Device Administration Radius - authz profiles

Cengiz Savas
Level 1

Hello everyone,

we are planning to use ISE for device administration for a large-scale SP-like customer. We are using FreeRADIUS and want to replace it with ISE.

We have a complex environment, therefore our goal is to keep policies as simple as possible.

There are about 10 different departments, each with its own network admin team, which is divided into 5 different teams like security, switching, routing etc. Within these teams we will have privileges WRITE, READ and LIMITED. Additionally we have to differentiate in the authorisation profiles between several vendors.

I have to assign more than one authz result to an authz policy.

So the authz policy would be something like the attached screenshot.

So my question/concern is about authz profile:

  • Afaik when I have more than one authz profile assigned to a policy, all attributes will be sent to the NAD. Would that have any impact on the NAD, when e.g. a Cisco device receives RADIUS attributes from other vendors?
  • Is there maybe a better approach to design policies? I want to avoid multiplying the set of authz policies (see screenshot) by the number of vendors.
  • Is there maybe a more intelligent approach where ISE chooses the authz profile which fits the NAD? Maybe roadmap?

Thanks in advance for your input.

Cengiz

(Attachment: Untitled 4.png)

hslai
Cisco Employee
  • Afaik when I have more than one authz profile assigned to a policy, all attributes will be sent to the NAD. Would that have any impact on the NAD, when e.g. a Cisco device receives RADIUS attributes from other vendors?

This depends on the NADs -- whether the NADs are able to ignore the attributes they do not understand.

  • Is there maybe a better approach to design policies? I want to avoid multiplying the set of authz policies (see screenshot) by the number of vendors.
  • Is there maybe a more intelligent approach where ISE chooses the authz profile which fits the NAD? Maybe roadmap?

If the RADIUS authorization profiles differ in the RADIUS vendor dictionaries used, then you may use NAD profiles and select the list of RADIUS vendor dictionaries available to a particular NAD profile. See How To: Create Network Access Device Pr... - Cisco Community
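To make the first answer concrete, here is an added example (not from this thread and not ISE code) that encodes the attribute list an Access-Accept would carry when a policy returns both a Cisco and a Juniper authorization profile, then models a NAD that keeps the standard attributes and its own vendor's VSAs and ignores every other vendor's, which is what RFC 2865 asks a NAS to do with Vendor-Specific attributes it does not recognise. The enterprise numbers (Cisco 9, Juniper 2636) are the real IANA values; the Juniper user-template name, the packet itself and the function names are my own constructed sample data.

```python
import struct

# RFC 2865 attribute types and values used below.
VSA_TYPE = 26             # Vendor-Specific
SERVICE_TYPE = 6          # Service-Type
ADMINISTRATIVE_USER = 6   # Service-Type value Administrative-User

# IANA enterprise numbers. Vendor-type 1 is Cisco-AVPair in the Cisco
# dictionary and Juniper-Local-User-Name in the Juniper dictionary.
CISCO = 9
JUNIPER = 2636


def encode_int_attr(attr_type: int, value: int) -> bytes:
    """Encode a standard 4-byte integer attribute: type, length=6, value."""
    return struct.pack("!BBI", attr_type, 6, value)


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Encode one Vendor-Specific attribute carrying a single sub-attribute."""
    # 255 (max length) - 2 (outer header) - 4 (vendor id) - 2 (sub header)
    if len(value) > 247:
        raise ValueError("VSA value too long for one attribute")
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", VSA_TYPE, 2 + len(body)) + body


def parse_attributes(data: bytes):
    """Walk a RADIUS attribute list.

    Returns a list of (attr_type, vendor_id, vendor_type, value); vendor_id
    and vendor_type are None for standard (non-VSA) attributes. Malformed
    lengths raise instead of being silently skipped.
    """
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError(f"bad attribute length {length} at offset {i}")
        val = data[i + 2:i + length]
        if attr_type == VSA_TYPE:
            if len(val) < 6:
                raise ValueError("Vendor-Specific attribute too short")
            vendor_id = struct.unpack("!I", val[:4])[0]
            j = 4
            # One VSA may carry several sub-attributes for the same vendor.
            while j < len(val):
                if j + 2 > len(val):
                    raise ValueError("truncated VSA sub-attribute")
                vtype, vlen = val[j], val[j + 1]
                if vlen < 2 or j + vlen > len(val):
                    raise ValueError(f"bad VSA sub-length {vlen}")
                out.append((attr_type, vendor_id, vtype, val[j + 2:j + vlen]))
                j += vlen
        else:
            out.append((attr_type, None, None, val))
        i += length
    return out


def vendors_in(data: bytes):
    """Which vendor dictionaries an attribute list actually draws on."""
    return sorted({a[1] for a in parse_attributes(data) if a[1] is not None})


def nad_view(data: bytes, nad_vendor_id: int):
    """Model an RFC-compliant NAD: keep standard attributes and VSAs of its
    own vendor, ignore VSAs of any other vendor. Returns (kept, ignored)."""
    kept, ignored = [], []
    for attr in parse_attributes(data):
        vendor_id = attr[1]
        (kept if vendor_id in (None, nad_vendor_id) else ignored).append(attr)
    return kept, ignored


# Constructed sample: the attribute list a policy returning a Cisco profile
# (priv-lvl 15) and a Juniper profile (local user template) would produce.
SAMPLE_ACCEPT = (
    encode_int_attr(SERVICE_TYPE, ADMINISTRATIVE_USER)
    + encode_vsa(CISCO, 1, b"shell:priv-lvl=15")
    + encode_vsa(JUNIPER, 1, b"netadmin-write")
)

if __name__ == "__main__":
    print("vendor dictionaries in Access-Accept:", vendors_in(SAMPLE_ACCEPT))
    for name, vid in (("Cisco", CISCO), ("Juniper", JUNIPER)):
        kept, ignored = nad_view(SAMPLE_ACCEPT, vid)
        print(f"{name} NAD keeps {len(kept)} attribute(s), ignores {len(ignored)}")
        for _, v, t, value in ignored:
            print(f"  ignored vendor {v} type {t}: {value!r}")
```

Running it shows the Cisco NAD keeping Service-Type plus its own cisco-avpair and dropping the Juniper VSA, and the reverse for the Juniper NAD. The practical check this gives you is `vendors_in()`: run it over the attributes a policy returns and you see exactly which dictionaries the NAD will be asked to tolerate, which is the list you would trim with a NAD profile as the answer suggests.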
