Cisco Support Community
New Member

Cisco ISE: How to match an endpoint belonging to an identity group?

Hello,

I am running Cisco ISE 1.1.4.218 in a standalone environment.

I am trying to set up a Compound Condition for Authorization.

I would like the condition to match the MAC address of the calling machine to the internal endpoint MAC address list.

I created 1 endpoint identity group and 2 child groups:

- GroupParent

     - ChildA

     - ChildB

I put the MAC address of my machine in the group ChildA.

In my condition, I tried the following:

IdentityGroup:Name, Equals, ChildA

IdentityGroup:Name, Equals, GroupParent:ChildA

IdentityGroup:Name, Match, .*(ChildA).*

I even tried to put the MAC address in the GroupParent level and tried to update the condition to be:

IdentityGroupName, Equals, GroupParent

IdentityGroupName, Match, .*(GroupParent).*

But none of these options worked.

I am almost sure that in Cisco ISE 1.1.1, it was working fine. But I updated today to 1.1.4 and I cannot make it work.

Can anyone help me?

Best regards,

David


Accepted Solutions
Bronze

Re: Cisco ISE: How to match an endpoint belong to an identity gr

Using an internal identity group match may not work...

If you want to do this, can you try to choose it directly from the first part of the authz rule (to choose identity) instead of using a match condition?

Sent from Cisco Technical Support iPad App

7 REPLIES

Cisco ISE: How to match an endpoint belong to an identity group

You could try the following to match only the parent group

IdentityGroup:Name EQUALS GroupParent

You could try the following to match only child group A

IdentityGroup:Name EQUALS GroupParent#ChildA

You could try the following to match all child groups of GroupParent

IdentityGroup:Name STARTS_WITH GroupParent

Please rate if this helps

New Member

Cisco ISE: How to match an endpoint belong to an identity group

Hello,

I tried all the solutions mentioned above; none of them works.

I repeat that I am almost sure that it worked in ISE 1.1.1 but it does not work in 1.1.4.

Many thanks for your help.

David

New Member

Cisco ISE: How to match an endpoint belong to an identity group

Is it possible to create a parent group within Endpoint Identity Groups?

New Member

Re: Cisco ISE: How to match an endpoint belong to an identity gr

Many thanks Shaoqin, this helped me to make it work!

New Member

Re: Cisco ISE: How to match an endpoint belong to an identity gr

I've tried "IdentityGroup:Name" a bunch of ways and it doesn't work... Seems to only work when you use the Identity Group as "IF" for the first option in the rule.

I'm mostly just confirming what Shaoqin Li said above; I spent an hour trying a bunch of iterations with no luck.