https://community.cisco.com/t5/network-access-control/device-administration-radius-authz-profiles/m-p/3858273#M472899 <P>Hello everyone,</P><P>&nbsp;</P><P>we are planing to use ISE for device administration for a large scale sp-like customer. We are using free-radius and want to replace it with ISE.&nbsp;</P><P>&nbsp;</P><P>We have a complex environment, therefore our goal is to keep policies as simple as possible.</P><P>&nbsp;</P><P>There are about 10 different departments each with its own network admin team, which is divided in 5 different teams like security, switching, routing etc. Within these teams we will have privileges WRITE, READ and LIMITED. Additionally we have to differentiate in the authorisation profiles between several vendors.</P><P>&nbsp;</P><P>&nbsp;</P><P>I have to assign more then one authz result to a authz policy.&nbsp;</P><P>So the authz policy would be something like the attached screenshot.</P><P><IMG border="0" /></P><P><IMG border="0" /></P><P>&nbsp;</P><P>So my question/concern is about authz profile:</P><UL><LI>Afaik when I have more then one authz profile assigned to a policy all attributes will be send to NAD. Would that have any impact on the NAD, when e.g. Cisco device receives radius attributes from other vendors.</LI><LI>Is there maybe a better approach to design policies? I want to avoid to multiply the set of authz policies (see screenshot) by the number of vendors?</LI><LI>Is there maybe a more intelligent approach where ISE chooses the authz profile which fits to the NAD? Maybe roadmap?</LI></UL><P>Thanks in advance for your input.</P><P>Cengiz<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Untitled 4.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/36918iF1A9E5C4823B4D1F/image-size/large?v=v2&amp;px=999" role="button" title="Untitled 4.png" alt="Untitled 4.png" /></span></P> Fri, 17 May 2019 12:30:16 GMT Cengiz Savas 2019-05-17T12:30:16Z https://community.cisco.com/t5/network-access-control/device-administration-radius-authz-profiles/m-p/3858273#M472899 <P>Hello everyone,</P><P>&nbsp;</P><P>we are planing to use ISE for device administration for a large scale sp-like customer. We are using free-radius and want to replace it with ISE.&nbsp;</P><P>&nbsp;</P><P>We have a complex environment, therefore our goal is to keep policies as simple as possible.</P><P>&nbsp;</P><P>There are about 10 different departments each with its own network admin team, which is divided in 5 different teams like security, switching, routing etc. Within these teams we will have privileges WRITE, READ and LIMITED. Additionally we have to differentiate in the authorisation profiles between several vendors.</P><P>&nbsp;</P><P>&nbsp;</P><P>I have to assign more then one authz result to a authz policy.&nbsp;</P><P>So the authz policy would be something like the attached screenshot.</P><P><IMG border="0" /></P><P><IMG border="0" /></P><P>&nbsp;</P><P>So my question/concern is about authz profile:</P><UL><LI>Afaik when I have more then one authz profile assigned to a policy all attributes will be send to NAD. Would that have any impact on the NAD, when e.g. Cisco device receives radius attributes from other vendors.</LI><LI>Is there maybe a better approach to design policies? I want to avoid to multiply the set of authz policies (see screenshot) by the number of vendors?</LI><LI>Is there maybe a more intelligent approach where ISE chooses the authz profile which fits to the NAD? Maybe roadmap?</LI></UL><P>Thanks in advance for your input.</P><P>Cengiz<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Untitled 4.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/36918iF1A9E5C4823B4D1F/image-size/large?v=v2&amp;px=999" role="button" title="Untitled 4.png" alt="Untitled 4.png" /></span></P> Fri, 17 May 2019 12:30:16 GMT https://community.cisco.com/t5/network-access-control/device-administration-radius-authz-profiles/m-p/3858273#M472899 Cengiz Savas 2019-05-17T12:30:16Z https://community.cisco.com/t5/network-access-control/device-administration-radius-authz-profiles/m-p/3858476#M472904 <BLOCKQUOTE> <UL> <LI>Afaik when I have more then one authz profile assigned to a policy all attributes will be send to NAD. Would that have any impact on the NAD, when e.g. Cisco device receives radius attributes from other vendors.</LI> </UL> </BLOCKQUOTE> <P>This depends on the NADs -- whether NADs able to ignore the attributes they do not understand.</P> <P>&nbsp;</P> <BLOCKQUOTE> <UL> <LI>Is there maybe a better approach to design policies? I want to avoid to multiply the set of authz policies (see screenshot) by the number of vendors?</LI> <LI>Is there maybe a more intelligent approach where ISE chooses the authz profile which fits to the NAD? Maybe roadmap?</LI> </UL> </BLOCKQUOTE> <P>If the RADIUS authorization profiles differing in the RADIUS vendor dictionaries used, then you may use NAD profiles and select the list of RADIUS vendor dictionaries available to a particular NAD profile. See <SPAN><A href="https://community.cisco.com/t5/security-documents/how-to-create-network-access-device-profiles-with-cisco-ise/ta-p/3631103" target="_blank">How To: Create Network Access Device Pr... - Cisco Community</A></SPAN></P> Fri, 17 May 2019 16:56:29 GMT https://community.cisco.com/t5/network-access-control/device-administration-radius-authz-profiles/m-p/3858476#M472904 hslai 2019-05-17T16:56:29Z