Hello all,
While planning, I came across this scenario and just want to cross-check with the community.
Hypothetical situation:
If I have two vendors supporting my network devices (say two vendors, X and Y):
X supports security devices, say ASA firewalls
Y supports LAN/WAN devices, say switches and ISR routers
They both should not be able to log in to each other's managed devices.
X should not be able to log in with SSH to an ISR
Y should not be able to SSH into an ASA
On ISE:
- I define two NDGs: Security_Devices and IOS_Devices
- I define two DAGs: X_Staff and Y_Staff
Is there a way I can set an authentication policy that blocks X_Staff from authenticating on IOS_Devices, and vice versa?
As far as I understand, authentication cannot be conditioned using "DAG", and I have no way to restrict authentication of X_Staff on IOS devices? I can limit/deny authorization but not authentication.
Does that sound correct? Anyone can "authenticate" into any device as long as they are part of the same identity source?
Thanks in advance
Sounds like a perfect use case for using SGTs. Define groups for vendors and groups for the different access devices. Set enforcement as necessary.
If it's purely for authentication, then have you looked at TACACS?
I think what you need is to configure authorization policies; you can set permission to enter only the network elements you define.
You are correct, and both responders, Joff and aosomo, provided some inputs.
If you need some examples, see the ISE Device Administration resources for TACACS+ and RADIUS, especially the ISE Device Administration Prescriptive Deployment Guide.
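As an added example (not from the original thread or any of the posters), here is the device-side AAA configuration that makes the authorization-based approach discussed above actually enforceable. The thread's conclusion is that ISE decides "X_Staff on an IOS_Devices member" in the TACACS+ authorization policy (a rule pairing the Network Device Group with the identity group and returning Deny Access or a shell profile), not in the authentication policy. That only works if the ISR asks ISE for EXEC authorization after authentication; a device configured with `aaa authentication login` alone opens the EXEC session as soon as the password is accepted and never sends the authorization request that the deny rule would answer. Server names, the 10.0.0.10 address and the shared secret are placeholders; the `!` lines are annotations.

```ios
! --- ISR (IOS / IOS-XE) side ---
aaa new-model
!
tacacs server ISE-PSN-1
 address ipv4 10.0.0.10
 key <shared-secret>
!
aaa group server tacacs+ ISE-TACACS
 server name ISE-PSN-1
!
! Authentication answers "who is this?" against the identity store.
! ISE cannot refuse here based on the user's group, as noted in the thread.
aaa authentication login VTY_AUTHEN group ISE-TACACS local
!
! Authorization answers "may this user have a shell on THIS device?".
! This is the request evaluated by the ISE authorization policy
! (Network Device Group AND identity group -> shell profile or Deny Access).
aaa authorization exec VTY_AUTHOR group ISE-TACACS local
aaa authorization commands 15 VTY_CMDS group ISE-TACACS local
aaa authorization config-commands
!
aaa accounting exec default start-stop group ISE-TACACS
aaa accounting commands 15 default start-stop group ISE-TACACS
!
line vty 0 4
 login authentication VTY_AUTHEN
 authorization exec VTY_AUTHOR
 authorization commands 15 VTY_CMDS
 transport input ssh
!
! --- ASA side, same idea ---
aaa-server ISE-TACACS protocol tacacs+
aaa-server ISE-TACACS (inside) host 10.0.0.10
 key <shared-secret>
aaa authentication ssh console ISE-TACACS LOCAL
! Request EXEC authorization from ISE after SSH authentication, so that a
! Deny Access result for Y_Staff on Security_Devices blocks the login.
aaa authorization exec authentication-server
```

Two caveats worth checking when testing this: the `local` / `LOCAL` fallback in the method lists is only used when ISE does not respond (server unreachable), not when ISE answers with a deny, so a vendor account refused by the authorization policy does not fall through to a local account; and the ASA and ISR must be members of the right Network Device Group in ISE, because that membership is what the authorization rule matches on.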