01-14-2022 07:50 AM
I am using Cisco ISE 3.0 in an environment where I have created Internal Users in ISE Identity Management.
I created and assigned users to 2 identity groups, namely L3 and helpdesk.
My requirement is that certain users need to have Write access to some devices and Read Only access to other devices, but in the conditions I don't see any mapping with respect to username; all are based on identity groups.
Is it possible to achieve this?
01-15-2022 08:57 PM
Hi
Just for my information, are you talking about RADIUS or TACACS?
Are the write and read access rights the same for all users within the same group?
Example: will all users from the L3 group have the same rights, or could they have different rights?
If users within the same group have different rights, then you will need to create different groups and create the policy accordingly.
Example:
you can create groups like:
- RW_CORE: full access to core switches
- RO_CORE: read only access to core switches
- RW_ROUTERS: full access to core switches
- RO_ROUTERS: read only access to core switches
- RW_ACCESS: full access to core switches
- RO_ACCESS: read only access to core switches
So if you have mixed rights for every user, you can just assign them the correct groups:
a user who needs RW on CORE and ACCESS but only RO on Routers will have the groups: RW_CORE, RW_ACCESS, RO_ROUTERS
Does that make sense?
01-18-2022 09:08 AM
Thanks for your reply. I went about it exactly like this. User privilege was distributed among various types of devices, so I created L3 and L2 groups and mapped them accordingly.
01-20-2022 06:32 PM
Glad it's working according to your requirements.