ISE 3.0, ISE network device groups hierarchy

SMD28316
Level 1

I use network device groups to manage my policy sets for RADIUS and TACACS. The following hierarchy is what I am trying to implement:

Managed by TACACS group:

  • WLCs
    • 5520
    • 9800
  • Firewalls
    • ASA
    • FTD
    • FMC
  • Switches
    • catalyst
    • Nexus
  • Routers
    • ISR

RADIUS authentication group:

  • Wireless
    • BYOD
    • POSTURE
    • GUEST
  • Wired
    • POSTURE
    • GUEST ACCESS
    • DOT1X
    • MAB
  • VPN

What I noticed is that I can't have a network device in two or more groups. For example, I want to be able to manage my WLC with TACACS+, and I also want to use it for GUEST and BYOD. If I add it to the group (RADIUS authentication group >> Wireless >> Guest), users will be able to access the guest network, but the WLC will not be managed by TACACS+.

Is this by design in ISE? Also, I noticed that I can't use the group (RADIUS authentication group >> Wireless) and that I need to specify the last device group in the tree. Is inheritance not working in ISE network devices?

Accepted Solutions

Damien Miller
VIP Alumni

You can create custom groups for network devices to create multiple trees like this and have a device in more than the two default groups (device type + location) at once. 

If you want to use the group "Wireless" in a policy, you could use the "contains" logic, but it won't work to map a middle group as "equals" since that requires an exact match. 

Example for device type with multiple logic variations. 
devicetype#WLCs#9800 - you can match this with equals "devicetype#WLCs#9800", ends with "WLCs#9800", or contains "WLCs"


thomas
Cisco Employee

You absolutely can assign multiple network device groups per network device:

[screenshots in the original post]

Please see our ISE Webinar ▶ Managing Network Devices in ISE where I explain how to create and assign network device groups.
31:46 Network Device Groups (NDGs)
34:12 CSV Export & Import of NDGs and Network Devices

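The two answers above make two points that are easy to get wrong in a policy set: a device carries one value per network device group root tree (so a WLC can sit in both the TACACS tree and the RADIUS tree at once), and conditions are evaluated against the full '#'-delimited path string, so "equals" on a middle node such as Wireless never matches a leaf path while "contains" and "ends with" do. The following is an added example, not code from ISE or from either poster: a small Python model of those path strings and the equals / starts with / ends with / contains operators, using the tree and group names from the original post (with the typos corrected) and two constructed devices. It assumes case-sensitive string comparison and one value per root tree; it also shows the over-match a bare contains "GUEST" produces when a Wired group is called "GUEST ACCESS".

```python
"""Model of ISE network device group (NDG) paths and condition operators.
Added example, not code from ISE or the posters.  Paths are
root#branch#leaf strings; a device holds at most one path per root tree.
Tree and group names come from the original post; devices are constructed."""

from dataclasses import dataclass, field

# Root tree -> branch -> leaves.  Each root is a separate NDG attribute.
NDG_TREES = {
    "Managed by TACACS": {
        "WLCs": ["5520", "9800"],
        "Firewalls": ["ASA", "FTD", "FMC"],
        "Switches": ["catalyst", "Nexus"],
        "Routers": ["ISR"],
    },
    "RADIUS authentication group": {
        "Wireless": ["BYOD", "POSTURE", "GUEST"],
        "Wired": ["POSTURE", "GUEST ACCESS", "DOT1X", "MAB"],
        "VPN": [],  # a leaf directly under the root
    },
}


def valid_paths(trees):
    """Flatten the trees into the full path strings a device can hold."""
    paths = set()
    for root, branches in trees.items():
        for branch, leaves in branches.items():
            for leaf in leaves or [None]:
                parts = [root, branch] + ([leaf] if leaf else [])
                paths.add("#".join(parts))
    return paths


VALID_PATHS = valid_paths(NDG_TREES)


@dataclass
class NetworkDevice:
    name: str
    groups: dict = field(default_factory=dict)  # root tree -> full path

    def assign(self, path):
        """Attach one NDG value; a second value under the same root is refused."""
        if path not in VALID_PATHS:
            raise ValueError(f"{path!r} is not a defined NDG")
        root = path.split("#", 1)[0]
        if root in self.groups:
            raise ValueError(f"{self.name}: {root!r} already set to {self.groups[root]!r}")
        self.groups[root] = path
        return self


# Condition operators, applied to the full path string of one root tree.
OPERATORS = {
    "equals": lambda value, operand: value == operand,
    "starts with": lambda value, operand: value.startswith(operand),
    "ends with": lambda value, operand: value.endswith(operand),
    "contains": lambda value, operand: operand in value,
}


def matches(device, root, operator, operand):
    """Evaluate one NDG condition; a device with no value under root never matches."""
    value = device.groups.get(root)
    return value is not None and OPERATORS[operator](value, operand)


def select_policy_set(device, policy_sets):
    """First-match selection; each entry is (name, root, operator, operand)."""
    for name, root, operator, operand in policy_sets:
        if matches(device, root, operator, operand):
            return name
    return "Default"


RADIUS_ROOT = "RADIUS authentication group"
TACACS_ROOT = "Managed by TACACS"

# Anchoring on the middle segment keeps Wired#POSTURE out of the wireless set
# and keeps Wired#GUEST ACCESS out of the wireless guest set.
NETWORK_ACCESS_POLICY_SETS = [
    ("Wireless posture", RADIUS_ROOT, "contains", "#Wireless#POSTURE"),
    ("Wireless guest", RADIUS_ROOT, "ends with", "#Wireless#GUEST"),
    ("Wired guest", RADIUS_ROOT, "ends with", "#Wired#GUEST ACCESS"),
    ("Wired 802.1X", RADIUS_ROOT, "ends with", "#Wired#DOT1X"),
]

DEVICE_ADMIN_POLICY_SETS = [
    ("WLC admin", TACACS_ROOT, "contains", "#WLCs#"),
    ("Switch admin", TACACS_ROOT, "starts with", "Managed by TACACS#Switches"),
]


def build_sample_devices():
    """Constructed devices: a WLC in both trees, a switch with a near-miss group name."""
    wlc = NetworkDevice("wlc-9800-01")
    wlc.assign("Managed by TACACS#WLCs#9800").assign("RADIUS authentication group#Wireless#GUEST")
    sw = NetworkDevice("sw-access-01")
    sw.assign("Managed by TACACS#Switches#catalyst").assign("RADIUS authentication group#Wired#GUEST ACCESS")
    return wlc, sw


if __name__ == "__main__":
    wlc, sw = build_sample_devices()
    # The poster's observation: 'equals' on a middle node never matches a leaf path.
    print(matches(wlc, RADIUS_ROOT, "equals", "RADIUS authentication group#Wireless"))        # False
    print(matches(wlc, RADIUS_ROOT, "starts with", "RADIUS authentication group#Wireless#"))  # True
    # A bare contains "GUEST" also catches the wired switch's "GUEST ACCESS" group.
    print(matches(sw, RADIUS_ROOT, "contains", "GUEST"))                                      # True
    print(select_policy_set(wlc, NETWORK_ACCESS_POLICY_SETS), select_policy_set(wlc, DEVICE_ADMIN_POLICY_SETS))
```

Assigning a second leaf under the same root (for example adding Wireless#BYOD to a device that already has Wireless#GUEST) is refused by the model, which is the limit the original poster ran into; the same device still holds its TACACS tree value independently, so the device-admin and network-access policy sets each see the value they need.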
