topic Re: Regional Admin delegation for ISE distributed Setup in Network Access Control

Regional Admin delegation for ISE distributed Setup

bawagne — Mon, 11 Mar 2019 08:52:01 GMT

Hello,

I have a customer that intend to have a distributed deployments in several regions.

Each region will have a group of 2 PSNs.

They want to delegate admin per region.

So i want to understand down to which level can we delegate the admin right; Policy for each region? PSN for each? Data Logs for region? NAD for each region?

I have gone through the below document which gives details on how to give different admin right on the PAN not really my use case which more base a delegation based on location.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_0101.html

Best Regards,

Babacar

Re: Regional Admin delegation for ISE distributed Setup

Arne Bier — Thu, 15 Nov 2018 10:37:13 GMT

If you intend on having multiple PSN's spread over multiple regions, but the entire deployment managed by two PAN nodes, then I am pretty sure you cannot perform RBAC (Role Based Access Control) down to PSN level. I have only seen menu options that can be customised, and then the data access (read/write type of access) - but this applies to particular functions that span across all PSN's.

You're thinking of how Prime Infrastructure does its hierarchical access using Operations Centre, and then using Virtual-Domains etc. That concept does not apply to ISE. I would hazard a guess and say you'd need to deploy multiple PAN/MnT/PSN pairs all over the place if you want that sort of role based segregation.

Re: Regional Admin delegation for ISE distributed Setup

bawagne — Mon, 19 Nov 2018 08:23:31 GMT

Many Thanks Arne.

Babacar

Re: Regional Admin delegation for ISE distributed Setup

bawagne — Mon, 19 Nov 2018 08:23:57 GMT

Many Thanks Arne.

Babacar