07-28-2020 01:04 PM
Consider the existing situation: an ISE cluster is operating in a central site, supporting remote sites. Each site has its own WLC and accesses the internet by DIA. Each site also has MPLS links back to the core site. Each site supports Guests (Splash Screen) and IEEE802.1x corp clients.
The sites are to be separated from the core and to be made (semi-)independent. The obvious thing to do would be to spin up a small (VM) ISE pair on each site (let's also assume the sites each have their own AD domain, possibly part of a large "all-site" forest, so we would need to split the domains off the forest and run them locally too). That would serve the users OK, and would not be impacted by ISE's lack of multi-tenant administration, because each site would have its own single-site ISE.
However, is there a way of staying with the existing ISE cluster (for reasons of budget and speed of migration)?
Can I (with version 2.7) build different admins for each site, each with write access only to their own configurations? I could probably build policies that will support different site user populations, with authentication based upon MAB or IEEE802.1x and authorisation based upon Called Station ID or Internal User Identity/Groups, but there are fundamental security issues there: the admin users would be able to see everyone's setup, even if they were only able to change their own (is that right?), but worse, anyone from any site would be authenticated (so able to log in) and only have their abilities controlled by authorisation restriction (so not be able to do anything outside their own security area/site, despite being logged on).
Has anyone ever tried anything like this? Have you any pointers? I think I'm going to push for site-local ISEs because of the security issues, but can anyone suggest a better way?
Thanks
Jim
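To make the concern in the post above concrete, here is an added example (not ISE configuration and not code from the original thread) that simulates the shared-cluster approach as a two-phase policy evaluation: authentication against one shared identity store, then a per-site authorisation rule keyed on the WLC MAC carried in Called-Station-Id. The site names, WLC MACs, identity groups and credentials are all constructed for illustration.

```python
"""Simulate per-site authorisation on a shared ISE-style policy set.

Added example, not ISE syntax. All names, MACs and credentials below are
constructed; a real deployment would take them from the WLC and AD/ISE groups.
"""
import hmac
import re
from dataclasses import dataclass

# Constructed: which site each WLC belongs to, keyed by the MAC the WLC puts at
# the front of Called-Station-Id ("aa-bb-cc-dd-ee-ff:SSID").
SITE_BY_WLC_MAC = {
    "00-11-22-33-44-55": "SiteA",
    "66-77-88-99-aa-bb": "SiteB",
}

# Constructed shared identity store: username -> (password, identity group).
IDENTITY_STORE = {
    "alice": ("pw-alice", "SiteA-Corp"),
    "bob": ("pw-bob", "SiteB-Corp"),
}

# Constructed: which site each identity group is allowed on.
SITE_BY_GROUP = {
    "SiteA-Corp": "SiteA",
    "SiteB-Corp": "SiteB",
}

CSID_RE = re.compile(r"^([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})(?::(.*))?$")


def parse_called_station_id(csid):
    """Split 'aa-bb-cc-dd-ee-ff:SSID' into (mac, ssid); ssid may be None."""
    m = CSID_RE.match(csid.strip())
    if not m:
        raise ValueError(f"unrecognised Called-Station-Id: {csid!r}")
    return m.group(1).lower(), m.group(2)


@dataclass
class Decision:
    authenticated: bool   # credential accepted by the shared identity store
    authorized: bool      # site rule permitted access
    reason: str


def evaluate(username, password, called_station_id):
    """Authentication first, then a site-scoped authorisation rule.

    Because the identity store is shared, any valid user from any site passes
    authentication; only the authorisation step keeps them off the wrong site.
    """
    entry = IDENTITY_STORE.get(username)
    if entry is None or not hmac.compare_digest(entry[0], password):
        return Decision(False, False, "authentication failed")

    user_site = SITE_BY_GROUP.get(entry[1])
    mac, _ssid = parse_called_station_id(called_station_id)
    nas_site = SITE_BY_WLC_MAC.get(mac)

    if nas_site is None:
        # Default deny: an unmapped WLC never matches a site rule.
        return Decision(True, False, "unknown NAS, default deny")
    if user_site != nas_site:
        # Authenticated (a success is logged) but rejected by the site rule.
        return Decision(
            True, False,
            f"{username} ({user_site}) authenticated on a {nas_site} WLC, denied",
        )
    return Decision(True, True, f"permit {username} on {nas_site}")


if __name__ == "__main__":
    for user, pw, csid in [
        ("alice", "pw-alice", "00-11-22-33-44-55:CorpA"),   # same site
        ("bob", "pw-bob", "00-11-22-33-44-55:CorpA"),       # cross-site
        ("alice", "wrong", "00-11-22-33-44-55:CorpA"),      # bad password
    ]:
        print(user, evaluate(user, pw, csid))
```

Running it shows the gap Jim describes: the cross-site user gets `authenticated=True` and a logged authentication success before the site rule rejects them, and every site's admin would see the same shared store and rules.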
07-29-2020 04:59 PM
Hi @Jim Blake
ISE does not offer any multi-tenancy features that you are looking for. The system supports distributed processing but only centralised configuration. And you cannot segregate the Admin GUI by region (e.g. Cisco Prime Infrastructure DOMAIN concept).
I'd say you'd need to deploy a PAN/MnT/PSN per site and then let those admins get on with it. If they are supposed to stay out of each other's way, then you'll achieve that by deploying the PAN/MnT/PSN on site.
07-31-2020 11:39 AM
Thanks Arne, you confirmed what I thought was the case...always comforting to know someone has been down the path before :)
Thanks
Jim