Hello everyone,
We are planning to use ISE for device administration for a large-scale SP-like customer. We are using FreeRADIUS and want to replace it with ISE.
We have a complex environment, therefore our goal is to keep policies as simple as possible.
There are about 10 different departments, each with its own network admin team, which is divided into 5 different teams like security, switching, routing etc. Within these teams we will have the privileges WRITE, READ and LIMITED. Additionally, we have to differentiate in the authorisation profiles between several vendors.
I have to assign more than one authz result to an authz policy.
So the authz policy would be something like the attached screenshot.
So my question/concern is about authz profile:
- AFAIK, when I have more than one authz profile assigned to a policy, all attributes will be sent to the NAD. Would that have any impact on the NAD when, e.g., a Cisco device receives RADIUS attributes from other vendors?
- Is there maybe a better approach to designing policies? I want to avoid multiplying the set of authz policies (see screenshot) by the number of vendors.
- Is there maybe a more intelligent approach where ISE chooses the authz profile which fits to the NAD? Maybe roadmap?
Thanks in advance for your input.
Cengiz