ISE Admin Restrictions for RADIUS Logs

mmshg1234
Level 1

Hi ISE Community,

An international customer of ours is using ISE for all their WiFi authentication. Currently, they are managing the worldwide deployment with a central team. They want to spread the workload by giving local admins in different countries (minimum read-only) access to ISE to be able to troubleshoot WiFi issues.

However, for privacy reasons, they do have the requirement that regional admins should only be able to see RADIUS logs for their own region, not globally. Naively, I assumed restricting "Data Access" within the Admin Authorization config would also restrict the admin to seeing only logs (especially RADIUS Live Logs / Live Sessions) generated by network devices in their region. When trying it out, I noted that this setting really only restricts configuration of Network Devices and their group assignments; the logs themselves are not filtered.

Is there anything in the ISE roadmap or in the latest versions (we're currently on 2.3) to address this? Does anyone have any suggestions how to address the requirement at this point?

Best regards,

Matthias

Accepted Solutions

Arne Bier
VIP

Hi @mmshg1234 

You're thinking of something like Cisco Prime Infrastructure's virtual domains, which allow regional assignment of devices etc. - ISE doesn't have anything like this. The RBAC functionality is pretty good for restricting the menu structures. But I have had little joy with the data restrictions, since they pertain to the access mode (read/write, read-only, none) rather than having any scope mechanism.

I would recommend putting a feature request in here

https://www.ciscofeedback.vovici.com/se.ashx?s=6A5348A7707FD7A6

cheers

Arne

2 Replies

Hi Arne,

Sorry for my late reply, and thank you for the quick and helpful answer. Even if it's not the one I was hoping for :/

Will certainly put in the feature request.