Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
580
Views
0
Helpful
2
Replies

ISE Distributed - PSNs associated to Specific RSA Servers

Go to solution
Samuel Vuillaume
Cisco Employee
Cisco Employee

‎04-17-2018 02:36 PM

Hey guys

Quick question.

I have been reading about this but I would like to get confirmation as it gets quite confusing lol

Anyway, my client has an ISE distributed env based on Dedicated PAN, Mnt and PSNs

They will be using many RSA servers as external identity sources.

Because of the distribution of the PSNs group of network devices (NAD group)   will be using specific PSNs and other group of NADs other  PSNs. 

Question:

—————

For specific groups of devices (NAD grouped per location for example) can they use a specific RSA server? As

PSN1—RSA1 primary

           |___RSA2 sec

PSN2—RSA2 primary

          |___RSA1 sec

This seems possible using rule based authentication policies in ISE.

However although it seems to be based on specific ISE  attributes only part of the ISE dictionary 

It seems we can group PSN together as a mode group.

So in this case I can def configure each NAD to point to specific “node group” then using rule based authentications asking these Node groups (based on device IP or device network group or location) to use a specific RSA servers.

If you could chime in I would appreciate.

Thank you

image1.jpeg

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
hslai
Cisco Employee
Cisco Employee

‎04-24-2018 08:17 PM

Paul is correct that PSN node groups are not available as authentication policy conditions and they are more for ISE profiling replications.

If you meant network devices in the same network device groups use the same sets of PSNs, then you may use the network device grouping as the authentication policy conditions.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
paul
Advocate
Advocate

‎04-18-2018 09:49 AM

I don't think you can use node groups in Auth criteria, but just use the PSN hostname attribute:

Capture.JPG

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee

‎04-24-2018 08:17 PM

Paul is correct that PSN node groups are not available as authentication policy conditions and they are more for ISE profiling replications.

If you meant network devices in the same network device groups use the same sets of PSNs, then you may use the network device grouping as the authentication policy conditions.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents