topic ISE - Policy Set query in Network Access Control

ISE - Policy Set query

Rajiv Mishra — Tue, 30 Jun 2020 01:31:37 GMT

Hello All

While planning i came across this scenario and just want to cross check with the community.

Hypothetical situation:

If i have two vendor supporting my network devices ( say two vendors X and Y )

X supports security devices say ASA firewalls

Y supports LAN/WAN devices say Switches and ISR routers

They both should not be able to login into each others managed devices.

X should not be able to login with a ssh into ISR

Y should not be able to ssh into ASA

On ISE:

-I define two NDG - Security_Devices and IOS_Devices

-I define two DAG - X_Staff and Y_Staff

Is there a way i can set a authentication policy that blocks X_Staff to authenticate on IOS_Devices ? and vice versa?

As far as i understand, authentication can not be conditioned using "DAG" and I have no way to restrict authentication of X_Staff on IOS devices ? I can limit/deny authorization but not authentication.

Does that sound correct? Anyone can "authenticate" into any device as long as they are part of same identity source ?

thanks in advance

Re: ISE - Policy Set query

jeaves@cisco.com — Fri, 10 Jul 2020 14:38:35 GMT

Sounds like a perfect use-case for using SGTs. Define groups for Vendors and groups for different access devices. Set enforcement as necessary.

If it's purely for authentication then have you looked at TACACS?

Re: ISE - Policy Set query

aosorno — Fri, 10 Jul 2020 19:00:36 GMT

I think what you need is to configure authorization policies you can set permission to enter only the network elements you define.

Re: ISE - Policy Set query

hslai — Sat, 11 Jul 2020 18:19:02 GMT

You are correct and both responders Joff and aosomo provided some inputs.

If you need some example, see ISE Device Administration resources for TACACS+ and RADIUS especially ISE Device Administration Prescriptive Deployment Guide