ISE - Policy Set query

Rajiv Mishra
Level 1

Hello All

While planning, I came across this scenario and just want to cross-check with the community.

Hypothetical situation:

If I have two vendors supporting my network devices (say two vendors, X and Y):

X supports security devices, say ASA firewalls

Y supports LAN/WAN devices, say switches and ISR routers

They both should not be able to log in to each other's managed devices.

X should not be able to log in with SSH to an ISR

Y should not be able to SSH into an ASA

 

On ISE:

- I define two NDGs: Security_Devices and IOS_Devices

- I define two DAGs: X_Staff and Y_Staff

 

Is there a way I can set an authentication policy that blocks X_Staff from authenticating on IOS_Devices, and vice versa?

As far as I understand, authentication cannot be conditioned using "DAG", and I have no way to restrict authentication of X_Staff on IOS devices. I can limit/deny authorization but not authentication.

Does that sound correct? Anyone can "authenticate" into any device as long as they are part of the same identity source?

Thanks in advance

Accepted Solution

jeaves@cisco.com
Cisco Employee

Sounds like a perfect use case for using SGTs. Define groups for vendors and groups for different access devices. Set enforcement as necessary.

If it's purely for authentication then have you looked at TACACS?

3 Replies

aosorno
Level 1

I think what you need is to configure authorization policies; there you can set permissions to enter only the network elements you define.

hslai
Cisco Employee

You are correct, and both responders, Joff and aosorno, provided some inputs.

If you need an example, see the ISE Device Administration resources for TACACS+ and RADIUS, especially the ISE Device Administration Prescriptive Deployment Guide.
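As an added example (not from this thread and not ISE's own code), a small Python model of the policy-set evaluation the replies describe: authentication only checks membership in the identity source, so both vendors authenticate on every device, while the per-vendor restriction is an authorization rule that matches on identity group and NDG together. The NDG and group names are the ones from the question; the users, device names and shell-profile names are constructed.

```python
# Constructed identity store: user -> identity group (the "DAG" in the question).
IDENTITY_STORE = {
    "alice": "X_Staff",  # vendor X engineer (firewalls)
    "bob": "Y_Staff",    # vendor Y engineer (switches/routers)
}

# Constructed network device list: device -> Network Device Group (NDG).
NETWORK_DEVICES = {
    "asa-edge-01": "Security_Devices",
    "isr-branch-07": "IOS_Devices",
}

# Authorization rules: (identity group, NDG) -> TACACS+ shell profile.
# First match wins; anything unmatched falls through to the default deny.
AUTHZ_RULES = [
    ("X_Staff", "Security_Devices", "FirewallAdmin"),
    ("Y_Staff", "IOS_Devices", "NetworkAdmin"),
]
DEFAULT_AUTHZ = "DenyAccess"


def authenticate(user: str) -> bool:
    """Authentication policy: succeeds for anyone in the identity source,
    regardless of which device they are logging in to."""
    return user in IDENTITY_STORE


def authorize(user: str, device: str) -> str:
    """Authorization policy: return the shell profile for this user on this
    device, or the default deny when no (group, NDG) rule matches.
    An unknown device has no NDG and therefore never matches a rule."""
    group = IDENTITY_STORE.get(user)
    ndg = NETWORK_DEVICES.get(device)
    for rule_group, rule_ndg, profile in AUTHZ_RULES:
        if group == rule_group and ndg == rule_ndg:
            return profile
    return DEFAULT_AUTHZ


def device_login(user: str, device: str) -> tuple:
    """Device-admin login flow: authentication first, then authorization.
    Returns (authenticated, shell_profile)."""
    if not authenticate(user):
        return (False, DEFAULT_AUTHZ)
    return (True, authorize(user, device))


if __name__ == "__main__":
    for u, d in [("alice", "asa-edge-01"), ("alice", "isr-branch-07"),
                 ("bob", "isr-branch-07"), ("bob", "asa-edge-01")]:
        print(u, d, device_login(u, d))
```

Running it shows the vendor X engineer authenticating successfully on the ISR but receiving DenyAccess at authorization, which is the behaviour the question anticipates.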
