Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2035
Views
0
Helpful
2
Replies

Time Bound Elevated Permission to Network Access User in ISE

Go to solution
VipulAgr
Level 1
Level 1

‎11-30-2020 09:58 AM

Hi Folks,

I am looking for a way to assign Identity group to users which is time bound, use-case is to assign elevated permission temporarily to a user who has standard access for Device administration in ISE.

For this I am thinking to assign user to an Identity group which provide standard access to Network devices and add him to more privileged Identity group only when it's needed for certain interval, It can be done by manually adding the identity group to user and detach when it's not needed..but is there any way to detach the identity group automatically after certain time period to avoid any slip in this manual effort ? 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎12-01-2020 05:23 AM

AFAIK you will have to accomplish this manually.  To me that sounds like it could be quite the process.  Have you considered looking into utilizing APIs?  Specifically the Network Device API:  Network Device API allows the client to add, delete, update, and search Network Devices.  You could write a script that only allows the certain users you wish to accomplish the task, and then take away their ability to run/execute the script that consumes the API.  HTH!

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎12-01-2020 05:23 AM

AFAIK you will have to accomplish this manually.  To me that sounds like it could be quite the process.  Have you considered looking into utilizing APIs?  Specifically the Network Device API:  Network Device API allows the client to add, delete, update, and search Network Devices.  You could write a script that only allows the certain users you wish to accomplish the task, and then take away their ability to run/execute the script that consumes the API.  HTH!

0 Helpful

Go to solution
thomas
Cisco Employee
Cisco Employee

‎12-15-2020 11:39 AM

Mike's suggestion is good, as always.

See ISE ERS API Examples > Create an Endpoint with Custom Attributes for how you can do this.

Otherwise, there are no attributes in ISE to block authentication/authorization after an absolute time (e.g. December 31, 2020 @ 11:59:59 UTC).

By attach and detach I assume you mean authentication and expiration since that is the method of privilege/enablement we have to work with. You may do this in ISE with an authorization profile that only allows access for a specific amount of [session] time (600 seconds == 10 minutes for example).

image.png

 

 

0 Helpful
Customers Also Viewed These Support Documents