You need to add another condition to your current authorization policy which looks for the AD:ExternalGroup and set that equal to your OU in AD. Click the plus button in the current policy to add another condition to this policy.
You are referring to the authorization policy, whereas I do not (I am talking about the authentication). The moment I get the prompt of the switch for username+pass and I am using a correct domain user, I will be granted access; the authorization policy doesn't come into effect here. Am I wrong?
In this specific case I am not trying to authorize the user to a specific network VLAN or environment, but only to control the users allowed to admin the switch.
That is correct, you cannot limit authentication to a specific group of users, only the database they reside in. It is up to the authorization policy then to find what group they are a member of and then give the configured access.
Thank you for the quick replies, and now OK, I've configured the following authorization policy:
Rule Name : Nad Auth
AND : AD1:ExternalGroups EQUALS IT_Departments
Permissions, then PermitAccess
What I don't understand is that it needs to match an "identity group", which can be either "Endpoint Identity group" or "Users Identity group". I am limited with the if statement and cannot choose the same device group I chose before.
How can I do that? I am thinking ahead and asking myself if in other cases a user might match this policy rule and can interfere?
Do not worry about the condition on the left since those are for the internal endpoint and user database. You will use the original policy you pasted but click the AND and combine it with the AD external group so that when both conditions succeed you will then get the result you referenced in the policy.
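To make the distinction drawn in the replies above concrete (authentication only checks credentials against the allowed identity store; group membership is enforced by the authorization rule, where the left-hand condition and the AD external group condition are ANDed), here is an added Python illustration of the flow. It is a constructed model, not Cisco ISE code; the attribute name DEVICE:Device Type, the rule layout, and the sample users and passwords are assumptions.

```python
"""Toy model of the ISE authentication-vs-authorization split discussed in the thread.
Constructed illustration only; attribute names and sample data are assumptions."""
import hmac

# Identity store(s) the authentication policy allows for the switch (assumed: AD1 only).
ALLOWED_IDENTITY_STORES = {"AD1"}

# Constructed sample users as ISE would see them after the identity-store lookup.
SAMPLE_USERS = {
    "alice": {"password": "pw-alice", "IdentityStore": "AD1",
              "AD1:ExternalGroups": {"Domain Users", "IT_Departments"}},
    "bob":   {"password": "pw-bob", "IdentityStore": "AD1",
              "AD1:ExternalGroups": {"Domain Users"}},
    "carol": {"password": "pw-carol", "IdentityStore": "Internal Users",
              "AD1:ExternalGroups": set()},
}


def authenticate(username, password, users=SAMPLE_USERS, stores=ALLOWED_IDENTITY_STORES):
    """Authentication answers only: valid credentials in an allowed store?
    Group membership plays no part here, which is why any domain user passes."""
    user = users.get(username)
    if user is None or not hmac.compare_digest(user["password"], password):
        return False
    return user["IdentityStore"] in stores


def condition_matches(attrs, attribute, operator, value):
    """ISE-style condition. ExternalGroups is multi-valued, so EQUALS on it
    means 'the user is a member of that group'."""
    actual = attrs.get(attribute)
    if actual is None:
        return False
    if isinstance(actual, set):
        return operator == "EQUALS" and value in actual
    if operator == "EQUALS":
        return actual == value
    if operator == "CONTAINS":
        return value in actual
    raise ValueError(f"unsupported operator {operator}")


# Authorization rules are evaluated top to bottom; conditions in a rule are ANDed.
# The first condition stands in for the original device-based condition from the
# thread (assumed attribute name); the second is the AD external group condition.
AUTHZ_RULES = [
    {"name": "Nad Auth",
     "conditions": [("DEVICE:Device Type", "EQUALS", "Switch"),
                    ("AD1:ExternalGroups", "EQUALS", "IT_Departments")],
     "permission": "PermitAccess"},
]


def authorize(username, device_attrs, users=SAMPLE_USERS, rules=AUTHZ_RULES,
              default="DenyAccess"):
    """Return (rule name, permission) of the first matching rule, else the default."""
    attrs = {**users[username], **device_attrs}
    for rule in rules:
        if all(condition_matches(attrs, a, op, v) for a, op, v in rule["conditions"]):
            return rule["name"], rule["permission"]
    return "Default", default


def login_attempt(username, password, device_attrs):
    """Full flow: authentication first; authorization only runs if that passed."""
    if not authenticate(username, password):
        return "AUTH_FAILED"
    rule, permission = authorize(username, device_attrs)
    return f"{rule}:{permission}"


if __name__ == "__main__":
    switch = {"DEVICE:Device Type": "Switch"}
    for name, pw in [("alice", "pw-alice"), ("bob", "pw-bob"),
                     ("carol", "pw-carol"), ("alice", "wrong")]:
        print(name, "->", login_attempt(name, pw, switch))
```

Running it shows the point of the thread: bob authenticates successfully because he is a valid AD1 user, yet lands on the default DenyAccess because he is not in IT_Departments; only alice matches both ANDed conditions and receives PermitAccess. Whether the default result is deny or permit is a property of the authorization policy, so it is worth checking that the catch-all rule is not more permissive than intended.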
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit TCP from the inside interface to any6.
In Syslog I also se...