scale information about ISE2.2

naogawa
Cisco Employee

Q1. Max number of Endpoint identity groups we can configure.

The customer needs 200 endpoint identity groups.

Q2. Max number of Authorization profiles we can configure.

The customer needs 400 Authorization profiles.

9 Replies

hslai
Cisco Employee

500 EP ID groups; 600 authz profiles.

Additionally, under ISE 2.2 we validated the following specific to auth policy rules...

Thank you so much. Your information is really helpful.

The customer tells us they need over 1000 identity groups.

Is there any roadmap to increase the scale?

We need the information to respond to the RFP.

hslai
Cisco Employee

Please contact ISE PM team on roadmap inquiries.

The original post was about Auth Policy (Policy Sets, AuthC Rules, AuthZ Rules). Your last request was about Identity Groups. I recommend reassessing the need for so many identity groups. Did you know that ISE 2.1 and above support endpoint custom attributes? You could assign unique values to the custom attribute that can translate into a unique group value, and then apply policy based on that. However, you still do not want a policy where you get into "If Group=X" or "If CustomAttr1=X", then permit..., because you would have a rule explosion. It is best to have policy leverage dynamic attributes where the value assignment is based on the value assigned in an internal or external ID store. Example: Set VLAN or SGT based on the value assigned to a custom attribute, or to an AD/LDAP attribute for a given user/endpoint. This way you consolidate many rules into one or a few.

/Craig

Thank you for your comments.

I would like to know how to set an endpoint custom attribute based on an LDAP attribute for a given user/endpoint.

I want to set a unique endpoint custom attribute based on an LDAP attribute for a given user/endpoint.

Is it possible using an authorization policy rule?

The customer wants to handle and assign 1000 VLANs based on an LDAP attribute for a given user/endpoint.

But the Identity Groups limit is 500, so I'm thinking of also using custom attributes.

Your comments would be really appreciated.

- Customer's authentication/authorization flow:

1. When an endpoint accesses the network for the first time, the endpoint's MAC address authentication fails because it is not registered, and it is authorized by CWA with LDAP user/password.

2. During this time, register the endpoint to an Identity Group and (I also want to set custom attributes, but I don't know how to set this) based on the LDAP attribute for the given user/endpoint.

3. Assign a VLAN based on the LDAP attribute for the given user/endpoint.

4. On the endpoint's 2nd network access, the endpoint's MAC address authentication passes and a VLAN is assigned based on Identity Group and custom attribute.


Thanks

Nana

You cannot dynamically assign a custom attribute today based on an auth result, unless some external scripting performs such an update. Such scripting is outside the scope of the forum but could be triggered based on RADIUS auth log events.

Note that in most cases, the endpoint will continue to Authorization anyway even if not yet learned by ISE, so authorization policy matching ends up being the same.

If you already know the VLAN that you want the user to be assigned to, then add that as a field in their AD/LDAP record and then configure the Authorization Profile to set the VLAN dynamically based on the attribute value. In the example below, the user record in AD was updated so that the PostalCode attribute had the VLAN number or name for the user. The same applies to LDAP.

/Craig
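The dynamic-attribute approach described in the reply above, as an added Python model (not ISE's own code and not the screenshot that accompanied the reply): a single rule reads the directory attribute (PostalCode, on constructed sample entries) and returns the RFC 3580 RADIUS VLAN attributes, failing closed when the value is missing or out of range; the audit() helper is an assumption showing how to check the directory data before relying on it.

```python
"""Map an LDAP/AD attribute to the RADIUS VLAN attributes ISE would return.

Models the reply above: one authorization profile reads a directory attribute
(PostalCode here) instead of one rule per identity group. Sample entries are
constructed; attribute names and values follow RFC 2868 / RFC 3580.
"""
from dataclasses import dataclass
from typing import Optional

TUNNEL_TYPE_VLAN = 13     # Tunnel-Type: VLAN
TUNNEL_MEDIUM_802 = 6     # Tunnel-Medium-Type: IEEE-802

# Constructed directory entries (assumption: postalCode carries the VLAN).
SAMPLE_USERS = {
    "alice": {"postalCode": "120", "memberOf": ["staff"]},
    "bob":   {"postalCode": "VLAN-0345", "memberOf": ["contractors"]},
    "carol": {"postalCode": "", "memberOf": ["guests"]},      # attribute unset
    "dave":  {"postalCode": "9999", "memberOf": ["staff"]},   # out of range
}

@dataclass(frozen=True)
class Decision:
    result: str          # "accept" or "reject"
    attributes: dict     # RADIUS attributes returned to the network device

def parse_vlan(value: str) -> Optional[int]:
    """Accept a bare VLAN ID or a 'VLAN-nnnn' value; None if unusable."""
    digits = value.strip().upper().removeprefix("VLAN-").lstrip("0") or "0"
    if not digits.isdigit():
        return None
    vlan = int(digits)
    return vlan if 1 <= vlan <= 4094 else None

def authorize(user: str, directory: dict = SAMPLE_USERS) -> Decision:
    """One dynamic rule: the VLAN comes from the attribute, not the group."""
    entry = directory.get(user)
    if entry is None:
        return Decision("reject", {"Reply-Message": "unknown user"})
    vlan = parse_vlan(entry.get("postalCode", ""))
    if vlan is None:
        # Fail closed instead of landing the user on a default VLAN.
        return Decision("reject", {"Reply-Message": "no valid VLAN attribute"})
    return Decision("accept", {"Tunnel-Type": TUNNEL_TYPE_VLAN,
                               "Tunnel-Medium-Type": TUNNEL_MEDIUM_802,
                               "Tunnel-Private-Group-ID": str(vlan)})

def audit(directory: dict = SAMPLE_USERS) -> list:
    """Users whose attribute would not yield a usable VLAN; run before go-live."""
    return sorted(u for u, e in directory.items()
                  if parse_vlan(e.get("postalCode", "")) is None)
```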

naogawa
Cisco Employee

Thank you so much!
