topic Re: Cisco ISE supported feature in Network Access Control

Cisco ISE supported feature

hanguye3 — Wed, 27 Jun 2018 07:25:49 GMT

Hi team,

I am supporting our End-user on the requested feature below:

- They deployed ISE at DC and DR, each site has 03 virtual instances (PAN + PSN + MnT).
- They have many branches.
- The question is: can ISE support each branch only to add/edit/delete the policies related to those device which belongs to this branch or add new devices?

For example, Branch A only can do AAA/COA policies with the devices or add new devices which belongs to Branch A and can not do with the devices belongs to Branch B.

It is something like separate multi-domains on ISE.

If support, kindly help to share us the detailed configuration.

If not, pls help to propose any workaround solutions.

Highly appreciate for any quick support. Thanks in advance.

Br,

hainm

Re: Cisco ISE supported feature

ognyan.totev — Wed, 27 Jun 2018 07:51:56 GMT

Yes it support it , you must add devices to ISE just in different location .

Devices in Branch A locate in Device group BRANCH A

Device in Branch B locate in branch B

Base on this locations you can create policy for them

Device type eq switch and device location in branch A

Than create authorization policy for them

This will instruct all devices try to connect switch from branch A will receive authorization policy for this location.

Re: Cisco ISE supported feature

hanguye3 — Wed, 27 Jun 2018 08:07:16 GMT

Hi bro,

Many thanks for your response. Correct me if i am wrong with some detailed steps below:

- using ISE to scan all the devices inside the HO and branches.

- Group all the scanned devices into separate groups

- create different locations: Branch A, Branch B....

- Bind device group to specific Branch Location.

- Create policy base on specific location.

One more question: can ISE support to create admin user for Branch A so that this admin only can add the devices belong to Branch A?

Thanks in advance.

Br,

hainm

Re: Cisco ISE supported feature

hanguye3 — Wed, 27 Jun 2018 08:10:37 GMT

Hi bro,

Many thanks for your response. Correct me if i am wrong with some detailed steps below:

- using ISE to scan all the devices inside the HO and branches.

- Group all the scanned devices into separate groups

- create different locations: Branch A, Branch B....

- Bind device group to specific Branch Location.

- Create policy base on specific location.

One more question: can ISE support to create admin user for Branch A so that this admin only can add the devices belong to Branch A?

Thanks in advance.

Best regards,

.:|:.:|:. Hai Nguyen

Systems Engineer | Cisco Systems Vietnam

Desk: +84 24 3974 6248 | Mobile: +84 904 373 746 | hanguye3@cisco.com<mailto:hanguye3@cisco.com>

Re: Cisco ISE supported feature

ognyan.totev — Wed, 27 Jun 2018 08:28:53 GMT

Hi again

I speak about network device not the endpoints

Add network devices in different location respective office

All endpoint associated to this network device you ca create policy based on location and device type like :

switch ,router,WLC and etc

For the question

Yes it is possible but i am not test this .And what kind of user for device administration like tacacs or something else

Re: Cisco ISE supported feature

hanguye3 — Wed, 27 Jun 2018 08:31:39 GMT

Hi bro,

so can ISE support to create admin user for Branch A so that this admin only can add the devices belong to Branch A?

Br,

hainm

Re: Cisco ISE supported feature

hslai — Fri, 29 Jun 2018 23:11:06 GMT

There is some support.

Please check out the workaround for CSCvb55884. TAC has an internal doc detailing how it is done.