How to restrict an ISE TACACS user from logging in to another device? Our company has manufacturing in many locations around the world and we want to restrict all of our engineers based on their geographic locations.

kumarrak1
Level 1

How to restrict a TACACS user from logging in to another device? Our company has manufacturing in many locations around the world and we want to restrict all of our engineers based on their geographic locations.

Accepted Solution

paul
Level 10

That is a common setup for worldwide deployments. You have two methods to tackle this. You can write rules from the perspective of the geographic region or from the device type perspective. Device Type might be the easiest and would look something like this given standard region names (only showing routers and switches and a few regions):

Device Types
  All Device Types
    Switch
    Router

Locations
  All Locations
    North America
      Wisconsin
      Illinois
    EMEA
      Germany
      England
    APAC
      China
      Japan

Switch Policy Set

Policy Set Criteria: Device Type equals All Device Types#Switch
Authentication Criteria: wherever you are authenticating users against
Authorization Rules:
  1. If member of Global Network Admin group then full access
  2. If member of North America Network Admin group and switch location begins with All Locations#North America then full access
  3. If member of EMEA Network Admin group and switch location begins with All Locations#EMEA then full access
  4. If member of AsiaPac Network Admin group and switch location begins with All Locations#APAC then full access

Router Policy Set

Policy Set Criteria: Device Type equals All Device Types#Router
Authentication Criteria: wherever you are authenticating users against
Authorization Rules:
  1. If member of Global Network Admin group then full access
  2. If member of North America Network Admin group and switch location begins with All Locations#North America then full access
  3. If member of EMEA Switch Network group and switch location begins with All Locations#EMEA then full access
  4. If member of AsiaPac Switch Network group and switch location begins with All Locations#APAC then full access

Then build this out as needed. I usually break out device types even if the access rules are identical, to allow for future use cases where different users may administer routers vs. switches.

kthiruve
Cisco Employee

You can also use user groups, say if your users are part of Active Directory user groups.

If you want greater granularity to accommodate a pool of common administrators accessing many devices, you can use a combination of Network Device Groups and Active Directory groups.

-Krishnan
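To make the two answers above concrete, here is an added Python model of the policy structure they describe (a policy set per Network Device Group device type, authorization rules keyed on AD group membership plus an NDG location scope, as in the accepted answer, which is also the NDG-plus-AD-group combination Krishnan mentions). This is illustration code written for this page, not Cisco ISE code and not something either poster supplied. It assumes ISE's `#`-separated NDG path notation from the thread, invents the device names, the `FullAccess`/`DenyAccess` result names and the `EMEA-Test` sibling group for the demonstration, and models the "location begins with" condition as a segment-aware prefix test, which is a deliberate hardening choice here; whether ISE's own operator behaves identically is not something the thread states.

```python
from dataclasses import dataclass
from typing import Optional

# NDG paths use the '#' separator shown in the thread, e.g. "All Locations#EMEA".
ROOT_LOCATION = "All Locations"
ROOT_DEVICE_TYPE = "All Device Types"


@dataclass(frozen=True)
class NetworkDevice:
    """A network device as registered in ISE, with its NDG memberships."""
    name: str
    device_type: str  # e.g. "All Device Types#Switch"
    location: str     # e.g. "All Locations#North America#Wisconsin"


@dataclass(frozen=True)
class AuthzRule:
    """One authorization rule: required AD group, optional NDG location scope, result."""
    name: str
    user_group: str
    location_prefix: Optional[str]  # None means 'any location' (the global-admin rule)
    result: str                     # hypothetical shell-profile name, e.g. "FullAccess"


@dataclass(frozen=True)
class PolicySet:
    """A policy set selected by NDG device type, holding ordered authorization rules."""
    name: str
    device_type: str
    rules: tuple


def under_ndg(path: str, prefix: str) -> bool:
    """Segment-aware 'begins with' on an NDG path (assumption: stricter than a plain
    string prefix, so 'All Locations#EMEA' never matches a sibling group such as
    the constructed 'All Locations#EMEA-Test')."""
    return path == prefix or path.startswith(prefix + "#")


def build_policy_sets(regions: dict) -> list:
    """Build one policy set per device type with the same rule pattern the accepted
    answer shows: global admins first, then one rule per region.
    `regions` maps an AD admin group name to the NDG location it may manage."""
    policy_sets = []
    for dtype in ("Switch", "Router"):
        rules = [AuthzRule("Global admins", "Global Network Admin", None, "FullAccess")]
        for group, location in regions.items():
            rules.append(AuthzRule(f"{group} (regional)", group, location, "FullAccess"))
        policy_sets.append(
            PolicySet(f"{dtype} Policy Set", f"{ROOT_DEVICE_TYPE}#{dtype}", tuple(rules))
        )
    return policy_sets


def authorize(policy_sets: list, device: NetworkDevice, user_groups: set) -> str:
    """First-match evaluation for an already authenticated TACACS+ user: pick the
    policy set whose device-type criterion matches, then the first rule whose AD
    group and location scope both match. Anything else falls through to deny."""
    for ps in policy_sets:
        if ps.device_type != device.device_type:
            continue
        for rule in ps.rules:
            if rule.user_group not in user_groups:
                continue
            if rule.location_prefix is not None and not under_ndg(
                device.location, rule.location_prefix
            ):
                continue
            return rule.result
        return "DenyAccess"  # policy set matched but no rule did (implicit default)
    return "DenyAccess"      # no policy set exists for this device type


# Region groups and locations taken from the accepted answer.
REGIONS = {
    "North America Network Admin": f"{ROOT_LOCATION}#North America",
    "EMEA Network Admin": f"{ROOT_LOCATION}#EMEA",
    "AsiaPac Network Admin": f"{ROOT_LOCATION}#APAC",
}
POLICY_SETS = build_policy_sets(REGIONS)

# Constructed sample devices (names and the EMEA-Test group are invented for this demo).
DEVICES = {
    "wi-sw-01": NetworkDevice("wi-sw-01", f"{ROOT_DEVICE_TYPE}#Switch", f"{ROOT_LOCATION}#North America#Wisconsin"),
    "de-rtr-01": NetworkDevice("de-rtr-01", f"{ROOT_DEVICE_TYPE}#Router", f"{ROOT_LOCATION}#EMEA#Germany"),
    "emea-test-sw": NetworkDevice("emea-test-sw", f"{ROOT_DEVICE_TYPE}#Switch", f"{ROOT_LOCATION}#EMEA-Test#Lab"),
    "jp-fw-01": NetworkDevice("jp-fw-01", f"{ROOT_DEVICE_TYPE}#Firewall", f"{ROOT_LOCATION}#APAC#Japan"),
}

if __name__ == "__main__":
    for dev_name, groups in [
        ("wi-sw-01", {"North America Network Admin"}),   # in-region engineer
        ("de-rtr-01", {"North America Network Admin"}),  # out-of-region engineer
        ("de-rtr-01", {"Global Network Admin"}),         # global admin anywhere
        ("emea-test-sw", {"EMEA Network Admin"}),        # sibling NDG, not a child
        ("jp-fw-01", {"Global Network Admin"}),          # no policy set for this type
    ]:
        print(f"{dev_name:14} {sorted(groups)} -> {authorize(POLICY_SETS, DEVICES[dev_name], groups)}")
```

Two points worth checking in a real deployment follow from the model: the result is "deny" both when no rule in the matched policy set fires and when no policy set exists for the device type at all, so a new device type (the firewall above) is locked out until a policy set is added, and the location test must respect the `#` boundary so that a regional admin group is not accidentally granted a sibling NDG whose name merely shares a prefix.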