Configuring dynamic policy sets on Cisco ISE for TACACS+

Hello Community,

my customer wants to implement TACACS+ for managing user admin access to its network devices.

 

For each site the customer wants to allow login to network devices to two different types of users: Read Only (RO) and Read Write (RW).

So for each site there will be a dedicated AD group for RO-users and a dedicated AD group for RW-users.

 

Requirements are:

- RO-users of site X have to be allowed to login in RO only to network devices of site X but they don't have to be allowed to login on other sites devices

- RW-users of site X have to be allowed to login in RW only to network devices of site X but they don't have to be allowed to login on other sites devices

 

The main constraint is that there are around 100 sites so making a policy set per each site would not be a very efficient solution.

I would appreciate it if someone can suggest to me how to define a policy set that can authenticate and authorize users dynamically looking at the AD group and at the NAD name.

 

Many thanks in advance for your help.

Paolo


Francesco Molino
VIP Alumni

Hi

 

Instead of having 1 policy-set per site, have you tried leveraging device location attributes (or any other custom attributes)?

You can use this attribute combined with user AD group membership on the authorization policy, all within 1 policy-set.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
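To make the single-policy-set design concrete, here is a small reference model (added example code, not from Cisco ISE or from the posters): one authorization rule per site, each matching the NAD's Location attribute together with the user's AD group, evaluated first-match. The attribute name, the `NET-<SITE>-RO` / `NET-<SITE>-RW` group naming convention, the site names and the profile names are all assumptions; it also adds a check that the generated rule table enforces the cross-site isolation requirement.

```python
"""Reference model of a single TACACS+ policy set with one authorization
rule per site (assumed design; not ISE's own code or API)."""
from dataclasses import dataclass


def group_name(site: str, role: str) -> str:
    """Assumed AD group naming convention: NET-<SITE>-RO / NET-<SITE>-RW."""
    return f"NET-{site.upper()}-{role}"


@dataclass(frozen=True)
class Rule:
    location: str   # NAD Location attribute value the rule matches
    ad_group: str   # AD group the user must belong to
    profile: str    # shell profile granted when the rule matches


def build_rules(sites):
    """Generate the rule table for all sites (two rules per site).
    RW is listed before RO so a user in both groups gets RW under
    first-match evaluation instead of being silently downgraded."""
    rules = []
    for site in sites:
        rules.append(Rule(site, group_name(site, "RW"), "RW_SHELL"))
        rules.append(Rule(site, group_name(site, "RO"), "RO_SHELL"))
    return rules


def authorize(rules, nad_location, user_groups):
    """First-match evaluation like an ISE authorization policy; the
    implicit default when nothing matches is DENY."""
    for r in rules:
        if r.location == nad_location and r.ad_group in user_groups:
            return r.profile
    return "DENY"


def check_matrix(sites):
    """Verify the requirement: RO/RW users of a site get their profile
    only on that site's devices and DENY everywhere else.
    Returns the list of violations (empty when the table is correct)."""
    rules = build_rules(sites)
    violations = []
    for home in sites:
        for role, expected in (("RO", "RO_SHELL"), ("RW", "RW_SHELL")):
            groups = {group_name(home, role)}
            for target in sites:
                got = authorize(rules, target, groups)
                want = expected if target == home else "DENY"
                if got != want:
                    violations.append((home, role, target, got))
    return violations
```

Running `check_matrix` over the full site list is a cheap way to confirm, before touching ISE, that the rule table you intend to build cannot leak access across sites; the rule count still grows linearly with the number of sites, which is the trade-off discussed below.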

Hi Francesco

and thanks for your advice.

Yes, I thought to apply this solution but I realized that this would just move the problem to the authorization policy layer.

I mean, ok I can create only one policy set but then I have to create one authorization policy for each site.

And this will bring me to the starting point.

Am I wrong?

Many thanks for your help.

Paolo

You're right, you will have multiple rules instead of multiple policy-sets.

 

But I don't see any workaround based on your needs.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question