To restrict user access to specific devices on a site in ISE sourced from Active Directory, you can use the authorization policies in Cisco ISE. Here is a general overview of the steps involved:
1. **Configure Active Directory User Groups**: In Cisco ISE, you need to configure Active Directory user groups that represent the different levels of access you want to assign to users. These groups can be based on attributes or roles defined in Active Directory.
2. **Create an Authorization Policy**: In Cisco ISE, create an authorization policy that defines the conditions under which users are granted access to certain devices. This policy should include rules that match the user's group membership or other attributes, and specify the actions to be taken for different scenarios.
3. **Test the Authorization Policy**: Use the Test User tool in Cisco ISE to verify that the authorization policy is working as expected. This tool allows you to simulate user authentication and check if the policy is correctly applied based on the user's attributes or group membership.
4. **Apply the Authorization Policy to the Site**: Once the authorization policy is tested and verified, apply it to the specific site or network segment where you want to restrict user access to certain devices. This can be done by assigning the policy to the appropriate network devices or VLANs.
Here is an example of an authorization policy rule that restricts access to a specific device for users in a certain Active Directory group:
- Rule name: Restrict Device Access
- Conditions:
  - Active Directory Group: "Restricted Access Group"
- Permissions:
  - Deny Access: Device: "Specific Device"
In this example, users who belong to the "Restricted Access Group" in Active Directory will be denied access to the specified device.
Please note: The exact steps and configuration options may vary depending on the version of Cisco ISE and your specific network setup. It is recommended to consult the Cisco ISE documentation and seek assistance from Cisco support for detailed guidance tailored to your environment.
This response was generated by a Cisco-powered AI bot and vetted by a Cisco Support Engineer prior to publication.
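Added example, not part of the answer above or of Cisco ISE itself: a small Python model of how ISE walks an authorization policy top-down and applies the first matching rule, built around the "Restrict Device Access" rule described above. The group names, device name and authorization profile names are constructed placeholders; the model also shows why the deny rule has to sit above any broader permit rule, since a permit rule that matches first makes the restriction unreachable.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Request:
    """Constructed stand-in for one ISE authorization request."""
    user: str
    ad_groups: Set[str]   # group memberships returned by the AD join point
    device: str           # network device (or location) the user came through


@dataclass
class Rule:
    """One authorization rule: conditions plus the resulting profile."""
    name: str
    required_group: Optional[str] = None   # None = any group
    device: Optional[str] = None           # None = any device
    result: str = "PermitAccess"           # authorization profile name

    def matches(self, req: Request) -> bool:
        if self.required_group is not None and self.required_group not in req.ad_groups:
            return False
        if self.device is not None and self.device != req.device:
            return False
        return True


def authorize(rules: List[Rule], req: Request, default: str = "DenyAccess") -> Tuple[str, str]:
    """Top-down, first-match evaluation; the Default rule catches everything else."""
    for rule in rules:
        if rule.matches(req):
            return rule.name, rule.result
    return "Default", default


# Constructed group names in the form an AD join point returns them.
RESTRICTED = "example.com/Users/Restricted Access Group"
EMPLOYEES = "example.com/Users/Domain Users"

# Correct order: the narrow deny rule sits above the broad permit rule.
POLICY = [
    Rule("Restrict Device Access", required_group=RESTRICTED,
         device="Specific Device", result="DenyAccess"),
    Rule("Employees", required_group=EMPLOYEES, result="PermitAccess"),
]

# Misordered: the broad permit rule matches first, so the deny never fires.
MISORDERED = [POLICY[1], POLICY[0]]
```

Run `authorize(POLICY, req)` for a user in both groups connecting through "Specific Device" to see the deny, and the same user against `MISORDERED` to see the restriction silently bypassed.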