
1262 Views | 0 Helpful | 3 Replies
Beginner

ISE - Policy Set query

Hello All

While planning I came across this scenario and just want to cross-check with the community.

Hypothetical situation:

If I have two vendors supporting my network devices (say two vendors X and Y):

X supports security devices, say ASA firewalls

Y supports LAN/WAN devices, say switches and ISR routers

They both should not be able to log in to each other's managed devices.

X should not be able to log in with SSH into an ISR

Y should not be able to SSH into an ASA

On ISE:

- I define two NDGs: Security_Devices and IOS_Devices

- I define two DAGs: X_Staff and Y_Staff

Is there a way I can set an authentication policy that blocks X_Staff from authenticating on IOS_Devices, and vice versa?

As far as I understand, authentication cannot be conditioned using "DAG", and I have no way to restrict authentication of X_Staff on IOS devices? I can limit/deny authorization but not authentication.

Does that sound correct? Anyone can "authenticate" into any device as long as they are part of the same identity source?

Thanks in advance

1 ACCEPTED SOLUTION

Cisco Employee

Sounds like a perfect use-case for using SGTs. Define groups for Vendors and groups for different access devices. Set enforcement as necessary.

If it's purely for authentication then have you looked at TACACS?

3 REPLIES

Beginner

I think what you need is to configure authorization policies; you can set permission to enter only the network elements you define.

Cisco Employee

You are correct, and both responders Joff and aosomo provided some input.

If you need an example, see the ISE Device Administration resources for TACACS+ and RADIUS, especially the ISE Device Administration Prescriptive Deployment Guide.
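As an added illustration (not Cisco code and not from this thread), here is a small Python model of the split the question describes: authentication rules keyed on the network device group only, authorization rules keyed on NDG plus identity group, so the cross-vendor block shows up as an authorization denial rather than an authentication failure, which is also how it will look in the ISE live logs. The device names, user names and passwords are constructed; the group and shell-profile names are the hypothetical ones from the question.

```python
"""Toy model of an ISE device-administration (TACACS+) policy set.

Added illustration, not Cisco code. Authentication rules select an identity
store by network device group (NDG) only; authorization rules may also match
the user's identity group, so the cross-vendor block lands in authorization.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed NDG membership, identity-group membership and sample credentials.
NDG = {"asa-fw-01": "Security_Devices", "isr-rtr-01": "IOS_Devices"}
IDENTITY_GROUPS = {"alice": "X_Staff", "bob": "Y_Staff"}  # X: security vendor, Y: LAN/WAN vendor
PASSWORDS = {"alice": "x-secret", "bob": "y-secret"}  # constructed, never do this for real

# Authentication policy: condition is the NDG only; result is an identity store.
AUTHN_RULES = [("Security_Devices", "Internal_Users"), ("IOS_Devices", "Internal_Users")]

# Authorization policy: (NDG, identity group) -> shell profile; no match -> default deny.
AUTHZ_RULES = {
    ("Security_Devices", "X_Staff"): "Priv15_ShellProfile",
    ("IOS_Devices", "Y_Staff"): "Priv15_ShellProfile",
}


@dataclass
class Decision:
    authenticated: bool
    shell_profile: Optional[str]  # None means authorization denied
    reason: str


def evaluate(user: str, password: str, device: str) -> Decision:
    """Run one TACACS+ login through the authentication and authorization steps."""
    ndg = NDG.get(device)
    store = next((s for n, s in AUTHN_RULES if n == ndg), None)
    if store is None:
        return Decision(False, None, "no authentication rule matched NDG")
    # Identity-store check: the user's group plays no part in this step.
    if PASSWORDS.get(user) != password:
        return Decision(False, None, f"{store}: invalid credentials")
    group = IDENTITY_GROUPS.get(user)
    profile = AUTHZ_RULES.get((ndg, group))
    if profile is None:
        return Decision(True, None, f"authorization denied: {group} on {ndg}")
    return Decision(True, profile, "authorized")


if __name__ == "__main__":
    for user, pw, dev in [("alice", "x-secret", "isr-rtr-01"), ("alice", "x-secret", "asa-fw-01")]:
        print(user, dev, evaluate(user, pw, dev))
```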
