
Cisco ISE: How to match an endpoint belonging to an identity group?

david_mayor
Level 1

Hello,

I am running Cisco ISE 1.1.4.218 in a standalone environment.

I am trying to setup Compound Condition for Authorization.

I would like the condition to match the MAC address of the calling machine to the internal endpoint MAC address list.

I created 1 endpoint identity group and 2 children groups

- GroupParent

     - ChildA

     - ChildB

I put the MAC address of my machine in the group ChildA.

In my condition, I tried the following:

IdentityGroup:Name, Equals, ChildA

IdentityGroup:Name, Equals, GroupParent:ChildA

IdentityGroup:Name, Match, .*(ChildA).*

I even tried to put the MAC address in the GroupParent level and tried to update the condition to be:

IdentityGroupName, Equals, GroupParent

IdentityGroupName, Match, .*(GroupParent).*

But none of these options worked.

I am almost sure that in Cisco ISE 1.1.1, it was working fine. But I updated today to 1.1.4 and I cannot make it work.

Can anyone help me?

Best regards,

David

Accepted Solution

Shaoqin Li
Level 3

using internal identity group match may not work...

If you want to do this, can you try to choose it directly from the first part of the authz rule (to choose identity) instead of using a match condition?

Sent from Cisco Technical Support iPad App

7 Replies

Eduardo Aliaga
Level 4

You could try the following to match only the parent group

IdentityGroup:Name EQUALS GroupParent

You could try the following to match only child group A

IdentityGroup:Name EQUALS GroupParent#ChildA

You could try the following to match all child groups of GroupParent

IdentityGroup:Name STARTS_WITH GroupParent

Please rate if this helps

Hello,

I tried all the solutions mentioned above; none of them works.

I repeat that I am almost sure that it worked in ISE 1.1.1 but it does not work in 1.1.4.

Many thanks for your help.

David

Is it possible to create a parent group within Endpoint Identity Groups?

Many thanks Shaoqin, this helped me to make it work!

I've tried "IdentityGroup:Name" a bunch of ways and it doesn't work... Seems to only work when you use the Identity Group as "IF" for the first option in the rule.

I'm mostly just confirming what Shaoqin Li said above, I spent an hour trying a bunch of iterations with no luck.
