132 Views · 5 Helpful · 3 Replies
Beginner

ISE authentication policy

Hi,

I have five different locations for one of my clients.

Each location has 2 to 3 network devices.

I want to give the local site administrator the privilege to change only their local device config.

Also, one superadmin should be able to change the config on all site devices.

Is it possible to do this under one policy in the Device Admin policy set?

Accepted Solution
Rising star

Re: ISE authentication policy

Yes, you could accomplish this in one device admin policy. Focus on your authz conditions. Quick example of how you could accomplish your requirement:
AD: External Groups Equals LOCATION1
AND
DEVICE-Device Type Equals LOCATION1 devices
Then push Shell profile containing read only

Good luck & HTH!
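The rule structure described in the accepted answer, as an added illustration (not ISE's own code or anything from this thread): a toy first-match evaluator for a device-admin authorization policy. ISE configures this in the GUI, so the `Request`/`Rule` classes, the NDG names `Client/Site1` ... `Client/Site5`, the AD group names `NetOps-SuperAdmins` / `NetOps-SiteN`, and the shell profile name `PRIV15` are all assumptions made for the example. What it shows beyond the post: the superadmin rule matches on the client-level NDG so it covers every site, a site admin authenticating against another site's device falls through to the default deny, and a device placed outside the client's NDG tree is not matched by anyone, so putting each NAD in the correct site NDG is what actually enforces the boundary.

```python
"""
Toy first-match evaluation of an ISE-style device-admin authorization policy.
Added example, not ISE code: class names, NDG paths, AD group names and
shell profile names below are assumptions standing in for GUI objects.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Request:
    """What ISE has at authorization time: the user, the AD groups resolved
    for that user, and the Network Device Group the requesting NAD sits in."""
    username: str
    ad_groups: FrozenSet[str]   # AD "External Groups" for the user
    device_type: str            # NDG leaf of the NAD, e.g. "Client/Site1"


@dataclass(frozen=True)
class Rule:
    """One row of the authorization policy (hypothetical representation)."""
    name: str
    ad_group: Optional[str]     # None means "any authenticated user"
    device_type: str            # NDG node; matches that node and everything under it
    shell_profile: str          # result pushed on match, e.g. "PRIV15"


def in_ndg_tree(device_type: str, node: str) -> bool:
    """NDGs are hierarchical: 'Client/Site1' is under 'Client' but not under 'ClientX'."""
    return device_type == node or device_type.startswith(node + "/")


def matches(rule: Rule, req: Request) -> bool:
    group_ok = rule.ad_group is None or rule.ad_group in req.ad_groups
    return group_ok and in_ndg_tree(req.device_type, rule.device_type)


def authorize(rules: List[Rule], req: Request) -> str:
    """First matching rule wins, as in an ISE authorization policy.
    No match falls through to the default rule, which here is DENY."""
    for rule in rules:
        if matches(rule, req):
            return rule.shell_profile
    return "DENY"


# Assumed layout: one client-level NDG with five site NDGs under it.
SITES = ["Site1", "Site2", "Site3", "Site4", "Site5"]

# Superadmin rule first (client-level NDG => all sites), then one rule per site.
POLICY: List[Rule] = [Rule("SuperAdmins", "NetOps-SuperAdmins", "Client", "PRIV15")] + [
    Rule(f"{site}-Admins", f"NetOps-{site}", f"Client/{site}", "PRIV15") for site in SITES
]


def demo() -> dict:
    """Constructed sample requests; returns name -> resulting shell profile."""
    cases = {
        "superadmin_on_site3": Request("alice", frozenset({"NetOps-SuperAdmins"}), "Client/Site3"),
        "site1_admin_on_site1": Request("bob", frozenset({"NetOps-Site1"}), "Client/Site1"),
        "site1_admin_on_site2": Request("bob", frozenset({"NetOps-Site1"}), "Client/Site2"),
        "no_groups_on_site1": Request("eve", frozenset(), "Client/Site1"),
        # NAD mistakenly created outside the client's NDG tree: nobody matches
        "superadmin_on_misplaced_nad": Request("alice", frozenset({"NetOps-SuperAdmins"}), "ClientX/Site1"),
    }
    return {name: authorize(POLICY, req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:30s} -> {result}")
```

The real shell profile would carry the TACACS+ privilege level (for example `priv-lvl=15` for config access, `priv-lvl=1` for read-only); the toy just returns the profile name. The order of the site rules does not matter because their conditions are disjoint, but the default rule at the bottom must stay a deny, otherwise a site admin hitting another site's switch would get whatever the default hands out.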
3 Replies
VIP Advisor

Re: ISE authentication policy

Absolutely possible. Your devices should be in separate NDGs. Then create a policy to match the NDG with the AD group (if they are AD users) and assign authorization rules. I am assuming that you have them in separate AD groups, or you can use any other form of separation between the users (username, for example).


**** remember to rate useful posts
Beginner

Re: ISE authentication policy

I configured a Device Type which contained the main group for that client.

Also configured device groups for the different sites, e.g. 5 groups for 5 sites.

Then I configured a policy in Policy Sets so that it matches all devices for that client.

After that, I configured the authorization policy, and in the condition I used a logical AND of site_1 and internal user.

This did the trick for me.
