Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
651
Views
0
Helpful
2
Replies

How to setup authorization policy for site 1 and site 2

Go to solution
Rich Yim
Cisco Employee
Cisco Employee

‎09-02-2020 05:55 AM

I am setting up a SDA Demo using DNAC 1.3.3.7 and ISE 2.7 patch 1. I will have VN and IP Pool as below

 

Site IP Pool VN ISE VLAN tag ID/Name
1 172.168.1.0/24 Employee1 172_168_1_0-EMPLOYEE1
2 10.1.1.0/24 Employee2 10_1_1_0-EMPLOYEE2

 

 

In ISE, I will setup authorization policy like below:

 

ISE - Authorization Policy.jpg

I want to modify this policy to two policies. One for site 1 and other one for site 2. My question is, I don't know how to modify the condition to match site 1 and site 2?

 

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Aleksandr Serov
Level 1
Level 1

‎09-02-2020 06:31 AM

Hello

You may group devices on each site and apply appropriate policy on specific group

View solution in original post

0 Helpful

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎09-02-2020 07:10 AM

You have a few options.  You could create two separate global radius policies and then rely on the normalised radius flow type (8021x), and the condition 'DEVICETYPE'.  Utilizing DEVICETYPE you could group NADs to their respective areas, and build out the policies this way.  However, this may interfere with a main benefit of SDA, the mobility aspect.  I think a better option is to breakout your authz policies.  Is it possible to integrate with two separate AD points, and then utilize the ExternalGroups condition?  If not, for demo purposes why not just create two separate local ISE identity groups and reference each one individually and push policy for each respective site.  This would be the quick way to do it IMO.  Lastly, as another option you could focus on device profiling.  In this scenario identify unique attributes ISE has gathered from the NAD sensors, and push policy based on profiled identity groups.  The trick here is determining which attribute/s sets site1 and site2 a part from each other.  HTH!

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Aleksandr Serov
Level 1
Level 1

‎09-02-2020 06:31 AM

Hello

You may group devices on each site and apply appropriate policy on specific group

0 Helpful

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎09-02-2020 07:10 AM

You have a few options.  You could create two separate global radius policies and then rely on the normalised radius flow type (8021x), and the condition 'DEVICETYPE'.  Utilizing DEVICETYPE you could group NADs to their respective areas, and build out the policies this way.  However, this may interfere with a main benefit of SDA, the mobility aspect.  I think a better option is to breakout your authz policies.  Is it possible to integrate with two separate AD points, and then utilize the ExternalGroups condition?  If not, for demo purposes why not just create two separate local ISE identity groups and reference each one individually and push policy for each respective site.  This would be the quick way to do it IMO.  Lastly, as another option you could focus on device profiling.  In this scenario identify unique attributes ISE has gathered from the NAD sensors, and push policy based on profiled identity groups.  The trick here is determining which attribute/s sets site1 and site2 a part from each other.  HTH!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents