Administrative Rights Partitions

andrewsigna · ‎02-01-2016

Hi!

Would like to have a single user have full control of administrative rights for the ISE server and then have another category where someone else has limited ability to enforce policy for sponsoring, new-user onboarding and whitelisting. The criteria is that I would like that this limited user is based GEOGRAPHICALLY in one location, meaning that the limited-administrator can ONLY accomplish these tasks in his own location/LAN.

What would be an optimal way to complete this task?

thanks in advance!

jj27 · ‎02-01-2016

Hi Andrew,

Would the full and limited users be local to ISE or part of Active Directory? If Active Directory, you're going to need to create some security groups and place user accounts into them for each classification. That is the route I would recommend going.

You will need to create a Menu Access and Data access policy for the limited use case and give access to the appropriate sections you referenced.

Once that is done, you need to go to your External Identity Source for AD and make sure those new groups are selected to be used with ISE. Then, go to Administration->Admin Access->Administrators->Admin Groups and create Admin groups in ISE, type External, and reference the AD groups you created for full and limited access.

Head over to Administration->Admin Access->Authorization->Permissions->Policy and duplicate the Super Admin policy. Link that to your newly created AD-enabled full admin group. Next, create your limited policy, reference the permissions you created and the AD-enabled limited admin group.

Finally, to restrict admin access from certain LAN subnets, go to Administration->Admin Access->Settings->Access, click on IP Access tab and enter in all of the LAN subnets you want to be able to connect to and manage ISE keeping in mind you need to put in all of the LAN subnets you are currently using to access it as it is today with no restrictions.

Hope this helps.