topic Re: scale information about ISE2.2 in Network Access Control

scale information about ISE2.2

naogawa — Mon, 08 May 2017 07:35:21 GMT

Q1. Max number of Endpoint identity groups we can configure.

customer needs 200 endpoint identity groups.

Q2. Max number of Authorization profiles we can configure.

customer needs 400 Authorization profiles.

Re: scale information about ISE2.2

hslai — Tue, 09 May 2017 00:32:22 GMT

500 EP ID groups; 600 authz profiles.

Re: scale information about ISE2.2

Craig Hyps — Wed, 10 May 2017 18:25:17 GMT

Additionally, under ISE 2.2 we validated the following specific to auth policy rules...

Re: scale information about ISE2.2

naogawa — Thu, 11 May 2017 00:40:39 GMT

Thank you so much!

Re: scale information about ISE2.2

naogawa — Thu, 11 May 2017 00:41:05 GMT

Thank yo so much. your information is really helpful.

Re: scale information about ISE2.2

naogawa — Wed, 30 Aug 2017 05:27:28 GMT

customer demand us they need over 1000 identity groups.

is there any roadmap to increase the scale?

we need the information o respond RFP.

Re: scale information about ISE2.2

hslai — Wed, 30 Aug 2017 05:51:34 GMT

Please contact ISE PM team on roadmap inquiries.

Re: scale information about ISE2.2

Craig Hyps — Wed, 30 Aug 2017 13:05:31 GMT

The original post was about Auth Policy (Policy Sets, AuthC Rules, AuthZ Rules). Your last request was about Identity Groups. I recommend reassessing the need for so many identity groups. Did you know that ISE 2.1 and above support endpoint custom attributes? You could assign unique values to the custom attribute that can translate into unique group value, and then apply policy based on that. However, you still do not want a policy where you get into "If Group=X" or "If CustomAttr1=X", then permit..., because you would have a rule explosion. It is best to have policy leverage dynamic attributes where the value assignment is based on value assigned to internal or external ID store. Example: Set VLAN or SGT based on value assigned to customer attribute, or to AD/LDAP attribute for given user/endpoint. This way you consolidate many rules into one or few.

/Craig

Re: scale information about ISE2.2

naogawa — Fri, 08 Sep 2017 07:40:34 GMT

Thank you for your comments.

I would like to know how to set endpoint custom attribute based LDAP attribute for given user/endpoint.

I want to set unique endpoint custom attribute based on LDAP attribute for given user/endpoint.

is it possible using authorization policy rule?

customer wants to handle and assignment 1000VLANs based on LDAP attribute for given user/endpoint.

but Identity Groups's limit is 500 so, I 'm thinking using also custom attributes.

your comments would be really appreciated.

-Customer's authentication/authorization flow,

1.When an endpoint accesses to network first time,

the endpoint's mac address authentication is failed because it is not un-registered

and is authorized by CWA with LDAP user/password.

2.During this time, register the endpoints to Identity Groups and

(want to set custom attributes also but i don't know how to set this) based on LDAP attribute for given user/endpoint

3.Assign VLAN based on LDAP attribute for given user/endpoint

4. on the 2nd network access of the endpoints, the endpoint's mac address authentication is passed

and assign VLAN based on Identity Group and Custom attribute

Thanks

Nana

Re: scale information about ISE2.2

Craig Hyps — Fri, 08 Sep 2017 12:40:01 GMT

You cannot dynamically assign custom attribute today based on auth result, unless performed some external scripting to perform such update. Such scripting is outside the scope of forum but could be triggered based on RADIUS auth log events.

Note that most cases, the endpoint will continue to Authorization anyway even if not yet learned by ISE, so authorization policy matching ends up being the same.

If already know the VLAN that you want user to be assigned to, then add that as a field in their AD/LDAP record and then configure Authorization Profile to set VLAN dynamically based on the attribute value. In example below, the user record in AD was updated so that the PostalCode attribute had the VLAN number or name for the user. Same applies to LDAP.

/Craig