Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1645
Views
0
Helpful
2
Replies

ISE 3.0, ISE network device groups hierarchy

Go to solution
SMD28316
Level 1
Level 1

‎08-04-2022 10:06 PM - edited ‎08-04-2022 10:25 PM

I use network device groups to manage my policy sets for RADIUS and TACACS, The following hierarchy is what I am trying to implement:

Managed by TACACS group:

  • WLCs
    • 5520
    • 9800
  • Firewalls
    • ASA
    • FDT
    • FMC
  • Switches
    • catalyst
    • Nexus
  • Routers
    • IRS

RADIUS authentication group:

  • Wireless 
    • BYOD
    • POSTURE
    • GUEST
  • Wired
    • POSTURE
    • GUEST ACCESS
    • DOTIX
    • MAB
  • VPN

What I noticed is that I can't have a network device in two or more groups, for example I want to be able to manage my WLC with TACACS+, also I want to use it for GUEST and BYOD, if I add it to the group (RADIUS authentication group >> Wireless >> Guest) users will be able to access the guest network, but the WLC will not be managed by TACACS+

Is this by design in ISE? also, I noticed that I can't use the group (RADIUS authentication group >> Wireless ) and tat I need to specify the latest device group in the tree, is inheritance not working in ISE network devices?

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎08-04-2022 10:41 PM

You can create custom groups for network devices to create multiple trees like this and have a device in more than the two default groups (device type + location) at once. 

If you want to use the group "Wireless" in a policy, you could use the "contains" logic, but it won't work to map a middle group as "equals" since that requires an exact match. 

Example for device type with multiple logic variations. 
devicetype#WLCs#9800 - you can match this with equals "devicetype#WLCs#9800", ends with "WLCs#9800", or contains "WLCs"

View solution in original post

0 Helpful

Go to solution
thomas
Cisco Employee
Cisco Employee

‎08-15-2022 01:23 PM

You absolutely can assign multiple network device groups per network device:

image.png


image.png

Please see our ISE Webinar ▶ Managing Network Devices in ISE where I explain how to create and assign network device groups.
31:46 Network Device Groups (NDGs)
34:12 CSV Export & Import of NDGs and Network Devices

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎08-04-2022 10:41 PM

You can create custom groups for network devices to create multiple trees like this and have a device in more than the two default groups (device type + location) at once. 

If you want to use the group "Wireless" in a policy, you could use the "contains" logic, but it won't work to map a middle group as "equals" since that requires an exact match. 

Example for device type with multiple logic variations. 
devicetype#WLCs#9800 - you can match this with equals "devicetype#WLCs#9800", ends with "WLCs#9800", or contains "WLCs"

0 Helpful

Go to solution
thomas
Cisco Employee
Cisco Employee

‎08-15-2022 01:23 PM

You absolutely can assign multiple network device groups per network device:

image.png


image.png

Please see our ISE Webinar ▶ Managing Network Devices in ISE where I explain how to create and assign network device groups.
31:46 Network Device Groups (NDGs)
34:12 CSV Export & Import of NDGs and Network Devices

0 Helpful
Customers Also Viewed These Support Documents