ISE 2.4 feature - only give SOME people full access to SOME Cisco routers/switches

kevin.tang
Level 1

Hi,

I have an inquiry for a large organization. How do I configure ISE 2.4 to only give some people full access to some of the Cisco devices that have AAA linked to the same ISE server?

Regards

Kevin


Accepted Solution

You just create your Location NDGs to accomplish what you want. The classic example is a worldwide company with global admins, regional admins (NA, LATAM, EMEA and APAC) and country-level admins. So your Location structure can look like this:

All Locations
  North America
  LATAM
    Brazil
  EMEA
    France
  APAC

Then you can write policy sets at the theater level. So let's say France and Brazil have country-level admins but the rest of the region doesn't:

Policy Set - LATAM (if Location starts with All Locations#LATAM)

  1. If member of global admin AD group full access
  2. If member of LATAM region AD group full access
  3. If Location of device is Brazil and Brazil AD group full access

Build out your policy set as granular as you want using location attributes.

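The location-based policy set from the accepted answer, modelled as an added example so its matching behaviour can be checked (this is not Cisco code or the ISE policy engine; the NDG paths, AD group names and the "Full Access"/"Deny" results are assumptions chosen to mirror the answer, and only the LATAM set is modelled). It shows why a Brazil admin gets privilege 15 on Brazil devices but is denied on other LATAM devices and on devices in other theaters.

```python
# Added example modelling the accepted answer's Location-NDG policy set.
# Not Cisco's code or the ISE policy engine; NDG paths, AD group names and
# the "Full Access"/"Deny" results are assumptions that mirror the answer.
from dataclasses import dataclass

# Constructed Location NDG paths (ISE joins hierarchy levels with '#').
LATAM = "All Locations#LATAM"
BRAZIL = "All Locations#LATAM#Brazil"
FRANCE = "All Locations#EMEA#France"


def under(location: str, prefix: str) -> bool:
    """True if `location` is `prefix` itself or a child NDG of it.
    Compared level by level so 'All Locations#LATAM' never matches a
    sibling NDG that merely shares the same leading characters."""
    levels = location.split("#")
    wanted = prefix.split("#") if prefix else []
    return levels[: len(wanted)] == wanted


@dataclass(frozen=True)
class Rule:
    name: str
    ad_groups: frozenset          # user must belong to at least one of these
    location: str = ""            # "" = any device already in the policy set
    result: str = "Full Access"   # shell profile granting privilege 15

    def matches(self, device_location: str, user_groups: frozenset) -> bool:
        return bool(self.ad_groups & user_groups) and under(device_location, self.location)


# Policy Set - LATAM, selected when the device Location starts with LATAM.
LATAM_POLICY_SET = (LATAM, (
    Rule("1. global admins", frozenset({"GlobalAdmins"})),
    Rule("2. LATAM region admins", frozenset({"LATAM-Admins"})),
    Rule("3. Brazil admins on Brazil devices", frozenset({"Brazil-Admins"}), BRAZIL),
))


def authorize(device_location: str, user_groups, policy_sets=(LATAM_POLICY_SET,)) -> str:
    """Pick the policy set whose Location prefix covers the device, then take
    the first matching rule; anything unmatched falls to the default, Deny."""
    user_groups = frozenset(user_groups)
    for prefix, rules in policy_sets:
        if not under(device_location, prefix):
            continue                           # device belongs to another theater
        for rule in rules:
            if rule.matches(device_location, user_groups):
                return rule.result
        return "Deny"                          # in this set, but no rule matched
    return "Deny"                              # no policy set covers the device
```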

3 Replies

Francesco Molino
VIP Alumni
Hi

Are you using TACACS or RADIUS?
Anyway, you can put all devices with the same AAA server into a dedicated group (e.g. a location group), and in your authorization policy you can push privilege 15 when a user authenticates on devices in this specific group.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hello,

We are using TACACS only. We have one AAA system (primary ISE and secondary ISE) to manage about 5000 Cisco devices.

But some local Administrators want to have full access to their 10 Cisco devices.

I understand that I can group those 10 Cisco devices and create a group for those local Administrators.

But how do I create the Authorization Policy that only allows those local Administrators to control those 10 Cisco devices? I do not want them to access my other 4990 devices. Also, my accounting should work too.

Some step-by-step guide would be great.

Regards


Kevin
