Beginner

How to segregate device admin access to a device group on ISE

Hi,

I'm trying to see if it's possible to have ISE use its RBAC feature to allow a specific group of people to administer devices that are part of one device group without allowing them to see anything else. I've been doing some testing, and even though the Data Permission for the Admin group only allows full rights to one device group, the user is still able to see and modify all devices.

Is there any way to limit this?

Thanks,

Miguel

Accepted Solution

Cisco Employee

Re: How to segregate device admin access to a device group on ISE

You may use RBAC based on custom network device groups, but not the default ones. See CSCvb55884.

4 Replies
Cisco Employee

Re: How to segregate device admin access to a device group on ISE

You need to tweak menu access. I am not sure if you are referring to Network Device Groups, which are a logical way to categorize devices, etc., in policy sets. This is different from RBAC.

Here are a few things to think about from RBAC.

1. First try and determine the roles of these administrators to get an idea what they need access to.

2. Map these roles to already existing groups in ISE or create a new one.

3. Use combination of menu and data access to prevent access to UI and configuration.

-Krishnan

Beginner

Re: How to segregate device admin access to a device group on ISE

Thanks for the quick reply.

Yep, I have the AD group assigned to the users in question and the menu access, etc. You are correct, I'm referring to the Network Device groups. Essentially, what I'd like to do is the following:

1. Tim is an admin of the switches in Site 1

2. In ISE I, as the Super Admin of the entire TACACS environment, create the policies to allow Tim to log into his switches and place them into a Network Device Group that he can access. I also give him access based on his AD group to log into ISE and administer the devices within that Network Device Group.

3. Tim logs into ISE and all he sees under Network Devices, are the devices which are part of the Network Device Group that I allow him to see via ISE RBAC.


Is this possible?

Under the Data Permissions I can see that I limit it to a specific Network Device Group, but the user is still able to see and edit all Network Devices that exist, not only the ones that are part of the specific Network Device Group.

Beginner

Re: How to segregate device admin access to a device group on ISE

Hi everyone,

I have a design question regarding RBAC (trying to avoid CSCvb55884, which is related to the default Network Device Groups):
Does anyone use a design that actually works and which fulfils the following needs?
1. Having about 20 sites with local admins, who should be able to add, change and delete "their" local-site NADs in ISE
2. The site admins should not have access to view the NAD configuration of other sites
3. There are global technology-administrator groups which should be able to manage only specific device types that are located centrally and locally on different sites within ISE
(like central and decentral firewalls, switching/routing, proxies and so on)

In short, the ISE RBAC requirements for data access are:
- ISE admin-group access: condition: if NAD-Location AND NAD-Type match, then permit access

The testing I've been doing until now has shown the ISE RBAC logic to be as follows:
- ISE admin-group access: condition: if NAD-Location OR NAD-Type matches, then permit access
(This does not provide sufficiently restricted access, and when designing one "network device tree" with both "conditions" within that tree, it does not scale: I get hundreds or thousands of groups reflecting each location with all the different device types within it.)

Does anyone else know how to solve this limitation?
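To make the two evaluation orders concrete, here is an added Python model of the data-access check. It is illustrative code written for this page, not ISE's own logic and not code from anyone in the thread. It labels each NAD with a Location and a Device Type (as with two ISE network device group trees), filters a constructed inventory of three sites and three device types under the OR behaviour the poster reports and under the AND behaviour they want, and counts how many leaf groups a single combined Location_Type tree would need. The device names, sites and types are constructed sample data; the OR semantics is modelled as reported above, not verified against ISE.

```python
"""Added example: a model of ISE admin RBAC data-access filtering.

Illustrative code written for this page, not ISE's own logic.
A network access device (NAD) is labelled with a Location and a Device
Type, as with two ISE network device group (NDG) trees. Two evaluators
show what a site admin would see if the permitted groups are combined
with OR (the behaviour reported in the thread) versus AND (the behaviour
wanted). All device data below is constructed sample data.
"""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class NetworkDevice:
    name: str
    location: str       # leaf of the "Location" NDG tree, e.g. "Site1"
    device_type: str    # leaf of the "Device Type" NDG tree, e.g. "Switch"


# Constructed inventory: one device of each type at each site.
SITES = ("Site1", "Site2", "Site3")
TYPES = ("Switch", "Firewall", "Proxy")
INVENTORY = [
    NetworkDevice(f"{site.lower()}-{dtype.lower()}-1", site, dtype)
    for site, dtype in product(SITES, TYPES)
]


def visible_or(devices, locations, types):
    """Reported behaviour: a device is visible if it matches ANY permitted
    group, i.e. its location is permitted OR its type is permitted."""
    return sorted(d.name for d in devices
                  if d.location in locations or d.device_type in types)


def visible_and(devices, locations, types):
    """Wanted behaviour: a device is visible only if its location is
    permitted AND its type is permitted."""
    return sorted(d.name for d in devices
                  if d.location in locations and d.device_type in types)


def over_exposed(devices, locations, types):
    """Devices an admin can see under OR evaluation but should not see
    under AND evaluation: the excess the thread is trying to remove."""
    wanted = set(visible_and(devices, locations, types))
    return sorted(set(visible_or(devices, locations, types)) - wanted)


def combined_leaf_groups(n_sites, n_types):
    """Leaf groups needed if location and type are folded into ONE NDG tree
    so that each (site, type) pair is its own permission target. This is
    the growth the last poster describes: the product, not the sum."""
    return n_sites * n_types


if __name__ == "__main__":
    # A "Site1 switch admin": permitted location Site1, permitted type Switch.
    loc, typ = {"Site1"}, {"Switch"}
    print("AND :", visible_and(INVENTORY, loc, typ))
    print("OR  :", visible_or(INVENTORY, loc, typ))
    print("excess under OR:", over_exposed(INVENTORY, loc, typ))
    print("leaf groups for 20 sites x 5 types:", combined_leaf_groups(20, 5))
```

Running it shows the Site1 switch admin sees exactly one device under AND evaluation but five under OR evaluation: every device at Site1 plus every switch at the other two sites. Folding both dimensions into one tree to get AND behaviour costs one leaf group per (site, type) pair, which is where the group count in the poster's design explodes.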