topic Re: ISE Authorization Policy - Network Device Management in Network Access Control

ISE Authorization Policy - Network Device Management

Dan Man — Wed, 07 Oct 2020 12:35:08 GMT

First of all, thank you in advance for reading my question!

I've created a policy set, in which I've added a Network Management set to manage our network equipment. I've added the devices to the Network devices. Created the authentication and authorization policies. It works great! Here's my issue. When I create the network devices, I add a location to each device, and then I've added that location to the "All Locations" group. Is there a way(and I've already tried, but it's not working), where in the Authorization policy, I can add the "All Locations" option, so that I don't have to add each switch device IP into the authorization policy? All I have to do is add the network device, set up its location, and add that location to the "All Locations" group, and that's it. Just curious if that's even possible. It would suck to have to add the switch to the Network devices, and then have to add the device IP to the authorization policy. Thanks again!

Re: ISE Authorization Policy - Network Device Management

Mike.Cifelli — Wed, 07 Oct 2020 13:28:28 GMT

Within authz policies you have the ability to utilize DEVICE:Device Type condition which would allow you to drive policy based on the type (owner/building/etc.). Another condition you can utilize is Network Access: NetworkDeviceName. That condition could be possible for your scenario. For example: if all your switch names start with ABCDEF you could use this condition: Network Access: NetworkDeviceName STARTSWITH: ABCDEF.

HTH!

Re: ISE Authorization Policy - Network Device Management

Dan Man — Tue, 13 Oct 2020 20:11:16 GMT

Mike, thank you! This worked fantastically for me! I appreciate it!