topic Re: ISE endpoint identity groups in Network Access Control

ISE endpoint identity groups

cgm — Fri, 07 Jan 2022 20:21:00 GMT

Hi, happy new year!

It used to be the case that profile type was not readily available to use in authorization policies, but that is no longer the case. So what is the current use case for identity groups ? Just a higher order classification ?

TIA,

-Carlos

Re: ISE endpoint identity groups

Damien Miller — Fri, 07 Jan 2022 21:59:30 GMT

It allows for a lot more freedom when grouping endpoints. A good example of this is using endpoint identity groups for static whitelists, or using them for iPSK. In both these cases you can have multiple endpoint types that wouldn't share the same profile but need the same treatment from an authz perspective.

Re: ISE endpoint identity groups

cgm — Fri, 07 Jan 2022 22:09:45 GMT

Great, so a higher order classification it is then.

It surprised me though that as a classification, an endpoint can not belong to more than one group,

and being that Profiled is one of the branches, when an endpoint is moved to GuestEndpoints, you "loose" its original type so to say.