06-29-2020 06:29 PM - edited 06-29-2020 06:31 PM
Hello All
While planning I came across this scenario and just want to cross-check with the community.
Hypothetical situation:
If I have two vendors supporting my network devices (say two vendors X and Y):
X supports security devices, say ASA firewalls
Y supports LAN/WAN devices, say switches and ISR routers
They both should not be able to log in to each other's managed devices.
X should not be able to log in via SSH to the ISR
Y should not be able to SSH into the ASA
On ISE:
-I define two NDGs - Security_Devices and IOS_Devices
-I define two DAGs - X_Staff and Y_Staff
Is there a way I can set an authentication policy that blocks X_Staff from authenticating on IOS_Devices? And vice versa?
As far as I understand, authentication cannot be conditioned using "DAG", and I have no way to restrict authentication of X_Staff on IOS devices? I can limit/deny authorization but not authentication.
Does that sound correct? Anyone can "authenticate" into any device as long as they are part of the same identity source?
Thanks in advance
07-10-2020 07:38 AM
Sounds like a perfect use-case for using SGTs. Define groups for Vendors and groups for different access devices. Set enforcement as necessary.
If it's purely for authentication then have you looked at TACACS?
07-10-2020 12:00 PM
I think what you need is to configure authorization policies; there you can set permission to enter only the network elements you define.
07-11-2020 11:19 AM
You are correct and both responders Joff and aosomo provided some inputs.
If you need some examples, see the ISE Device Administration resources for TACACS+ and RADIUS, especially the ISE Device Administration Prescriptive Deployment Guide.