
ISE authentication policy

umeshunited
Level 1

Hi,

I have five different locations for one of the clients.

Each location has 2 to 3 network devices.

I want to give each local site administrator the privilege to change their local device config only.

Also, one superadmin should be able to change the config on all site devices.

Is it possible to do it under one policy in the Device admin policy set?

 

1 Accepted Solution

Mike.Cifelli
VIP Alumni
Yes, you could accomplish this in one device admin policy. Focus on your authz conditions. Quick example of how you could accomplish your requirement:
AD: External Groups Equals LOCATION1
AND
DEVICE-Device Type Equals LOCATION1 devices
Then push Shell profile containing read only

Good luck & HTH!


3 Replies

Absolutely possible. Your devices should be in separate NDGs. Then create a policy to match the NDG with the AD group (if they are AD users) and assign authorization rules. I am assuming that you have them in separate AD groups, or you can use any other form of separation between the users (username, for example).


**** remember to rate useful posts

umeshunited
Level 1

I configured a Device type which contained the main group for that Client.

Also configured device groups for different sites. e.g. 5 groups for 5 sites.

Then I configured a policy in policy sets so that it will match All devices for that client.

After that, I configured authorization policy and in the condition, I used logical AND of site_1 and internal user.

This did the trick for me.
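
The condition pairing discussed in this thread (user group AND device group per site, plus a rule for the superadmin) can be checked on paper before it is built. The following is an added example, not part of any post above and not ISE configuration or an ISE API: it models the rule table in Python and enumerates every group/site combination to confirm that no site admin is authorized on another site's devices. The `SUPERADMIN` group, the shell profile names, the site names beyond `LOCATION1`, and first-match rule evaluation are assumptions made for the example.

```python
# Added illustration: a model of the rule logic, not ISE configuration or an ISE API.
# Group, site and shell profile names are constructed for this example.
SITES = [f"LOCATION{n}" for n in range(1, 6)]

# Ordered rule table. Assumption: rules are evaluated top-down, first match wins.
# Each rule: (name, required user group, required device site or None for any, profile)
RULES = [("superadmin-all-sites", "SUPERADMIN", None, "full-config")]
RULES += [(f"{s}-local-admin", s, s, "site-config") for s in SITES]
DEFAULT_PROFILE = "deny"  # hypothetical catch-all result when no rule matches


def authorize(user_groups, device_site):
    """Return the profile of the first rule whose conditions all match."""
    for _name, group, site, profile in RULES:
        group_ok = group in user_groups
        site_ok = site is None or site == device_site
        if group_ok and site_ok:  # logical AND of both conditions
            return profile
    return DEFAULT_PROFILE


def cross_site_grants():
    """List (admin group, device site) pairs where a site admin gets
    anything other than the default on another site's devices."""
    return [(g, d) for g in SITES for d in SITES
            if g != d and authorize({g}, d) != DEFAULT_PROFILE]


def access_matrix():
    """Profile returned for each single-group user against each site."""
    groups = SITES + ["SUPERADMIN"]
    return {(g, d): authorize({g}, d) for g in groups for d in SITES}


if __name__ == "__main__":
    for (group, site), profile in sorted(access_matrix().items()):
        print(f"{group:<11} -> {site}: {profile}")
    print("cross-site grants:", cross_site_grants())
```

An empty list from `cross_site_grants()` is the property to preserve whenever a rule is added or reordered.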
