

ISE 2.2 device groups question

Can somebody tell me what the supported number of device groups is in ISE 2.2? For ISE 2.1 I believe the number is 100.
I have a general question about TACACS authentication policy.
Suppose I have +- 500 locations; at each location we have a local admin that is allowed to manage the switches/devices, but only at this location or the assigned locations. We don't want to give the local admin rights to other devices on other sites.
How do I solve this using ISE?
Since there is a limit on device groups this can't be used, and this would also mean creating separate access rules for each location.
If somebody could point me in the right direction.


Marvin Rhoads
VIP Community Legend

The recommended limit is still 100 NDGs. This is what Cisco has tested and validated. You can add more but may be into unsupported areas if you go up several multiples of the recommended limit.

As far as I know (and unfortunately), having 500 admins like this probably means 500 rules. 

Rising star

You could combine your ISE policy with vty ACLs, so you only allow access from the local site to the router/switch at that site; then you could have one rule, allowing access from just one admin group, where all the site admins are in. Only if they go to another location, they could log in to switches there, but not when they are on their own site.

[@jan.nielsen],

That's a good idea, except unless the ACL creation was scripted and orchestrated it'd probably be more administrative overhead to administer 500 unique ACLs than one big set of policies.

They would probably also need to add the subnets the admins and any network management tools use to the vty ACL.

This is an interesting approach. But you would have to create an ACL per location, no? And still have the need for different rules. Or you mean implementing the vty ACL locally and not assigning it via ISE.
I really don't see an option to have one rule that covers this or doing this without device groups.


Hi, why not look at the possibility of zoning the locations with a unique identity and having say around 5-10 (looking at scalability) locations per zone.

Then create zone groups and add devices in a zone to each zone group and finally create an AD for the network admin within that zone.

You can rest assured that only the network admin within that zone can have access to the devices in the zone.

Thanks for your input. But can you explain your approach a bit more? What do you mean with zoning the locations with a unique identity?

If I have 500 separate locations I still need 500 NDGs and still need a policy rule per location.

You need a geopolitical zone for the locations. You can use zone identities like the state, or district or country, or cardinal zones like west, north, south-west, anything that you use to uniformly identify the location.

So if you use state for example, for state A you might have 10 locations, which might have 10-50 devices in total. Same as state B, C till you cover the whole locations.

E.g. since you have 500 locations, try to create 50 states or zones, meaning location 1-10 are in state 1, location 11-20 are in state 2 and so on.

Now create a device root group called state, and subgroups called state 1 - 50 (this will cover your total locations if you scale the locations in 10s).

So add all devices within location 1-10 to the state 1 group, 11-20 to the state 2 group and so on... (you can use the CSV template to import).

Next create an AD for your network admin based on the state (1-50) created, meaning a network admin under the state 1 AD will access devices in location 1-10.

So your authorization condition will be: if AD:exgroup equals state 1 AND device:state equals state can have access. (This is simple but will make you create 50 rules.)

Or say: if AD:exgroup contains device:state (you can have access). This flies in one line.

Just try and understand the concept.
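
The zoning scheme and the two rule styles from the post above, modelled as an added Python example (not from the thread and not ISE code). It assumes `contains` behaves as a plain substring match on the AD group name; the function names and the zero-padded naming are hypothetical. Under that assumption it audits whether any zone admin can reach devices in a zone other than their own.

```python
# Added example: models the thread's zoning scheme; this is not ISE code.
# Assumption: the single-rule "contains" operator is a plain substring match.

def zone_for_location(location, per_zone=10):
    """Locations 1-10 -> 'State 1', 11-20 -> 'State 2', ... as in the post."""
    if location < 1:
        raise ValueError("locations are numbered from 1")
    return f"State {(location - 1) // per_zone + 1}"

def allow_explicit(rules, ad_groups, device_zone):
    """One rule per zone: rules is a list of (AD group, device zone) pairs."""
    return any(g in ad_groups and z == device_zone for g, z in rules)

def allow_contains(ad_groups, device_zone):
    """Single rule: some AD group name contains the device's zone value."""
    return any(device_zone in g for g in ad_groups)

def padded(zone):
    """Hypothetical fixed-width naming ('State 01'): no name is inside another."""
    prefix, num = zone.rsplit(" ", 1)
    return f"{prefix} {int(num):02d}"

def audit_overmatch(zones, allow):
    """(admin zone, device zone) pairs where an admin reaches a foreign zone."""
    return [(a, d) for a in zones for d in zones if a != d and allow({a}, d)]

def build_zones(locations=500, per_zone=10):
    """Distinct zone names, in order, for locations 1..locations."""
    seen = []
    for n in range(1, locations + 1):
        z = zone_for_location(n, per_zone)
        if z not in seen:
            seen.append(z)
    return seen

if __name__ == "__main__":
    zones = build_zones()
    rules = [(z, z) for z in zones]            # 50 explicit rules
    explicit = audit_overmatch(zones, lambda g, d: allow_explicit(rules, g, d))
    loose = audit_overmatch(zones, allow_contains)
    fixed = audit_overmatch([padded(z) for z in zones], allow_contains)
    print(len(zones), "zones;", len(explicit), "overmatches with per-zone rules")
    print(len(loose), "overmatches with unpadded 'contains', e.g.", loose[:2])
    print(len(fixed), "overmatches with zero-padded names")
```

Running the same audit over the real group and NDG names before deploying a one-line rule shows whether any name is a substring of another.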

