Is it possible to assign a policy to a specific PSN node group?

JPavonM
VIP

I cannot find the answer to this question in the ISE Admin guide, and it seems to me that the Node Group's only functionality is to detect a failure between PSN nodes that belong to a specific group so as to keep the sessions active. (I may be wrong)

Is it possible to create a policy for device admin with NPS and MFA per region? What I'm trying to get is that every ISE PSN in one region uses the NPS for MFA in the same region as primary option, and the other region as alternate. The identity source sequence does not address this regional issue and one solution would be to have 2 sequences and then create a different policy for the specific node group (EMEA and APAC), OR use a load-balancer and use topology to detect the location of the ISE PSN and redirect the request to the NPS in that region.

The alternate methods could be:
   1) Use "Dictionary=Network Access" AND "Attribute=ISE Host Name" to detect the PSN that originates the request
   2) Use "Dictionary=DEVICE" AND "Attribute=Location" to detect the geography if this is properly created

1 Accepted Solution

thomas
Cisco Employee

No option for matching an ISE PSN Node Group exists today. Your closest option is to use Network-Access:ISE-Host-Name for any of the nodes in your node group(s). If you want this, you will want to wish for a new ISE feature @ https://cs.co/ise-wish

Typically location-based policy is handled by any PSN - without concern for any node groups - using a Network Device Group (NDG) specified in Device:Location, your option #2.

JPavonM
VIP

Thanks @thomas for your expert comment on the different options.