Authentication and Policy Servers

Version:

Location in GUI: System » Settings » External Services » Authentication and Policy Servers

Diagram

Classes

system_settings (catalyst_center)

Name	Type	Constraint	Mandatory	Default Value
authentication_and_policy_servers	Class	`[authentication_and_policy_servers]`	No

authentication_and_policy_servers (catalyst_center.system_settings)

Name	Type	Constraint	Mandatory	Default Value
ise	Class	`[ise]`	No
aaa	List	`[aaa]`	No

ise (catalyst_center.system_settings.authentication_and_policy_servers)

Name	Type	Constraint	Mandatory
ip_address	IP		Yes
shared_secret	String		Yes
username	String		Yes
password	String		Yes
fqdn	String		Yes
pxgrid_enabled	Boolean	`true`, `false`	No
use_catc_cert_for_pxgrid	Boolean	`true`, `false`	No
retries	Integer	min: `1`, max: `3`	Yes
timeout	Integer	min: `2`, max: `20`	Yes
protocols	Class	`[protocols]`	No

aaa (catalyst_center.system_settings.authentication_and_policy_servers)

Name	Type	Constraint	Mandatory
ip_address	IP		Yes
shared_secret	String		Yes
retries	Integer	min: `1`, max: `3`	Yes
timeout	Integer	min: `2`, max: `20`	Yes
protocols	Class	`[protocols]`	Yes

protocols (catalyst_center.system_settings.authentication_and_policy_servers.ise)

Name	Type	Constraint	Mandatory	Default Value
tacacs	Class	`[tacacs]`	No
radius	Class	`[radius]`	No

tacacs (catalyst_center.system_settings.authentication_and_policy_servers.ise.protocols)

Name	Type	Constraint	Mandatory	Default Value
port	Integer	min: `1`, max: `65535`	No

radius (catalyst_center.system_settings.authentication_and_policy_servers.ise.protocols)

Name	Type	Constraint	Mandatory
authentication_port	Integer	min: `1`, max: `65535`	No
accounting_port	Integer	min: `1`, max: `65535`	No
enable_key_wrap	Class	`[enable_key_wrap]`	No

enable_key_wrap (catalyst_center.system_settings.authentication_and_policy_servers.ise.protocols.radius)

Name	Type	Constraint	Mandatory	Default Value
encryption_key	String		No
message_key	String		No

Examples

Example 1: Basic ISE server configuration with RADIUS protocol, including pxGrid integration for security context sharing and standard authentication settings:

catalyst_center:
  system_settings:
    authentication_and_policy_servers:
      ise:
        ip_address: 198.18.133.27
        shared_secret: "Shared12345"
        username: "admin"
        password: "RandomPass12345"
        fqdn: ise.example.net
        pxgrid_enabled: true
        use_catc_cert_for_pxgrid: false
        retries: 3
        timeout: 4
        protocols:
          radius:
            authentication_port: 1812
            accounting_port: 1813

Example 2: ISE server with TACACS and RADIUS key wrap encryption for enhanced security, demonstrating the use of encryption and message keys to protect shared secrets in transit:

catalyst_center:
  system_settings:
    authentication_and_policy_servers:
      ise:
        ip_address: 198.18.133.27
        shared_secret: "Shared12345"
        username: "admin"
        password: "RandomPass12345"
        fqdn: ise.example.net
        pxgrid_enabled: true
        use_catc_cert_for_pxgrid: false
        retries: 3
        timeout: 4
        protocols:
          tacacs:
            port: 49
          radius:
            authentication_port: 1812
            accounting_port: 1813
            enable_key_wrap:
              encryption_key: "qweqweqweqweqwe1"
              message_key: "dsdsd123454545454545"

Example 3: Comprehensive deployment with ISE as primary policy server and multiple AAA servers for redundancy, demonstrating enterprise-grade authentication infrastructure with pxGrid integration, key wrap encryption, and geographically distributed AAA servers for resilience:

catalyst_center:
  system_settings:
    authentication_and_policy_servers:
      ise:
        ip_address: 198.18.133.27
        shared_secret: "Shared12345"
        username: "admin"
        password: "RandomPass12345"
        fqdn: ise.example.net
        pxgrid_enabled: true
        use_catc_cert_for_pxgrid: false
        retries: 3
        timeout: 4
        protocols:
          tacacs:
            port: 49
          radius:
            authentication_port: 1812
            accounting_port: 1813
            enable_key_wrap:
              encryption_key: "qweqweqweqweqwe1"
              message_key: "dsdsd123454545454545"
      aaa:
        - ip_address: 198.18.133.111
          shared_secret: "Shared12345"
          retries: 3
          timeout: 5
          protocols:
            tacacs:
              port: 49
            radius:
              authentication_port: 1812
              accounting_port: 1813
        - ip_address: 198.18.133.112
          shared_secret: "Shared12345"
          retries: 3
          timeout: 5
          protocols:
            tacacs:
              port: 49
            radius:
              authentication_port: 1812
              accounting_port: 1813
        - ip_address: 198.18.133.113
          shared_secret: "Shared12345"
          retries: 2
          timeout: 5
          protocols:
            tacacs:
              port: 49
            radius:
              authentication_port: 1812
              accounting_port: 1813
              enable_key_wrap:
                encryption_key: "qweqweqweqweasd1"
                message_key: "dsdsd123454545454567"