topic Re: ISE authentication policy in Network Access Control

ISE authentication policy

umeshunited — Wed, 03 Jul 2019 19:26:36 GMT

Hi,

I have five different locations for one of the client.

Each location is having 2 to 3 network device.

I want to give local site administrator the privilege to change their local device config only.

Also, one superadmin should be able to change the config on all site devices.

Is it possible to do it under one policy in Device admin policy set?

Re: ISE authentication policy

Mike.Cifelli — Wed, 03 Jul 2019 19:47:52 GMT

Yes you could accomplish this in one device admin policy. Focus on your authz conditions. Quick example of how you could accomplish your requirement:
AD: External Groups Equals LOCATION1
AND
DEVICE-Device Type Equals LOCATION1 devices
Then push Shell profile containing read only

Good luck & HTH!

Re: ISE authentication policy

Mohammed al Baqari — Thu, 04 Jul 2019 05:07:51 GMT

Absolutely possible. Your devices should be in separate NDGs. Then create a
policy to match the NDG with AD group (if they are AD users) and assign
authorization rules. I am assuming that you have them in separate AD group
or you can use any other form of separation between the users (username for
example).

**** remember to rate useful posts

Re: ISE authentication policy

umeshunited — Tue, 16 Jul 2019 23:03:30 GMT

I configured a Device type which contained the main group for that Client.

Also configured device groups for different sites. e.g. 5 groups for 5 sites.

Then I configured a policy in policy sets so that it will match All devices for that client.

After that, I configured authorization policy and in the condition, I used logical AND of site_1 and internal user.

This did the trick for me.