
ISE Device Admin Policy Set- User based

manvik
Level 3

How can the below be done for a device admin policy set?

Devices

Network Device 1 (ND 1) is under All device Type>DC>ND1

Network Device 2 (ND 2) is under All device Type>DC2>ND2

----- exists until "All device Type>DC>ND32" and "All device Type>DC2>ND32"

Users

User1 in Group Support

User2 in Group Lead

 

Policy Sets

First set checks whether Device Type starts with "All device Type>DC2"

Authorization policy check for usergroup support

shell profile, commands are minimum

 

Second set checks whether Device Type starts with "All device Type"

Authorization policy check for usergroup lead

shell profile, commands are maximum

 

Issue

In this case, when a user in the lead group logs in to the DC2>ND2 device, it gets authenticated to the first policy set. It does not come to the second policy set.

How can we authenticate and authorize it to the second set?

 

 

1 Accepted Solution

Damien Miller
VIP Alumni
You may have an error in the logic as it pertains to "device type > all device types" if you have this set to equals in the policy set.

If you say "device type equals all device types", this won't match a device that is located in "All device Type>DC2>ND2" because it's not an exact match. If you switch the logic to "contains" or "starts with", you will match any device nested under all device types.

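
A simplified model of the evaluation order discussed in this thread, added here as an example; it is not code from either poster or from Cisco ISE. It assumes policy sets are tried top-down, only the first matching set's authorization rules are evaluated, and an unmatched user group falls to a deny default; `WITH_LEAD_RULE` is a hypothetical layout that nobody in the thread proposed.

```python
# Simplified model of policy-set selection; example code, not Cisco ISE itself.
# Assumptions: sets are tried top-down, the first set whose condition matches
# is selected, and only that set's authorization rules are evaluated.
OPERATORS = {
    "equals": lambda actual, value: actual == value,
    "starts_with": lambda actual, value: actual.startswith(value),
    "contains": lambda actual, value: value in actual,
}
DEFAULT_RESULT = "default rule (deny)"  # assumed fallback when no rule matches


def evaluate(policy_sets, device_type, user_group):
    """Return (name of the selected policy set, authorization result)."""
    for ps in policy_sets:
        if OPERATORS[ps["op"]](device_type, ps["value"]):
            # No fall-through: later sets are never consulted after a match.
            return ps["name"], ps["rules"].get(user_group, DEFAULT_RESULT)
    return None, DEFAULT_RESULT


# Policy sets as described in the question (set names are placeholders).
AS_POSTED = [
    {"name": "Set1", "op": "starts_with", "value": "All device Type>DC2",
     "rules": {"Support": "minimum commands"}},
    {"name": "Set2", "op": "starts_with", "value": "All device Type",
     "rules": {"Lead": "maximum commands"}},
]

# Same layout with Set2 on "equals", the error the accepted answer describes.
SET2_EQUALS = [AS_POSTED[0], dict(AS_POSTED[1], op="equals")]

# Hypothetical layout (assumption, not from the thread): Set1 also has a Lead rule.
WITH_LEAD_RULE = [
    dict(AS_POSTED[0], rules={"Support": "minimum commands",
                              "Lead": "maximum commands"}),
    AS_POSTED[1],
]

if __name__ == "__main__":
    layouts = {"as posted": AS_POSTED, "Set2 equals": SET2_EQUALS,
               "Lead rule in Set1": WITH_LEAD_RULE}
    for label, sets in layouts.items():
        for device in ("All device Type>DC>ND1", "All device Type>DC2>ND2"):
            for group in ("Support", "Lead"):
                print(label, "|", device, "|", group, "->",
                      evaluate(sets, device, group))
```

In this model a `starts_with` value of `All device Type>DC` would also match the DC2 branch, so a prefix condition needs the trailing separator when sibling group names share a prefix.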