06-27-2018 12:25 AM
Hi team,
I am supporting our end-user on the requested feature below:
For example, Branch A can only do AAA/CoA policies with the devices, or add new devices, which belong to Branch A, and cannot do so with the devices belonging to Branch B.
It is something like separate multi-domains on ISE.
If supported, kindly help share the detailed configuration with us.
If not, please help propose any workaround solutions.
Any quick support is highly appreciated. Thanks in advance.
Br,
hainm
06-27-2018 12:51 AM
Yes, it supports it; you must add devices to ISE just in different locations.
Devices in Branch A are located in device group BRANCH A.
Devices in Branch B are located in Branch B.
Based on these locations you can create policies for them,
like:
Device type eq switch and device location in Branch A
Then create an authorization policy for them.
This will instruct all devices trying to connect to a switch from Branch A to receive the authorization policy for this location.
06-27-2018 01:07 AM
Hi bro,
Many thanks for your response. Correct me if I am wrong with some detailed steps below:
- Use ISE to scan all the devices inside the HO and branches.
- Group all the scanned devices into separate groups.
- Create different locations: Branch A, Branch B, ...
- Bind each device group to a specific branch location.
- Create policies based on the specific location.
One more question: can ISE support creating an admin user for Branch A so that this admin can only add the devices belonging to Branch A?
Thanks in advance.
Br,
hainm
06-27-2018 01:10 AM
Hi bro,
Many thanks for your response. Correct me if I am wrong with some detailed steps below:
- Use ISE to scan all the devices inside the HO and branches.
- Group all the scanned devices into separate groups.
- Create different locations: Branch A, Branch B, ...
- Bind each device group to a specific branch location.
- Create policies based on the specific location.
One more question: can ISE support creating an admin user for Branch A so that this admin can only add the devices belonging to Branch A?
Thanks in advance.
Best regards,
.:|:.:|:. Hai Nguyen
Systems Engineer | Cisco Systems Vietnam
Desk: +84 24 3974 6248 | Mobile: +84 904 373 746 | hanguye3@cisco.com
06-27-2018 01:28 AM
Hi again,
I am speaking about network devices, not the endpoints.
Add the network devices in different locations for the respective offices.
For all endpoints associated with these network devices you can create policy based on location and device type, like:
switch, router, WLC, etc.
For the question:
Yes, it is possible, but I have not tested this. And what kind of user for device administration, like TACACS or something else?
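To make the two replies above concrete (network devices placed in ISE location and device-type groups, then an authorization rule keyed on "device location in Branch A and device type eq switch"), here is a small added model of that evaluation. It is example code written for this thread, not ISE's own implementation; the group path strings follow the "Location#All Locations#Branch A" convention ISE uses for network device groups, while the device inventory, IP ranges, rule names and profile names are constructed for the illustration. The first-match behaviour and the idea that a child location (e.g. a floor under Branch A) still matches a rule written against its parent are assumptions about how a location hierarchy is normally used, so verify them against your ISE version.

```python
"""Constructed model of ISE network device groups driving location-based
authorization rules. Added example for this thread, not Cisco ISE code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class NetworkDevice:
    """A NAS (switch, router, WLC) registered in ISE with its group paths."""
    name: str
    ip_list: list   # CIDR strings the device can source RADIUS from (constructed)
    groups: list    # ISE-style group paths, e.g. "Location#All Locations#Branch A"


@dataclass
class AuthzRule:
    """One authorization rule: every condition must hold (logical AND)."""
    name: str
    conditions: dict   # {"Location": "Branch A", "Device Type": "Switch"}
    profile: str       # authorization profile returned on match


def group_path(device, root):
    """Return the node list under a group root, e.g. Location ->
    ["All Locations", "Branch A", "Floor2"]; empty if the root is not set."""
    for g in device.groups:
        parts = g.split("#")
        if parts[0] == root:
            return parts[1:]
    return []


def in_group(device, root, wanted):
    # Assumption: a device in a child location is still "in" its parent,
    # so the wanted node may sit anywhere on the device's path.
    return wanted in group_path(device, root)


def find_device(devices, nas_ip):
    """Resolve the RADIUS source address to a registered network device."""
    addr = ip_address(nas_ip)
    for d in devices:
        for cidr in d.ip_list:
            if addr in ip_network(cidr, strict=False):
                return d
    return None


def evaluate(devices, rules, nas_ip):
    """First-match evaluation of the rule list for a request from nas_ip.
    Requests from unregistered NAS addresses are rejected outright, which is
    the behaviour that keeps Branch B hardware out of Branch A policy."""
    dev = find_device(devices, nas_ip)
    if dev is None:
        return "REJECT: unknown network device"
    for r in rules:
        if all(in_group(dev, root, val) for root, val in r.conditions.items()):
            return r.profile
    return "DenyAccess"   # default rule when nothing matched


# Constructed inventory: two branches, one WLC nested one level below Branch A.
DEVICES = [
    NetworkDevice("sw-brA-01", ["10.1.1.10/32"],
                  ["Location#All Locations#Branch A",
                   "Device Type#All Device Types#Switch"]),
    NetworkDevice("wlc-brA-f2", ["10.1.2.5/32"],
                  ["Location#All Locations#Branch A#Floor2",
                   "Device Type#All Device Types#WLC"]),
    NetworkDevice("sw-brB-block", ["10.2.1.0/24"],
                  ["Location#All Locations#Branch B",
                   "Device Type#All Device Types#Switch"]),
]

# Constructed rules in the form the reply describes:
# "device type eq switch and device location in Branch A".
RULES = [
    AuthzRule("BranchA-Switches",
              {"Location": "Branch A", "Device Type": "Switch"},
              "PermitAccess_BranchA"),
    AuthzRule("BranchA-Wireless",
              {"Location": "Branch A", "Device Type": "WLC"},
              "PermitAccess_BranchA_WiFi"),
    AuthzRule("BranchB-Switches",
              {"Location": "Branch B", "Device Type": "Switch"},
              "PermitAccess_BranchB"),
]


if __name__ == "__main__":
    for nas in ("10.1.1.10", "10.1.2.5", "10.2.1.77", "192.0.2.1"):
        print(nas, "->", evaluate(DEVICES, RULES, nas))
```

The check worth taking from this model is the last case: a request from an address that is not registered as a network device is rejected before any rule is consulted, so adding a device to the right location group is what puts it under that branch's policy, and nothing else does.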
06-27-2018 01:31 AM
Hi bro,
So can ISE support creating an admin user for Branch A so that this admin can only add the devices belonging to Branch A?
Br,
hainm
06-29-2018 04:11 PM
There is some support.
Please check out the workaround for CSCvb55884. TAC has an internal doc detailing how it is done.