Device Administration Radius - authz profiles

Hello everyone,

we are planning to use ISE for device administration for a large-scale SP-like customer. We are using FreeRADIUS and want to replace it with ISE.

We have a complex environment, therefore our goal is to keep policies as simple as possible.

There are about 10 different departments, each with its own network admin team, which is divided into 5 different teams like security, switching, routing etc. Within these teams we will have privileges WRITE, READ and LIMITED. Additionally we have to differentiate in the authorisation profiles between several vendors.

I have to assign more than one authz result to an authz policy.

So the authz policy would be something like the attached screenshot.

So my question/concern is about authz profiles:

  • Afaik when I have more than one authz profile assigned to a policy, all attributes will be sent to the NAD. Would that have any impact on the NAD, when e.g. a Cisco device receives RADIUS attributes from other vendors?
  • Is there maybe a better approach to design policies? I want to avoid multiplying the set of authz policies (see screenshot) by the number of vendors.
  • Is there maybe a more intelligent approach where ISE chooses the authz profile which fits the NAD? Maybe roadmap?

Thanks in advance for your input.

Cisco Employee

Re: Device Administration Radius - authz profiles

  • Afaik when I have more than one authz profile assigned to a policy, all attributes will be sent to the NAD. Would that have any impact on the NAD, when e.g. a Cisco device receives RADIUS attributes from other vendors?

This depends on the NADs -- whether the NADs are able to ignore the attributes they do not understand.

  • Is there maybe a better approach to design policies? I want to avoid multiplying the set of authz policies (see screenshot) by the number of vendors.
  • Is there maybe a more intelligent approach where ISE chooses the authz profile which fits the NAD? Maybe roadmap?

If the RADIUS authorization profiles differ in the RADIUS vendor dictionaries used, then you may use NAD profiles and select the list of RADIUS vendor dictionaries available to a particular NAD profile. See How To: Create Network Access Device Pr... - Cisco Community
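To make the "NAD must ignore what it does not understand" point concrete, here is an added example (not from the thread or from ISE) that encodes a constructed Access-Accept attribute list carrying both a Cisco and a Juniper vendor-specific attribute, as a policy with two vendor authz profiles would send, and then shows the NAD-side filtering by IANA vendor ID. The attribute layout follows RFC 2865; the vendor IDs (Cisco 9, Juniper 2636), cisco-avpair as Cisco VSA type 1 and the Juniper sub-attribute number are assumed from public dictionaries, and the payload values are constructed.

```python
import struct

VSA = 26                  # RADIUS Vendor-Specific attribute type (RFC 2865, 5.26)
SERVICE_TYPE = 6          # standard attribute; value 6 = Administrative-User
CISCO_VENDOR_ID = 9       # IANA enterprise number for Cisco (assumed)
JUNIPER_VENDOR_ID = 2636  # IANA enterprise number for Juniper (assumed)


def encode_vsa(vendor_id, vendor_type, value):
    """Encode one Vendor-Specific attribute: 26, len, vendor-id, sub-type, sub-len, value."""
    if isinstance(value, str):
        value = value.encode()
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return struct.pack("!BBI", VSA, len(inner) + 6, vendor_id) + inner


def decode_attributes(blob):
    """Walk a RADIUS attribute list; return (type, vendor_id, vendor_type, value) tuples.
    Standard attributes carry vendor_id/vendor_type = None. One sub-attribute per VSA
    is assumed, which is how ISE and most dictionaries emit them."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed attribute length")
        body = blob[i + 2:i + alen]
        if atype == VSA:
            vendor_id = struct.unpack("!I", body[:4])[0]
            vtype, vlen = body[4], body[5]
            out.append((atype, vendor_id, vtype, body[6:4 + vlen]))
        else:
            out.append((atype, None, None, body))
        i += alen
    return out


def attributes_for_nad(blob, nad_vendor_id):
    """NAD-side view: keep standard attributes and only VSAs from the NAD's own vendor;
    VSAs from other vendors are silently dropped, as a well-behaved NAD does."""
    return [a for a in decode_attributes(blob) if a[1] is None or a[1] == nad_vendor_id]


# Constructed Access-Accept attribute list: what ISE sends when a Cisco and a
# Juniper authz profile are both attached to the same authz policy.
SAMPLE = (
    struct.pack("!BBI", SERVICE_TYPE, 6, 6)                     # Service-Type = Administrative
    + encode_vsa(CISCO_VENDOR_ID, 1, "shell:priv-lvl=15")       # cisco-avpair
    + encode_vsa(JUNIPER_VENDOR_ID, 1, "super-user")            # Juniper-Local-User-Name (assumed)
)
```

Running `attributes_for_nad(SAMPLE, CISCO_VENDOR_ID)` yields only Service-Type and the cisco-avpair; a NAD that instead rejects unknown vendor IDs is the case the reply's NAD-profile dictionary selection is meant to handle.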