cisco ISE release. Enter the details of the network devices in the CSV template
file for your release, and import this file into Cisco ISE.
The Execute Network Device Command Diagnostic Tool
The Execute Network Device Command diagnostic tool allows you to run a show command on any network device.
The results that are displayed are the same as what you would see on a console. The tool enables you to identify problems,
if any, in a device configuration.
Use this tool to validate the configuration of any network device, or to find out how a network device is configured.
To access and use the Execute Network Device Command diagnostic tool:
1. In the Cisco ISE GUI, click the Menu icon and choose either Operations > Troubleshoot > Diagnostic
Tools > Execute Network Device Command, or Work Centers > Profiler > Troubleshoot > Execute Network
Device Command.
2. In the Execute Network Device Command window that is displayed, enter the IP address of the network
device and the show command that you want to run in the corresponding fields.
3. Click Run.

Third-Party Network Device Support in Cisco ISE


Cisco ISE supports third-party network access devices (NADs) by using network device profiles. A NAD profile
defines the capabilities of a third-party device with a simplified policy configuration, regardless of the vendor-side
implementation. A network device profile contains the following:
• The protocols that the network device supports, such as RADIUS, TACACS+, and Cisco TrustSec. You
can import into Cisco ISE any vendor-specific RADIUS dictionaries that exist for the network device.
• The attributes and values that the device uses for various authentication flows such as Wired MAB and
802.1X. These attributes and values allow Cisco ISE to detect the right authentication flow for your
device according to the attributes that the network device uses.
• The Change of Authorization (CoA) capabilities of the network device. While the RADIUS protocol
RFC 5176 defines a CoA request, the attributes used in a CoA request vary depending on the network
device. Most non-Cisco devices with RFC 5176 support the Push and Disconnect functions. For devices
that do not support the RADIUS CoA type, Cisco ISE also supports SNMP CoA.
• The attributes and protocols that the network device uses for MAB flows. Network devices from different
vendors perform MAB authentication differently.
• The VLAN and ACL permissions that are used by the device. When you save the profile, Cisco ISE
automatically generates authorization profiles for each configured permission.
• URL redirection technique information. URL redirection is necessary for advanced flows such as Bring
Your Own Device (BYOD), guest access, and posture services. Two types of URL redirections are found
on a network device—static and dynamic. For static URL redirection, you can copy and paste the Cisco
ISE portal URL into the configuration. For dynamic URL redirection, Cisco ISE uses a RADIUS attribute
to tell the network device where to redirect to.
If the network device supports neither dynamic nor static URL redirect, Cisco ISE provides an Auth VLAN
configuration by which URL redirect is simulated. The Auth VLAN configuration is based on DHCP and DNS services
running in Cisco ISE.

After you have defined your network devices in Cisco ISE, configure these device profiles or use the preconfigured
device profiles that are offered by Cisco ISE to define the capabilities that Cisco ISE uses to enable basic
authentication flows, and advanced flows such as Profiler, Guest, BYOD, MAB, and Posture.
URL Redirect Mechanism and Auth VLAN

When a third-party device is used in the network and the device does not support dynamic or static URL
redirect, Cisco ISE simulates the URL redirect flow. The URL redirect simulation flow for such devices is
operated by running a DHCP or DNS service on Cisco ISE.
The following is an example of an Auth VLAN flow:
1. A guest endpoint connects to the NAD.
2. The network device sends the RADIUS or MAB request to Cisco ISE.
3. Cisco ISE runs the configured authentication and authorization policy and stores the user accounting
information.
4. Cisco ISE sends the RADIUS access accept message that contains the Auth VLAN ID.
5. The guest endpoint receives network access.
6. The endpoint broadcasts a DHCP request, and obtains a client IP address and the Cisco ISE DNS sink
hole IP address from the Cisco ISE DHCP service.
7. The guest endpoint opens a browser that sends a DNS query and receives the Cisco ISE IP address.
8. The endpoint HTTP and HTTPS requests are directed to Cisco ISE.
9. Cisco ISE responds with an HTTP 301 Moved message with a guest portal URL. The endpoint browser
redirects to the guest portal window.
10. The guest endpoint user logs in for authentication.
11. Cisco ISE validates endpoint compliance and then responds to the NAD. Cisco ISE sends the CoA,
authorizes the endpoint, and bypasses the sink hole.
12. The guest user receives the appropriate access based on the CoA, and the endpoint receives an IP
address from an enterprise DHCP. The guest user can now use the network.
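The sink hole and redirect at steps 6 through 9 of the flow above, as an added example that is not Cisco ISE code: a small stand-alone model of a DNS sink hole that answers every A query with the Cisco ISE address, and of the HTTP 301 that sends the browser to the guest portal. The ISE address and the portal URL are constructed values for the example; the DHCP hand-out in step 6 and the CoA in step 11 are not modelled.

```python
import socket
import struct

# Constructed values for this example (not from the page): the Cisco ISE node that
# serves DNS on the Auth VLAN, and the guest portal it redirects browsers to.
ISE_IP = "192.0.2.10"
PORTAL_URL = "https://ise.example.test:8443/portal/guest"


def build_dns_query(qname: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a single-question DNS query (qtype 1 = A), as a browser would send it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def _parse_question(packet: bytes):
    """Return (txid, qname, qtype, offset just past the question section)."""
    txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while packet[pos] != 0:
        length = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    pos += 1                                     # terminating zero-length label
    qtype = struct.unpack("!H", packet[pos:pos + 2])[0]
    return txid, ".".join(labels), qtype, pos + 4


def sinkhole_response(query: bytes, sink_ip: str = ISE_IP, ttl: int = 30) -> bytes:
    """Answer any A query with sink_ip, whatever name was asked for.

    This is the sink hole: while the endpoint is in the Auth VLAN every hostname
    resolves to Cisco ISE, so its first HTTP request lands on ISE (step 8).
    Non-A queries get an empty answer. The short TTL limits how long the endpoint
    keeps the sink hole answer after the CoA moves it to its real VLAN.
    """
    txid, _qname, qtype, qend = _parse_question(query)
    ancount = 1 if qtype == 1 else 0
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, ancount, 0, 0)   # QR, RD, RA set
    answer = b""
    if ancount:
        # 0xC00C is a compression pointer to the name in the question at offset 12
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(sink_ip)
    return header + query[12:qend] + answer


def answered_ip(response: bytes):
    """Extract the A record address from a sinkhole_response() message, or None."""
    _txid, _qname, _qtype, qend = _parse_question(response)
    if struct.unpack("!H", response[6:8])[0] == 0:
        return None
    # skip name pointer (2), type (2), class (2), ttl (4), rdlength (2)
    return socket.inet_ntoa(response[qend + 12:qend + 16])


def portal_redirect(request_line: str, portal_url: str = PORTAL_URL) -> str:
    """Build the HTTP 301 Moved response of step 9 for an incoming request line."""
    method, _target, _version = request_line.split()
    if method not in ("GET", "HEAD"):
        return "HTTP/1.1 405 Method Not Allowed\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"
    return (
        "HTTP/1.1 301 Moved Permanently\r\n"
        f"Location: {portal_url}\r\n"
        "Content-Length: 0\r\nConnection: close\r\n\r\n"
    )


if __name__ == "__main__":
    reply = sinkhole_response(build_dns_query("www.example.com"))
    print("www.example.com ->", answered_ip(reply))           # the ISE address, not the real one
    print(portal_redirect("GET /index.html HTTP/1.1").splitlines()[:2])
```

Because every name resolves to the sink hole, the Auth VLAN must stay isolated from the corporate network (as the text below notes); an endpoint that kept this DNS answer after leaving the VLAN would simply fail to resolve, which is why the TTL is kept short.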

You can separate the Auth VLAN from the corporate network to prevent unauthorized network access by a
guest endpoint before the endpoint passes authentication. Configure the Auth VLAN IP helper to point to the
Cisco ISE machine, or connect one of the Cisco ISE network interfaces to the Auth VLAN.
Multiple VLANs may be connected to one network interface card by configuring a VLAN IP helper in the
NAD configuration. For instructions on configuring an IP helper, see the administration guide for the
network device. For guest access flows that include VLANs with IP helpers, define a guest portal, and select
that portal in an authorization profile that is bound to MAB authorization.
The following diagram displays a basic network setup when an Auth VLAN is defined (the Auth VLAN is
connected directly to a Cisco ISE node).
The following diagram displays a network with Auth VLAN and an IP helper.
CoA Types
Cisco ISE supports both RADIUS and SNMP CoA types. RADIUS or SNMP CoA type support is required for the NAD to
work in complex flows, while it is not mandatory for basic flows.
Define the RADIUS and SNMP settings that the network device supports when you configure the NAD in Cisco ISE. Indicate the
CoA type to be used for a specific flow when configuring the NAD profile. Check with your third-party supplier to verify which
CoA type your NAD supports before creating the device profile and NAD profile in Cisco ISE.

Network Device Profiles


Cisco ISE supports some third-party NADs by using network device profiles. These profiles define the capabilities that Cisco ISE
uses to enable basic flows, and advanced flows such as Guest, BYOD, MAB, and Posture.
Cisco ISE includes predefined profiles for network devices from several vendors. Cisco ISE 2.1 and later releases have been tested
with the network devices listed in the following table.

Columns: Device Type; Vendor; CoA Type; URL Redirect Type; Supported or Validated Use Cases (802.1X and MAB
Flows; Profiler without CoA; Profiler with CoA; Posture Flows; Guest and BYOD).

Wireless
• Aruba 7000, InstantAP: RADIUS CoA; Static URL redirect; all five use cases validated (Yes).
• Motorola RFS 4000: RADIUS CoA; Dynamic URL redirect; all five use cases validated (Yes).
• HP 830: RADIUS CoA; Static URL redirect; all five use cases validated (Yes).
• Ruckus ZD 1200: RADIUS CoA; no URL redirect type listed; all five use cases validated (Yes).

Wired
• HP A5500: RADIUS CoA; Auth VLAN provided by ISE; all five use cases validated (Yes).
• HP 3800 and 2920 (ProCurve): RADIUS CoA; Auth VLAN provided by ISE; all five use cases validated (Yes).
• Alcatel 6850: SNMP CoA; Dynamic URL redirect; all five use cases validated (Yes).
• Brocade ICX 6610: RADIUS CoA; Auth VLAN provided by ISE; all five use cases validated (Yes).
• Juniper EX3300-24p: RADIUS CoA; Auth VLAN provided by ISE; all five use cases validated (Yes).

Other third-party NADs
• You must identify the device properties and capabilities, and create custom NAD profiles in Cisco ISE.
  802.1X and MAB flows: Yes. Profiler without CoA: Yes. Profiler with CoA: requires CoA support.
  Posture flows: requires CoA support. Guest and BYOD: if a wired device does not support URL redirect,
  Cisco ISE uses Auth VLAN; wireless devices have not been tested with Auth VLAN.
You must create custom NAD profiles for other third-party network devices that do not have a predefined profile. For
advanced workflows such as Guest, BYOD, and Posture, the network device must support the RADIUS protocol RFC
5176, which pertains to CoA support for these flows. See the device's administration guide for information on the
attributes that are required to create network device profiles in Cisco ISE.

Import Network Device Profiles into Cisco ISE


Import one or more network device profiles into Cisco ISE using a single XML file with the Cisco ISE
XML structure. You cannot concurrently import network device profiles from multiple import files.
Typically, you must first export an existing profile from the Cisco ISE administrator portal to use as a template. Enter
your device profile details in the file, and save it as an XML file. Then, import the edited file back into Cisco ISE.
To work with multiple network device profiles, export multiple profiles that are structured together as a single XML
file, edit the file, and then import the profiles together to create multiple profiles in Cisco ISE.
When you import network device profiles, you can only create new records. You cannot overwrite an existing profile.
To update an existing network device profile, export the existing profile from Cisco ISE, delete the profile from Cisco
ISE, and then import the profile after you edit it accordingly.

Manage Network Device Groups

The following windows enable you to configure and manage network device groups.

Network Device Group Settings

The following table describes the fields in the Network Device Groups window that you use to create network device
groups. To view this window, click the Menu icon and choose Administration > Network Resources >
Network Device Groups > All Groups.
You can also create network device groups in the Work Centers > Device Administration > Network Resources >
Network Device Groups > All Groups window.

Field Name / Usage Guidelines

Name
    Enter a name for the root network device group. For all subsequent child network device groups added to
    this root network device group, enter the name of this newly created network device group.
    You can have a maximum of six nodes in a network device group hierarchy, including the root node. Each
    network device group name can have a maximum of 32 characters.

Description
    Enter a description for the root or the child network device group.

No. of Network Devices
    The number of network devices in the network device group is displayed in this column.

Network Device Group Import Settings
The following table describes the fields in the Import dialog box in the Network Device Groups window. To view this
window, click the Menu icon and choose Administration > Network Resources > Network Device Groups.

Field Name / Usage Guidelines

Generate a Template
    Click this link to download a CSV template file. Update the template with network device group information
    in the same format. Save the template locally to import the network device groups into any Cisco ISE
    deployment.

File
    Click Choose File and navigate to the location of the CSV file that you want to upload. The file may be new
    or a file that was exported from another Cisco ISE deployment. You can import network device groups from
    one Cisco ISE deployment to another, with new and updated network device group information.

Overwrite Existing Data with New Data
    Check this check box if you want to replace the existing network device groups with the device groups in
    your import file. If you do not check this check box, only the new network device groups in the import file
    are added to the network device group repository. Duplicate entries are ignored.

Stop Import on First Error
    Check this check box to discontinue the import at the first error that is encountered during the import.
    If this check box is not checked and an error is encountered, Cisco ISE reports the error and continues
    importing the rest of the device groups.

Network Device Groups


Cisco ISE allows you to create hierarchical network device groups. Use network device groups to
logically group network devices based on various criteria, such as geographic location, device type, or its
relative place in the network (such as Access Layer or Data Center).
To view the Network Device Groups window, click the Menu icon and choose Administration > Network
Resources > Network Device Groups.
For example, to organize your network devices based on geographic location, group them by continent,
region, or country:
• Africa > Southern > Namibia
• Africa > Southern > South Africa
• Africa > Southern > Botswana

Group the network devices based on the device type:


• Africa > Southern > Botswana > Firewalls
• Africa > Southern > Botswana > Routers
• Africa > Southern > Botswana > Switches
Assign network devices to one or more hierarchical network device groups. When Cisco ISE processes the ordered
list of configured network device groups to determine the appropriate group to assign to a particular device, it may
find that the same device profile applies to multiple device groups. In this case, Cisco ISE applies the first device
group that is matched.
There is no limit on the maximum number of network device groups that you can create. You can create up to six
levels of hierarchy (including the parent group) for the network device groups.
The device group hierarchy is displayed in two views, Tree Table and Flat Table. Click Tree Table or Flat Table
above the list of network device groups to organize the list into the corresponding view.
In the Tree Table view, the root node appears at the top of the tree followed by the child groups in hierarchical order.
Click Expand All to view all the device groups in each root group. Click Collapse All to view a list of only the
root groups.
In the Flat Table view, the hierarchy of each device group is displayed in the Group Hierarchy column.
In both views, the number of network devices that are assigned to each child group is displayed in the
corresponding No. of Network Devices column. Click the number to launch a dialog box that lists all the network
devices that are assigned to that device group. The dialog box that is displayed also contains two buttons to move
network devices from one group to another. Click Move Devices to Another Group to move network devices from
the current group to another. Click Add Devices to Group to move a network device into the chosen network
device group.
To add a network device group in the Network Device Groups window, click Add. In the Parent Group drop-
down list, choose the parent group to which the network device group must be added, or choose the Add As Root
Group option to add the new network device group as the parent group.

Root Network Device Groups


Cisco ISE includes two predefined root network device groups, All Device Types and All Locations. You cannot
edit, duplicate, or delete these predefined network device groups, but you can add new device groups under them.
You can create a root network device group, and then create child network device groups under the root group
in the Network Device Groups window, as described earlier.

Network Device Attributes Used by Cisco ISE in Policy Evaluation


When you create a new network device group, a new network device attribute is added to the Device dictionary in System
Dictionaries (Policy > Policy Elements > Dictionaries). The added device attributes are then used in policy
definitions.
Cisco ISE allows you to configure authentication and authorization policies using Device dictionary attributes such as the
device type, location, model name, or software version that is running on the network device.

Import Network Device Groups into Cisco ISE


You can import network device groups into a Cisco ISE node using a comma-separated value (CSV) file. Note that you
cannot concurrently import network device groups from two different import files.
Download a CSV template from the Cisco ISE administrator portal. Enter your network device group details in the
template, save the template as a CSV file, and then import the edited file into Cisco ISE.
When importing device groups, you can create new records or update existing records. When you import device
groups, you can also define whether you want Cisco ISE to overwrite the existing device groups with the new groups or
stop the import process when Cisco ISE encounters the first error.
Import Templates in Cisco ISE
Cisco ISE allows you to import a large number of network devices and network device groups using CSV files. The
template contains a header row that defines the format of the fields. You must not edit this header row except to add
columns mentioned in the table below.
Use the Generate a Template link in the relevant import flow for network devices and network device groups to
download a CSV file to your local system.

Network Devices Import Template Format

The following table lists and describes the fields in the header of the network device import CSV template file.

Field / Usage Guidelines

Name:String(32)
    Enter a name for the network device. The name must be an alphanumeric string with a maximum of
    32 characters.

Description:String(256)
    (Optional) Enter a description for the network device with a maximum of 256 characters.

IP Address:Subnets(a.b.c.d/m|...)
    Enter the IP address and subnet mask of the network device. You can enter more than one value
    separated by a pipe (|) symbol.
    IPv4 and IPv6 addresses are supported for network device (TACACS and RADIUS) configurations
    and for external RADIUS server configurations.
    When you enter an IPv4 address, you can use ranges and subnet masks. Ranges are not supported
    for IPv6.

Model Name:String(32)
    Enter the network device's model name with a maximum of 32 characters.

Software Version:String(32)
    Enter the network device's software version with a maximum of 32 characters.

Network Device Groups:String(100)
    Enter the names of existing network device groups. If it is a subgroup, it must include both the
    parent and subgroup, separated by a space. The string must be a maximum of 100 characters, for
    example, Location>All Location>US.

Authentication:Protocol:String(6)
    Enter the authentication protocol that you want to use. The only valid value is RADIUS (not
    case-sensitive).

Authentication:Shared Secret:String(128)
    (Required only if you enter a value in the Authentication:Protocol:String(6) field) Enter a string
    with a maximum of 128 characters.

PasswordEncrypted:Boolean(true|false)
    No field value is required for this column.
    If you are importing network devices from Cisco ISE Release 3.3 Patch 1 or earlier releases, you
    must add a new column with this header to the right of the Authentication:Shared Secret:String(128)
    column, before import. If this column is not added, an error message is displayed, and you will not
    be able to import the file.
    Network devices with encrypted passwords are rejected if a valid key to decrypt the password is not
    provided during import.

EnableKeyWrap:Boolean(true|false)
    This field is enabled only if KeyWrap is supported in the network device. Enter true or false.

EncryptionKey:String(ascii:16|hexa:32)
    (Required if you enable KeyWrap) Enter the encryption key that is used for session encryption.
    ASCII values: 16 characters (bytes) long. Hexadecimal values: 32 characters (bytes) long.

AuthenticationKey:String(ascii:20|hexa:40)
    (Required if you enable KeyWrap) Enter the key for the keyed Hashed Message Authentication Code
    (HMAC) calculation over RADIUS messages.
    ASCII values: 20 characters (bytes) long. Hexadecimal values: 40 characters (bytes) long.

InputFormat:String(32)
    Enter the input format of the encryption and authentication keys. ASCII and hexadecimal values
    are accepted.

SNMP:Version:Enumeration(|2c|3)
    Enter the version of the SNMP protocol that the profiler service must use: 1, 2c, or 3.

SNMP:RO Community:String(32)
    (Required if you enter a value in the SNMP:Version:Enumeration(|2c|3) field) Enter a string for
    the Read Only community with a maximum of 32 characters.

SNMP:RW Community:String(32)
    (Required if you enter a value in the SNMP:Version:Enumeration(|2c|3) field) Enter a string for
    the Read Write community with a maximum of 32 characters.

SNMP:Username:String(32)
    Enter a string with a maximum of 32 characters.

SNMP:Security Level:Enumeration(Auth|No Auth|Priv)
    (Required if you enter SNMP version 3 in the SNMP:Version:Enumeration(|2c|3) field) Enter Auth,
    No Auth, or Priv.

SNMP:Authentication Protocol:Enumeration(MD5|SHA)
    (Required if you have entered Auth or Priv for the SNMP security level) Enter MD5 or SHA.

SNMP:Authentication Password:String(32)
    (Required if you have entered Auth in the SNMP:Security Level:Enumeration(Auth|No Auth|Priv) field)
    Enter a string with a maximum of 32 characters.

SNMP:Privacy Protocol:Enumeration(DES|AES128|AES192|AES256|3DES)
    (Required if you have entered Priv in the SNMP:Security Level:Enumeration(Auth|No Auth|Priv) field)
    Enter DES, AES128, AES192, AES256, or 3DES.

SNMP:Privacy Password:String(32)
    (Required if you have entered Priv in the SNMP:Security Level:Enumeration(Auth|No Auth|Priv) field)
    Enter a string with a maximum of 32 characters.

SNMP:Polling Interval:Integer:600-86400 seconds
    Enter the SNMP polling interval, in seconds. A valid value is an integer from 600 to 86400.

SNMP:Is Link Trap Query:Boolean(true|false)
    Enable or disable the SNMP link trap by entering true or false.

SNMP:Is MAC Trap Query:Boolean(true|false)
    Enable or disable the SNMP MAC trap by entering true or false.

SNMP:Originating Policy Services Node:String(32)
    Indicate which Cisco ISE server must be used to poll for SNMP data. It is automatic by default, but
    you can override the setting by assigning a different value in this field.

Trustsec:Device Id:String(32)
    Enter a Cisco TrustSec device ID, which is a string with a maximum of 32 characters.

Trustsec:Device Password:String(256)
    (Required if you have entered a Cisco TrustSec device ID) Enter a Cisco TrustSec device password,
    which is a string with a maximum of 256 characters.

Trustsec:Environment Data Download Interval:Integer:1-2147040000 seconds
    Enter the Cisco TrustSec environment data download interval. A valid value is an integer from 1 to
    2147040000.

Trustsec:Peer Authorization Policy Download Interval:Integer:1-2147040000 seconds
    Enter the Cisco TrustSec peer authorization policy download interval. A valid value is an integer
    from 1 to 2147040000.

Trustsec:Reauthentication Interval:Integer:1-2147040000 seconds
    Enter the Cisco TrustSec reauthentication interval. A valid value is an integer from 1 to 2147040000.

Trustsec:SGACL List Download Interval:Integer:1-2147040000 seconds
    Enter the Cisco TrustSec security group ACL list download interval. A valid value is an integer from
    1 to 2147040000.

Trustsec:Is Other Trustsec Devices Trusted:Boolean(true|false)
    Indicate whether a Cisco TrustSec device is trusted by entering true or false.

Trustsec:Notify this device about Trustsec configuration changes:String(ENABLE_ALL|DISABLE_ALL)
    Notify the Cisco TrustSec device of Cisco TrustSec configuration changes by entering ENABLE_ALL or
    DISABLE_ALL.

Trustsec:Include this device when deploying Security Group Tag Mapping Updates:Boolean(true|false)
    Indicate whether the Cisco TrustSec device is included in security group tag mapping updates by
    entering true or false.

Deployment:Execution Mode Username:String(32)
    Enter the user name that has privileges to edit the network device configuration. It is a string
    with a maximum of 32 characters.

Deployment:Execution Mode Password:String(32)
    Enter the device password, which is a string with a maximum of 32 characters.

Deployment:Enable Mode Password:String(32)
    Enter the password of the device that allows you to edit its configuration. It is a string with a
    maximum of 32 characters.

Trustsec:PAC issue date:Date
    Enter the issue date of the last Cisco TrustSec PAC that was generated by Cisco ISE for the Cisco
    TrustSec device.

Trustsec:PAC expiration date:Date
    Enter the expiration date of the last Cisco TrustSec PAC that was generated by Cisco ISE for the
    Cisco TrustSec device.

Trustsec:PAC issued by:String
    Enter the name of the issuer (a Cisco TrustSec administrator) of the last Cisco TrustSec PAC that
    was generated by Cisco ISE for the Cisco TrustSec device. It must be a string value.
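A pre-import check for the network device template above, as an added example that is not Cisco ISE code: it builds rows under the column names from the table, writes them as CSV, reads the file back and reports every rule the table states that a row breaks (alphanumeric 32-character name, address/mask entries separated by a pipe, RADIUS as the only protocol with its shared secret, KeyWrap key lengths by input format, and the SNMP version, security level and polling interval dependencies). The column subset and its order, the literal InputFormat tokens ascii and hexadecimal, and the two sample devices are assumptions constructed for the example; the real header row must come from Generate a Template.

```python
import csv
import io
import ipaddress

# Column headers taken from the field names in the table above. The real header row
# comes from Generate a Template; this subset and its order are an assumption made
# for the example, not the template Cisco ISE produces.
HEADERS = [
    "Name:String(32)", "IP Address:Subnets(a.b.c.d/m|...)",
    "Authentication:Protocol:String(6)", "Authentication:Shared Secret:String(128)",
    "PasswordEncrypted:Boolean(true|false)", "EnableKeyWrap:Boolean(true|false)",
    "EncryptionKey:String(ascii:16|hexa:32)", "AuthenticationKey:String(ascii:20|hexa:40)",
    "InputFormat:String(32)", "SNMP:Version:Enumeration(|2c|3)", "SNMP:RO Community:String(32)",
    "SNMP:Security Level:Enumeration(Auth|No Auth|Priv)",
    "SNMP:Authentication Protocol:Enumeration(MD5|SHA)", "SNMP:Authentication Password:String(32)",
    "SNMP:Privacy Protocol:Enumeration(DES|AES128|AES192|AES256|3DES)", "SNMP:Privacy Password:String(32)",
    "SNMP:Polling Interval:Integer:600-86400 seconds",
]
# (EncryptionKey, AuthenticationKey) lengths per InputFormat; the format tokens are an assumption.
KEY_LENGTHS = {"ascii": (16, 20), "hexadecimal": (32, 40)}


def cell(row, prefix):
    """Look a value up by the start of its header, so the type suffix need not be repeated."""
    return next((v.strip() for h, v in row.items() if h.startswith(prefix)), "")


def make_row(values):
    """Build a full template row from {header prefix: value}; unlisted columns stay empty."""
    return {h: next((v for p, v in values.items() if h.startswith(p)), "") for h in HEADERS}


def validate_row(row):
    """Return the rule violations in one row; an empty list means the row is importable."""
    errors = []
    name = cell(row, "Name:")
    if not (name.isalnum() and len(name) <= 32):
        errors.append("Name must be alphanumeric, 1 to 32 characters")
    for entry in filter(None, cell(row, "IP Address:").split("|")):
        try:
            ipaddress.ip_network(entry, strict=False)   # only address/mask entries pass; IPv4 ranges are not modelled
        except ValueError:
            errors.append(f"IP Address entry is not in address/mask form: {entry}")
    proto = cell(row, "Authentication:Protocol:")
    if proto:
        if proto.upper() != "RADIUS":
            errors.append("Authentication:Protocol must be RADIUS")
        if not 1 <= len(cell(row, "Authentication:Shared Secret:")) <= 128:
            errors.append("Authentication:Shared Secret (1 to 128 characters) is required with a protocol")
    if cell(row, "EnableKeyWrap:").lower() == "true":
        fmt = cell(row, "InputFormat:").lower()
        if fmt not in KEY_LENGTHS:
            errors.append("InputFormat must be ascii or hexadecimal when KeyWrap is enabled")
        else:
            for col, want in zip(("EncryptionKey:", "AuthenticationKey:"), KEY_LENGTHS[fmt]):
                if len(cell(row, col)) != want:
                    errors.append(f"{col.rstrip(':')} must be exactly {want} {fmt} characters")
    version = cell(row, "SNMP:Version:")
    if version:
        if version not in ("1", "2c", "3"):
            errors.append("SNMP:Version must be 1, 2c, or 3")
        if not cell(row, "SNMP:RO Community:"):
            errors.append("SNMP:RO Community is required when SNMP:Version is set")
        level = cell(row, "SNMP:Security Level:")
        if version == "3" and level not in ("Auth", "No Auth", "Priv"):
            errors.append("SNMP:Security Level must be Auth, No Auth, or Priv for SNMP v3")
        if level in ("Auth", "Priv"):
            if cell(row, "SNMP:Authentication Protocol:") not in ("MD5", "SHA"):
                errors.append("SNMP:Authentication Protocol must be MD5 or SHA")
            if not 1 <= len(cell(row, "SNMP:Authentication Password:")) <= 32:
                errors.append("SNMP:Authentication Password (1 to 32 characters) is required")
        if level == "Priv":
            if cell(row, "SNMP:Privacy Protocol:") not in ("DES", "AES128", "AES192", "AES256", "3DES"):
                errors.append("SNMP:Privacy Protocol must be DES, AES128, AES192, AES256, or 3DES")
            if not 1 <= len(cell(row, "SNMP:Privacy Password:")) <= 32:
                errors.append("SNMP:Privacy Password (1 to 32 characters) is required")
        interval = cell(row, "SNMP:Polling Interval:")
        if interval and not (interval.isdigit() and 600 <= int(interval) <= 86400):
            errors.append("SNMP:Polling Interval must be an integer from 600 to 86400")
    return errors


def check_csv(text):
    """Parse template-format CSV text and return [(device name, [errors]), ...] in file order."""
    return [(r[HEADERS[0]], validate_row(r)) for r in csv.DictReader(io.StringIO(text))]


# Constructed sample rows: one importable device and one that breaks several rules.
GOOD = make_row({"Name:": "AccessSwitch01", "IP Address:": "192.0.2.0/24|2001:db8::1/128",
                 "Authentication:Protocol:": "radius", "Authentication:Shared Secret:": "constructed-secret",
                 "SNMP:Version:": "2c", "SNMP:RO Community:": "ro-sample", "SNMP:Polling Interval:": "3600"})
BAD = make_row({"Name:": "core switch with an overly long name", "IP Address:": "10.0.0.0/8|not-an-ip",
                "Authentication:Protocol:": "TACACS", "EnableKeyWrap:": "true", "InputFormat:": "ascii",
                "EncryptionKey:": "tooshort", "AuthenticationKey:": "abcdefghijklmnopqrst",
                "SNMP:Version:": "3", "SNMP:Security Level:": "Priv", "SNMP:Authentication Protocol:": "SHA",
                "SNMP:Authentication Password:": "authpass", "SNMP:Privacy Protocol:": "RC4",
                "SNMP:Polling Interval:": "60"})
# None of the sample values contains a comma, so a plain join produces valid CSV.
SAMPLE_CSV = "\n".join([",".join(HEADERS)] + [",".join(r[h] for h in HEADERS) for r in (GOOD, BAD)]) + "\n"
```

Running check_csv on a file before uploading it is most useful when Stop Import on First Error is set, since Cisco ISE otherwise imports only the rows that precede the first bad one; the shared secret and SNMP passwords in the sample are placeholders, and a real file with those columns filled in should be handled like any other credential store.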
Network Device Groups Import Template Format
The following table lists the fields in the template header and describes the fields in the network device group
CSV file.

Field / Description

Name:String(100)
    (Required) This field is the network device group name. It is a string with a maximum of 100 characters.
    The full name of an NDG can have a maximum of 100 characters. For example, if you create a subgroup
    India under the parent groups Global > Asia, then the full name of the NDG that you create would be
    Global#Asia#India. If the full name of the NDG exceeds 100 characters, the NDG creation fails.

Description:String(1024)
    (Optional) This field is a string with a maximum of 1024 characters.

Type:String(64)
    (Required) This field is the network device group type. It is a string with a maximum of 64 characters.

Is Root:Boolean(true|false)
    (Required) This field determines whether the specific network device group is a root group. Valid values
    are true and false.
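The hierarchy rules from the Network Device Groups section above (six levels including the root, 32 characters per group name) and the Name:String(100) full-name rule of this template, as an added example that is not Cisco ISE code: a validator that walks template rows in file order, rejects rows that break a limit or name a parent that does not yet exist, and renders the accepted groups as the Tree Table view. The sample rows are constructed; treating Is Root as true exactly for a one-segment name, requiring parents to precede their children in the file, and seeding the two predefined root groups are assumptions made for the example.

```python
import csv
import io

MAX_DEPTH = 6          # six nodes per hierarchy, root included
MAX_FULL_NAME = 100    # Name:String(100) holds the full "#"-joined path
MAX_SEGMENT = 32       # each individual group name is limited to 32 characters
MAX_TYPE = 64          # Type:String(64)
PREDEFINED_ROOTS = {"All Device Types", "All Locations"}   # shipped with Cisco ISE; assumed to pre-exist


def validate_group(full_name, group_type, is_root, known):
    """Check one template row against the limits above; `known` holds accepted full names."""
    errors, parts = [], full_name.split("#")
    if len(full_name) > MAX_FULL_NAME:
        errors.append(f"full name longer than {MAX_FULL_NAME} characters")
    if any(not p or len(p) > MAX_SEGMENT for p in parts):
        errors.append(f"each group name must be 1 to {MAX_SEGMENT} characters")
    if len(parts) > MAX_DEPTH:
        errors.append(f"hierarchy deeper than {MAX_DEPTH} levels")
    if not 1 <= len(group_type) <= MAX_TYPE:
        errors.append(f"Type must be 1 to {MAX_TYPE} characters")
    if is_root != (len(parts) == 1):   # assumption: a root group is exactly a one-segment name
        errors.append("Is Root must be true for a top-level name and false for a subgroup")
    if len(parts) > 1 and "#".join(parts[:-1]) not in known:
        errors.append("parent group does not exist (parents must come first in the file)")
    if full_name in known:
        errors.append("duplicate group")
    return errors


def load_groups(csv_text):
    """Walk the rows in file order; return (accepted full names, {rejected name: errors})."""
    accepted, rejected = sorted(PREDEFINED_ROOTS), {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["Name:String(100)"].strip()
        is_root = row["Is Root:Boolean(true|false)"].strip().lower() == "true"
        problems = validate_group(name, row["Type:String(64)"].strip(), is_root, set(accepted))
        if problems:
            rejected[name] = problems
        else:
            accepted.append(name)
    return accepted, rejected


def tree_table(full_names):
    """Render the Tree Table view: one line per group, indented by its depth below the root."""
    lines = []
    # sorting by the list of segments keeps every parent directly before its children
    for name in sorted(full_names, key=lambda n: n.split("#")):
        parts = name.split("#")
        lines.append("  " * (len(parts) - 1) + parts[-1])
    return lines


# Constructed sample file in the template layout above (not a Cisco ISE export).
SAMPLE_CSV = """Name:String(100),Description:String(1024),Type:String(64),Is Root:Boolean(true|false)
Global,Corporate root,Location,true
Global#Asia,,Location,false
Global#Asia#India,,Location,false
All Locations#EMEA,Under a predefined root,Location,false
Global#Asia#India#South#Bengaluru#Campus#Building7,Too deep,Location,false
Orphan#Child,Parent never defined,Location,false
ThisRootNameHasMoreThanThirtyTwoCharacters,Segment too long,Location,true
"""

if __name__ == "__main__":
    ok, bad = load_groups(SAMPLE_CSV)
    print("\n".join(tree_table(ok)))
    for name, problems in bad.items():
        print(f"rejected {name}: {'; '.join(problems)}")
```

The parent-first requirement mirrors what the import itself needs: a subgroup row carries its whole ancestry in Name, so a file that lists India before Asia cannot be imported in one pass, and with Stop Import on First Error unchecked the orphan row is simply skipped.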

IPsec Security to Secure Communication Between Cisco ISE and NAD

IPsec is a set of protocols that provides security to IP. The RADIUS and TACACS+ protocols use the MD5 hashing
algorithm. For greater security, Cisco ISE offers the IPsec feature. IPsec provides secure communication by authenticating
the sender, detecting any changes in data during transmission, and encrypting the data that is sent.
Cisco ISE supports IPsec in tunnel and transport modes. When you enable IPsec on a Cisco ISE interface and configure
the peers, an IPsec tunnel is created between Cisco ISE and the NAD to secure the communication.
You can define a pre-shared key or use X.509 certificates for IPsec authentication. IPsec can be enabled on Gigabit
Ethernet 1 through Gigabit Ethernet 5 interfaces. You can configure IPsec on only one Cisco ISE interface per PSN.
