05-08-2017 12:35 AM
Q1. Maximum number of Endpoint identity groups we can configure.
The customer needs 200 endpoint identity groups.
Q2. Maximum number of Authorization profiles we can configure.
The customer needs 400 Authorization profiles.
05-08-2017 05:32 PM
500 EP ID groups; 600 authz profiles.
05-10-2017 11:25 AM
Additionally, under ISE 2.2 we validated the following specific to auth policy rules...
05-10-2017 05:41 PM
Thank you so much. Your information is really helpful.
08-29-2017 10:27 PM
The customer demands over 1000 identity groups.
Is there any roadmap to increase the scale?
We need the information to respond to the RFP.
08-29-2017 10:51 PM
Please contact ISE PM team on roadmap inquiries.
08-30-2017 06:05 AM
The original post was about Auth Policy (Policy Sets, AuthC Rules, AuthZ Rules). Your last request was about Identity Groups. I recommend reassessing the need for so many identity groups. Did you know that ISE 2.1 and above support endpoint custom attributes? You could assign unique values to the custom attribute that translate into unique group values, and then apply policy based on that. However, you still do not want a policy where you get into "If Group=X" or "If CustomAttr1=X", then permit..., because you would have a rule explosion. It is best to have policy leverage dynamic attributes where the value assignment is based on the value assigned in an internal or external ID store. Example: set VLAN or SGT based on the value assigned to a custom attribute, or to an AD/LDAP attribute for a given user/endpoint. This way you consolidate many rules into one or a few.
/Craig
09-08-2017 12:40 AM
Thank you for your comments.
I would like to know how to set an endpoint custom attribute based on an LDAP attribute for a given user/endpoint.
I want to set a unique endpoint custom attribute based on an LDAP attribute for a given user/endpoint.
Is it possible using an authorization policy rule?
The customer wants to handle and assign 1000 VLANs based on an LDAP attribute for a given user/endpoint.
But the Identity Groups limit is 500, so I'm thinking of also using custom attributes.
Your comments would be really appreciated.
- Customer's authentication/authorization flow:
1. When an endpoint accesses the network for the first time,
the endpoint's MAC address authentication fails because it is not registered,
and it is authorized by CWA with an LDAP user/password.
2. During this time, register the endpoint to Identity Groups
(and also set custom attributes, but I don't know how to set this) based on the LDAP attribute for the given user/endpoint.
3. Assign the VLAN based on the LDAP attribute for the given user/endpoint.
4. On the 2nd network access of the endpoint, the endpoint's MAC address authentication passes
and the VLAN is assigned based on Identity Group and Custom attribute.
Thanks
Nana
09-08-2017 05:40 AM
You cannot dynamically assign a custom attribute today based on the auth result, unless some external scripting is performed to make such an update. Such scripting is outside the scope of the forum but could be triggered based on RADIUS auth log events.
Note that in most cases, the endpoint will continue to Authorization anyway even if not yet learned by ISE, so authorization policy matching ends up being the same.
If you already know the VLAN that you want the user to be assigned to, then add that as a field in their AD/LDAP record and then configure the Authorization Profile to set the VLAN dynamically based on the attribute value. In the example below, the user record in AD was updated so that the PostalCode attribute had the VLAN number or name for the user. The same applies to LDAP.
/Craig
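Added example, not part of the thread or of Cisco's own code: it models the two points Craig makes above, namely that one authorization profile reading the VLAN from a directory attribute (PostalCode in his example) replaces a thousand "If Group=X then VLAN X" rules, and that an external script watching RADIUS auth logs is the only way to write an endpoint custom attribute today. The directory records, the log line, the attribute name `VlanAssignment` and the ERS endpoint JSON shape are constructed assumptions for illustration; nothing here contacts a real ISE, and the only check a practitioner should take away is that a directory attribute is helpdesk-writable data and must be validated before it becomes a RADIUS tunnel attribute.

```python
"""Dynamic VLAN from a directory attribute, plus a log-triggered custom
attribute update. Constructed example, not from the forum thread."""
import re

# Constructed LDAP/AD records. The VLAN lives in postalCode, as in Craig's
# example, so the policy needs one rule instead of one per VLAN.
LDAP = {
    "alice":   {"postalCode": "1042", "department": "eng"},
    "bob":     {"postalCode": "GUEST_VLAN", "department": "sales"},
    "mallory": {"postalCode": "4095; DROP", "department": "eng"},  # malformed
    "carol":   {"department": "hr"},                               # attribute missing
}

DEFAULT_VLAN = "quarantine"  # fallback when the attribute is unusable
VLAN_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_-]{0,31}$")


def vlan_from_attribute(value):
    """Return a safe VLAN ID or name, or None if the attribute is missing or
    malformed. Directory attributes are often writable by helpdesk staff, so
    the value is validated before it is sent to the switch."""
    if value is None:
        return None
    value = value.strip()
    if value.isdigit():
        n = int(value)
        return str(n) if 1 <= n <= 4094 else None
    return value if VLAN_NAME_RE.match(value) else None


def dynamic_vlan_profile(username, directory):
    """One authorization profile: derive the VLAN from the user's directory
    record and emit the RFC 3580 tunnel attributes a switch expects."""
    vlan = vlan_from_attribute(directory.get(username, {}).get("postalCode"))
    if vlan is None:
        vlan = DEFAULT_VLAN
    return {
        "Tunnel-Type": "VLAN",              # attribute 64, value 13
        "Tunnel-Medium-Type": "IEEE-802",   # attribute 65, value 6
        "Tunnel-Private-Group-ID": vlan,    # attribute 81
    }


def static_rules(vlans):
    """The rule explosion Craig warns about: one rule per group/VLAN."""
    return {f"Group_VLAN{v}": {"Tunnel-Private-Group-ID": str(v)} for v in vlans}


# Constructed log line in the key=value style of an ISE passed-authentication
# syslog message. Field names are assumptions; check them on your deployment.
SAMPLE_LOG = ("<181>Sep 08 2017 05:40:00 ise01 CISE_Passed_Authentications 0000123 1 0 "
              "UserName=alice, Calling-Station-ID=00-11-22-33-44-55, "
              "NetworkDeviceName=sw-floor1, AuthenticationMethod=PAP_ASCII")

LOG_FIELD_RE = re.compile(r"(\w[\w-]*)=([^,]+)")


def parse_auth_log(line):
    """Extract the key=value fields from one log line."""
    return {k: v.strip() for k, v in LOG_FIELD_RE.findall(line)}


def endpoint_custom_attribute_update(line, directory, attr_name="VlanAssignment"):
    """Build the body an external script could PUT to the ERS endpoint
    resource after a passed CWA authentication. The JSON shape is an
    assumption; verify it against the ERS SDK page of your ISE version."""
    fields = parse_auth_log(line)
    mac = fields["Calling-Station-ID"].upper().replace("-", ":")
    vlan = vlan_from_attribute(directory.get(fields["UserName"], {}).get("postalCode"))
    if vlan is None:
        return None  # never record a bogus value on the endpoint
    return {"ERSEndPoint": {"mac": mac,
                            "customAttributes": {"customAttributes": {attr_name: vlan}}}}


if __name__ == "__main__":
    print(len(static_rules(range(1, 1001))), "static rules vs 1 dynamic rule")
    for user in LDAP:
        print(user, dynamic_vlan_profile(user, LDAP)["Tunnel-Private-Group-ID"])
    print(endpoint_custom_attribute_update(SAMPLE_LOG, LDAP))
```

The malformed value for `mallory` and the missing attribute for `carol` both land in the fallback VLAN rather than being passed through, which is the check worth keeping whichever directory attribute you choose to carry the VLAN.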
05-10-2017 05:40 PM
Thank you so much!