03-25-2021 10:45 PM
Tell me please: is it possible to create an access policy for the MyDevices portal that allows access only to a certain group in AD?
At the moment I have done it this way:
In the Identity Source Sequences, at MyDevice_Portal_Sequence, I left only the "Internal Users" identity source. Then I added a Network Access User with the same name as in the AD database and with the password type set to the AD sequence.
It works, but it is very inconvenient and not flexible.
And a second question: how can I modify the MyDevices Portal to add a combo-box to the standard form for selecting an endpoint group?
03-27-2021 05:09 PM
Unfortunately you have stumbled upon an area that has frustrated many. As you found, the RBAC for the My Devices portal is non-existent: you map AD, then everyone has access. This certainly is not an ideal situation for the vast majority of use cases. Compounding the issue, the portal is tied to a specific endpoint ID group, so you need a portal per ID group you want to add endpoints into. Due to this, it's almost always better to build an external portal leveraging the ERS APIs so you can do RBAC and endpoint ID group selection.
If a portal per identity group doesn't deter you, then you can look at Craig's old guide on adding RBAC to the My Devices portal. Craig's document is old and full of 1.3 screenshots, so it looks different, but it's all still valid.
https://community.cisco.com/t5/security-documents/ise-sponsor-amp-my-devices-authorization-on-secondary-attributes/ta-p/3641379
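To make the "external portal on the ERS APIs" suggestion concrete, here is an added example (not code from the thread, from Cisco, or from Craig's guide) of the back-end logic such a portal needs: a deny-by-default check that maps the user's AD groups to the endpoint identity groups they may register into, MAC normalization, and the two ERS calls that look up the chosen group's ID and create a statically assigned endpoint. The ISE hostname, ERS credentials, AD group DNs, endpoint group names, the POLICY table and the fake ISE responses are all constructed placeholders; only the ERS paths (/ers/config/endpointgroup with a name.EQ filter, and POST /ers/config/endpoint with an ERSEndPoint body) are the documented API.

```python
"""Back end for an 'external My Devices portal' against the Cisco ISE ERS API.

Added example, not from the thread: it does the two things the built-in portal
cannot, (1) RBAC by AD group before a user may register a device, and (2) letting
the user choose the endpoint identity group. Host, credentials, group names and
the policy table below are placeholders (assumptions, not from the thread).
"""
import base64
import json
import re
import urllib.parse
import urllib.request

# Constructed policy: which AD groups may register devices into which endpoint ID groups.
POLICY = {
    "CN=Staff-BYOD,OU=Groups,DC=example,DC=com": {"Staff-Laptops", "Staff-Phones"},
    "CN=Contractors,OU=Groups,DC=example,DC=com": {"Contractor-Devices"},
}


def normalize_mac(raw):
    """Accept 'aabb.ccdd.eeff', 'aa-bb-cc-dd-ee-ff' or 'aabbccddeeff'; return ISE's AA:BB:CC:DD:EE:FF."""
    hexd = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(hexd) != 12:
        raise ValueError("bad MAC: %r" % raw)
    return ":".join(hexd[i:i + 2] for i in range(0, 12, 2)).upper()


def allowed_groups(user_ad_groups, policy=POLICY):
    """RBAC: union of the endpoint ID groups permitted by the user's AD memberships."""
    out = set()
    for g in user_ad_groups:
        out |= policy.get(g, set())
    return out


def authorize(user_ad_groups, requested_group, policy=POLICY):
    """Deny by default: the group the user picked must be in their allowed set."""
    return requested_group in allowed_groups(user_ad_groups, policy)


class ErsClient:
    """Minimal ERS wrapper over urllib: HTTP basic auth, JSON in and out, port 9060."""

    def __init__(self, host, user, password, opener=None):
        self.base = "https://%s:9060/ers/config" % host
        tok = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
        self.headers = {"Authorization": "Basic " + tok,
                        "Accept": "application/json", "Content-Type": "application/json"}
        self.opener = opener or urllib.request.urlopen  # injectable so the example runs offline

    def _call(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data, headers=self.headers, method=method)
        with self.opener(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})

    def endpoint_group_id(self, name):
        """Resolve an endpoint identity group name to its ERS id (the user picks names, ERS wants ids)."""
        status, doc = self._call("GET", "/endpointgroup?filter=name.EQ." + urllib.parse.quote(name))
        res = doc.get("SearchResult", {}).get("resources", [])
        if status != 200 or len(res) != 1:
            raise LookupError("endpoint group %r not found" % name)
        return res[0]["id"]

    def create_endpoint(self, mac, group_id, description):
        """POST the endpoint; staticGroupAssignment keeps the profiler from moving it later."""
        payload = {"ERSEndPoint": {"name": mac, "mac": mac, "groupId": group_id,
                                   "staticGroupAssignment": True, "description": description}}
        status, _ = self._call("POST", "/endpoint", payload)
        return status


def register_device(client, username, user_ad_groups, raw_mac, requested_group):
    """The portal's single action: RBAC check first, then static assignment into the chosen group."""
    if not authorize(user_ad_groups, requested_group):
        raise PermissionError("%s may not register into %s" % (username, requested_group))
    mac = normalize_mac(raw_mac)
    gid = client.endpoint_group_id(requested_group)
    status = client.create_endpoint(mac, gid, "registered by %s via external portal" % username)
    return status == 201, mac  # ERS answers 201 Created on success


class _FakeResponse:
    """Constructed stand-in for an HTTP response so the example runs without an ISE node."""
    def __init__(self, status, body):
        self.status, self._body = status, json.dumps(body).encode()
    def read(self):
        return self._body
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False


def fake_ise_opener(req):
    """Constructed ISE: knows two endpoint groups and accepts any endpoint POST."""
    ids = {"Staff-Laptops": "aaaa-1111", "Contractor-Devices": "bbbb-2222"}  # placeholder ids
    if req.get_method() == "GET" and "/endpointgroup" in req.full_url:
        name = urllib.parse.unquote(req.full_url.rsplit("name.EQ.", 1)[1])
        res = [{"id": ids[name], "name": name}] if name in ids else []
        return _FakeResponse(200, {"SearchResult": {"total": len(res), "resources": res}})
    if req.get_method() == "POST" and req.full_url.endswith("/endpoint"):
        return _FakeResponse(201, {})
    return _FakeResponse(404, {})


if __name__ == "__main__":
    ise = ErsClient("ise.example.com", "ersadmin", "placeholder", opener=fake_ise_opener)
    staff = ["CN=Staff-BYOD,OU=Groups,DC=example,DC=com"]
    print(register_device(ise, "alice", staff, "aabb.ccdd.eeff", "Staff-Laptops"))
```

Against a real deployment, drop the `opener=` argument so urllib talks to the PAN; ERS must be enabled under Administration > System > Settings > ERS Settings, and the account needs the ERS Admin role. The user's AD group list would come from whatever authenticates them to the external portal (SAML or LDAP), never from the user; that is the RBAC the built-in portal lacks.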
03-28-2021 09:57 PM
Thanks a lot for your answer. It is regrettable to hear about such shortcomings in a program created for precisely these purposes.
But what about my second question? Can I customize the MyDevices Portal to add a combo-box for selecting an Endpoint Identity Group?
03-29-2021 12:54 PM
It is not possible to add an identity group selection to the built in my devices portal, you need a unique portal per ID group.
03-29-2021 10:50 PM
Weird flex, but ok )