| Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is particularly important protection against the insider threat. With robust centralized management, audit records for administrator account access to the organization's network devices can be more readily analyzed for trends and anomalies. The alternative method of defining administrator accounts on each device exposes the device configuration to remote access authentication attacks and system administrators with multiple authenticators for each network device.
Cisco ISE can connect with external identity sources such as Active Directory, LDAP, RADIUS Token, and RSA SecurID servers to obtain user information for authentication and authorization. External identity sources also include certificate authentication profiles that you need for certificate-based authentications.
Configure external authentication to a central AAA identity source.
For accounts that you define in the external identity, you must create a password policy for the external administrator account stores. You can then apply this policy to the external administrator groups that eventually become a part of the external administrator RBAC policy. In addition to providing authentication via an external identity store, your network may also require you to use a Common Access Card (CAC) authentication device.
To configure external authentication, you must:
- Configure password-based authentication using an external identity store.
- Create an external administrator group.
- Configure menu access and data access permissions for the external administrator group.
- Create an RBAC policy for external administrator authentication. |