https://community.cisco.com/t5/network-access-control/ise-distributed-psns-associated-to-specific-rsa-servers/m-p/3518436#M510679 <HTML><HEAD></HEAD><BODY><P>Paul is correct that PSN node groups are not available as authentication policy conditions and they are more for ISE profiling replications.</P><P></P><P>If you meant network devices in the same network device groups use the same sets of PSNs, then you may use the network device grouping as the authentication policy conditions.</P></BODY></HTML> Wed, 25 Apr 2018 03:17:26 GMT hslai 2018-04-25T03:17:26Z https://community.cisco.com/t5/network-access-control/ise-distributed-psns-associated-to-specific-rsa-servers/m-p/3518434#M510675 <HTML><HEAD></HEAD><BODY><P><SPAN style="color: #000000; font-family: -webkit-standard; font-size: medium; font-style: normal; font-weight: normal; text-align: start; text-indent: 0px;">Hey guys </SPAN></P><P style="color: #000000; font-family: -webkit-standard; font-style: normal; font-weight: normal; text-align: start; text-indent: 0px;"></P><P style="color: #000000; font-family: -webkit-standard; font-style: normal; font-weight: normal; text-align: start; text-indent: 0px;">Quick question. </P><P style="color: #000000; font-family: -webkit-standard; font-style: normal; font-weight: normal; text-align: start; text-indent: 0px;"></P><P style="color: #000000; font-family: -webkit-standard; font-style: normal; font-weight: normal; text-align: start; text-indent: 0px;">I have been reading about this but I would like to get confirmation as it gets quite confusing lol </P><P style="color: #000000; font-family: -webkit-standard; font-style: normal; font-weight: normal; text-align: start; text-indent: 0px;"></P><P style="color: #000000; font-family: -webkit-standard; font-style: normal; font-weight: normal; text-align: start; text-indent: 0px;">Anyway, my client has an ISE distributed env based on Dedicated PAN, Mnt and PSNs</P><P style="color: #000000; font-family: -webkit-standard; font-style: normal; font-weight: normal; text-align: start; text-indent: 0px;"></P><P style="color: #000000; font-family: -webkit-standard; font-style: normal; font-weight: normal; text-align: start; text-indent: 0px;">They will be using many RSA servers as external identity sources.</P><P style="color: #000000; font-family: -webkit-standard; font-style: normal; font-weight: normal; text-align: start; text-indent: 0px;"></P><P style="color: #000000; font-family: -webkit-standard; font-style: normal; font-weight: normal; text-align: start; text-indent: 0px;">Because of the distribution of the PSNs group of network devices (NAD group)&nbsp;&nbsp; will be using specific PSNs and other group of NADs other&nbsp; PSNs.&nbsp; </P><P style="color: #000000; font-family: -webkit-standard; font-style: normal; font-weight: normal; text-align: start; text-indent: 0px;"></P><P style="color: #000000; font-family: -webkit-standard; font-style: normal; font-weight: normal; text-align: start; text-indent: 0px;">Question:</P><P style="color: #000000; font-family: -webkit-standard; font-style: normal; font-weight: normal; text-align: start; text-indent: 0px;">—————</P><P style="color: #000000; font-family: -webkit-standard; font-style: normal; font-weight: normal; text-align: start; text-indent: 0px;">For specific groups of devices (NAD grouped per location for example) can they use a specific RSA server? As </P><P style="color: #000000; font-family: -webkit-standard; font-style: normal; font-weight: normal; text-align: start; text-indent: 0px;"></P><P style="color: #000000; font-family: -webkit-standard; font-style: normal; font-weight: normal; text-align: start; text-indent: 0px;">PSN1—RSA1 primary </P><P style="color: #000000; font-family: -webkit-standard; font-style: normal; font-weight: normal; text-align: start; text-indent: 0px;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; |___RSA2 sec</P><P style="color: #000000; font-family: -webkit-standard; font-style: normal; font-weight: normal; text-align: start; text-indent: 0px;">PSN2—RSA2 primary </P><P style="color: #000000; font-family: -webkit-standard; font-style: normal; font-weight: normal; text-align: start; text-indent: 0px;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; |___RSA1 sec</P><P style="color: #000000; font-family: -webkit-standard; font-style: normal; font-weight: normal; text-align: start; text-indent: 0px;"></P><P style="color: #000000; font-family: -webkit-standard; font-style: normal; font-weight: normal; text-align: start; text-indent: 0px;"></P><P style="color: #000000; font-family: -webkit-standard; font-style: normal; font-weight: normal; text-align: start; text-indent: 0px;">This seems possible using rule based authentication policies in ISE. </P><P style="color: #000000; font-family: -webkit-standard; font-style: normal; font-weight: normal; text-align: start; text-indent: 0px;"></P><P style="color: #000000; font-family: -webkit-standard; font-style: normal; font-weight: normal; text-align: start; text-indent: 0px;">However although it seems to be based on specific ISE&nbsp; attributes only part of the ISE dictionary&nbsp; </P><P style="color: #000000; font-family: -webkit-standard; font-style: normal; font-weight: normal; text-align: start; text-indent: 0px;"></P><P style="color: #000000; font-family: -webkit-standard; font-style: normal; font-weight: normal; text-align: start; text-indent: 0px;">It seems we can group PSN together as a mode group.</P><P style="color: #000000; font-family: -webkit-standard; font-style: normal; font-weight: normal; text-align: start; text-indent: 0px;"></P><P style="color: #000000; font-family: -webkit-standard; font-style: normal; font-weight: normal; text-align: start; text-indent: 0px;">So in this case I can def configure each NAD to point to specific “node group” then using rule based authentications asking these Node groups (based on device IP or device network group or location) to use a specific RSA servers.</P><P style="color: #000000; font-family: -webkit-standard; font-style: normal; font-weight: normal; text-align: start; text-indent: 0px;"></P><P style="color: #000000; font-family: -webkit-standard; font-style: normal; font-weight: normal; text-align: start; text-indent: 0px;">If you could chime in I would appreciate. </P><P style="color: #000000; font-family: -webkit-standard; font-style: normal; font-weight: normal; text-align: start; text-indent: 0px;">Thank you </P><P style="color: #000000; font-family: -webkit-standard; font-style: normal; font-weight: normal; text-align: start; text-indent: 0px;"><IMG alt="image1.jpeg" class="jive-image" src="https://community.cisco.com/" /></P></BODY></HTML> Tue, 17 Apr 2018 21:36:10 GMT https://community.cisco.com/t5/network-access-control/ise-distributed-psns-associated-to-specific-rsa-servers/m-p/3518434#M510675 Samuel Vuillaume 2018-04-17T21:36:10Z https://community.cisco.com/t5/network-access-control/ise-distributed-psns-associated-to-specific-rsa-servers/m-p/3518435#M510677 <HTML><HEAD></HEAD><BODY><P>I don't think you can use node groups in Auth criteria, but just use the PSN hostname attribute:</P><P></P><P><IMG alt="Capture.JPG" class="image-1 jive-image" src="https://community.cisco.com/legacyfs/online/fusion/116614_Capture.JPG" style="height: 188px; width: 620px;" /></P></BODY></HTML> Wed, 18 Apr 2018 16:49:34 GMT https://community.cisco.com/t5/network-access-control/ise-distributed-psns-associated-to-specific-rsa-servers/m-p/3518435#M510677 paul 2018-04-18T16:49:34Z https://community.cisco.com/t5/network-access-control/ise-distributed-psns-associated-to-specific-rsa-servers/m-p/3518436#M510679 <HTML><HEAD></HEAD><BODY><P>Paul is correct that PSN node groups are not available as authentication policy conditions and they are more for ISE profiling replications.</P><P></P><P>If you meant network devices in the same network device groups use the same sets of PSNs, then you may use the network device grouping as the authentication policy conditions.</P></BODY></HTML> Wed, 25 Apr 2018 03:17:26 GMT https://community.cisco.com/t5/network-access-control/ise-distributed-psns-associated-to-specific-rsa-servers/m-p/3518436#M510679 hslai 2018-04-25T03:17:26Z