12-11-2019 01:42 PM
Issue: I have 1 username within CISCO ISE that I wish to limit to only being able to TACACS into 1 device.
e.g. BOB SMITH can SSH / WebUI into device X only.
I have been testing with Policy Sets / Policy Elements. Not sure if I'm on the correct path.
Solved! Go to Solution.
12-11-2019 04:54 PM - edited 12-11-2019 04:57 PM
Yes, you can go that route. Within TACACS+ authentication policy you can set conditions such as "Network-Access Username EQUALS <username> AND Device-Hostname EQUALS <hostname>". Do not quote me on those condition names, as I do not have them handy to double check. It can be done that way, though. This solution also assumes that your default authentication policy would be to deny access. So, if this user does not match both the username and hostname attributes, they will implicitly fail authentication.
Edit: This can also be achieved by adding different devices to "Device Groups" and checking what group the device they are authenticating from is in.
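The accepted answer describes the policy logic in words: a rule whose conditions are ANDed (username AND device hostname, or username AND device group), evaluated first-match, with a default rule that denies. The following is an added example, not ISE's own code or anything from the thread, that models that evaluation in Python so the default-deny caveat can be checked concretely. The device names, group names, usernames and rule names are constructed for illustration; ISE's real attribute names differ from the field names used here.

```python
"""Toy model of a TACACS+ authentication policy as described in the thread:
first-match rules whose conditions are ANDed, followed by a default rule.
This is an illustrative model, not Cisco ISE code."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed device inventory: hostname -> set of device-group names.
# In ISE these would be Network Device Groups; the names here are made up.
DEVICES = {
    "core-sw1": {"Core", "All"},
    "edge-rtr1": {"Edge", "All"},
    "edge-rtr2": {"Edge", "All"},
}


@dataclass
class Rule:
    """One policy line. Every non-None condition must hold (AND semantics)."""
    name: str
    username: Optional[str] = None
    device_hostname: Optional[str] = None
    device_group: Optional[str] = None
    permit: bool = True

    def matches(self, username: str, hostname: str) -> bool:
        if self.username is not None and self.username != username:
            return False
        if self.device_hostname is not None and self.device_hostname != hostname:
            return False
        if self.device_group is not None:
            # Unknown devices belong to no group, so a group condition fails closed.
            if self.device_group not in DEVICES.get(hostname, set()):
                return False
        return True


def evaluate(rules: List[Rule], username: str, hostname: str,
             default_permit: bool = False) -> Tuple[bool, str]:
    """First matching rule wins; otherwise the default rule applies.
    Returns (permitted, name of the rule that decided)."""
    for rule in rules:
        if rule.matches(username, hostname):
            return rule.permit, rule.name
    return default_permit, "default-permit" if default_permit else "default-deny"


def single_device_policy() -> List[Rule]:
    """The thread's first approach: one user pinned to one hostname."""
    return [Rule("bob-to-core-sw1", username="bob.smith",
                 device_hostname="core-sw1")]


def device_group_policy() -> List[Rule]:
    """The thread's 'Edit' approach: match on the device's group instead."""
    return [Rule("netops-edge", username="netops", device_group="Edge")]


if __name__ == "__main__":
    rules = single_device_policy()
    for user, host in [("bob.smith", "core-sw1"), ("bob.smith", "edge-rtr1"),
                       ("alice", "core-sw1")]:
        print(user, host, evaluate(rules, user, host))
    # The caveat from the answer: with a permissive default the scoping evaporates.
    print("default permit:", evaluate(rules, "bob.smith", "edge-rtr1",
                                      default_permit=True))
    for host in ("edge-rtr1", "edge-rtr2", "core-sw1"):
        print("netops", host, evaluate(device_group_policy(), "netops", host))
```

The last print makes the answer's assumption visible: the same rule set that restricts bob.smith to core-sw1 under a default-deny policy lets him onto every device once the default is permit, so the default rule at the bottom of the policy set deserves the same review as the scoped rule itself.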