how to restrict a ISE tacacs user from logging-in to another device? Our company has a manufacturing in many location arround the world and we wanted to restrict all of our engineers base on their geographic locations.

kumarrak1 — Wed, 14 Jun 2017 19:36:13 GMT

how to restrict a tacacs user from logging-in to another device? Our company has a manufacturing in many location arround the world and we wanted to restrict all of our engineers base on their geographic locations.

Re: how to restrict a ISE tacacs user from logging-in to another device? Our company has a manufacturing in many location arround the world and we wanted to restrict all of our engineers base on their geographic locations.

paul — Wed, 14 Jun 2017 21:26:17 GMT

That is a common setup for world wide deployments. You have two methods to tackle this. You can write rules from the perspective of the geographic region or from the device type perspective. Device Type might be the easiest and would look something like this given standard region names (only showing router and switches and a few regions):

Device Types

All Device Types

Switch

Router

Locations

All Locations

North America

Wisconsin

Illinois

EMEA

Germany

England

APAC

China

Japan

Switch Policy Set

Policy Set Criteria- Device Type equals All Device Types#Switch

Authentication Criteria- wherever you are authenticating users against

Authorization Rules:

If member of Global Network Admin group then full access
If member of North America Network Admin group and switch location begins with All Locations#North America then full access
If member of EMEA Network Admin group and switch location begins with All Locations#EMEA then full access
If member of AsiaPac Network Admin group and switch location begins with All Locations#APAC then full access

Router Policy Set

Policy Set Criteria- Device Type equals All Device Types#Router

Authentication Criteria- wherever you are authenticating users against

Authorization Rules:

If member of Global Network Admin group then full access
If member of North America Network Admin group and switch location begins with All Locations#North America then full access
If member of EMEA Switch Network group and switch location begins with All Locations#EMEA then full access
If member of AsiaPac Switch Network group and switch location begins with All Locations#APAC then full access

Then build this out as needed. I usually break out device types even if the access rules are identical to allow for future use cases where different users may administer routers vs. switches.

Re: how to restrict a ISE tacacs user from logging-in to another device? Our company has a manufacturing in many location arround the world and we wanted to restrict all of our engineers base on their geographic locations.

kthiruve — Fri, 16 Jun 2017 16:00:41 GMT

You can also use user groups, say if your users are part of Active directory user groups.

If you want greater granularity to accommodate a pool of common administrators accessing many devices, you can use a combination of Network device groups and Active directory groups.

-Krishnan

topic Re: how to restrict a ISE tacacs user from logging-in to another device? Our company has a manufacturing in many location arround the world and we wanted to restrict all of our engineers base on their geographic locations. in Network Access Control

how to restrict a ISE tacacs user from logging-in to another device? Our company has a manufacturing in many location arround the world and we wanted to restrict all of our engineers base on their geographic locations.

Re: how to restrict a ISE tacacs user from logging-in to another device? Our company has a manufacturing in many location arround the world and we wanted to restrict all of our engineers base on their geographic locations.

Re: how to restrict a ISE tacacs user from logging-in to another device? Our company has a manufacturing in many location arround the world and we wanted to restrict all of our engineers base on their geographic locations.