
ISE - External Identity Source (AD Groups)

Assume there are no groups populated in this bucket (Identity Management -> Active Directory -> Groups). Does ISE just check if the user is in AD and allow them on? I have clients authenticating that aren't part of the single group I added to this bucket.

This is why I ask ..

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

ISE - External Identity Source (AD Groups)

This should work fine. We select groups and use them in authorization rules to restrict access.

On a side note: the user should be a part of at least one group, say Domain Users, on AD.

~BR
Jatin Katyal

**Do rate helpful posts**

4 REPLIES

ISE - External Identity Source (AD Groups)

Got it .. This explains why users are getting on even though they aren't in that group I selected and the policy doesn't call out this specific group ..

Thanks!

Cisco Employee

Re: ISE - External Identity Source (AD Groups)

Yes, you understood it right. Let me add a little more explanation.

Group retrieval for authorization

You can use the AD group data in the authorization and group mapping tables and introduce special conditions to match them against the retrieved groups.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/users_id_stores.html#wp1170416

Once you've selected the groups under

Users and Identity Stores > External Identity Stores > Active Directory > directory groups

The same groups will start appearing under the screen shot listed below. From there you will see two options, any / all, i.e. an OR / AND condition. Based on the user's membership, the authorization role can be assigned.

~BR
Jatin Katyal

**Do rate helpful posts**

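As an added illustration of the two replies above (this is not part of the thread and not Cisco's or ISE's own code), the following Python model separates authentication (does the account exist in AD?) from authorization (does a rule's group condition match the groups retrieved for that user?). It shows why users outside the selected group still get on when no authorization rule references that group, and how the any (OR) / all (AND) conditions behave. The directory contents, group names, rule names and the first-match evaluation order are constructed assumptions of the model.

```python
# Added example, not Cisco's or ISE's code: a toy model of the behaviour
# described in this thread. Authentication asks only "does this account exist
# in AD?"; authorization walks the rules top to bottom (first-match is an
# assumption of this model) and checks the AD groups retrieved for the user
# against each rule's any/all group condition.
from dataclasses import dataclass

# Constructed sample directory: account name -> AD groups it belongs to.
AD_USERS = {
    "alice": {"Domain Users", "Wireless-Admins"},
    "bob": {"Domain Users"},
}


@dataclass(frozen=True)
class AuthzRule:
    name: str
    groups: frozenset          # AD groups the rule references; empty = no group condition
    match: str = "any"         # "any" behaves like OR, "all" like AND over `groups`
    result: str = "PermitAccess"


def authenticate(user: str) -> bool:
    """Authentication never consults the selected groups: it only checks that
    the account exists in the directory (the credential check is omitted here)."""
    return user in AD_USERS


def rule_matches(rule: AuthzRule, user_groups: set) -> bool:
    """A rule with no group condition matches every authenticated user;
    otherwise apply any/all semantics across the rule's listed groups."""
    if not rule.groups:
        return True
    hits = [g in user_groups for g in rule.groups]
    return any(hits) if rule.match == "any" else all(hits)


def authorize(user: str, rules, default: str = "DenyAccess") -> str:
    """Return "AuthFail" if the account does not exist, else the result of the
    first matching rule, else the default (deny) result."""
    if not authenticate(user):
        return "AuthFail"
    user_groups = AD_USERS[user]
    for rule in rules:
        if rule_matches(rule, user_groups):
            return rule.result
    return default


# Rule set 1: a group was selected in Identity Management, but no rule
# references it, so the catch-all rule lets every AD account on.
LOOSE_RULES = [AuthzRule("AnyADUser", frozenset())]

# Rule set 2: the rule actually calls out the group; non-members fall
# through to the default deny.
STRICT_RULES = [AuthzRule("WirelessAdmins", frozenset({"Wireless-Admins"}))]

# Rule set 3: "all" (AND) across two groups.
ALL_RULES = [AuthzRule("AdminsOnly",
                       frozenset({"Wireless-Admins", "Domain Users"}),
                       match="all")]


if __name__ == "__main__":
    for user in ("alice", "bob", "mallory"):
        print(f"{user:8} loose={authorize(user, LOOSE_RULES):12} "
              f"strict={authorize(user, STRICT_RULES):12} "
              f"all={authorize(user, ALL_RULES)}")
```

Running it prints that `bob` is permitted under `LOOSE_RULES` but denied under `STRICT_RULES`, while `mallory` (no AD account) fails authentication in every case. The defender's takeaway matches the accepted answer: selecting a group under the external identity source only makes it available for retrieval; access is restricted only once an authorization rule references that group and the fall-through result is a deny.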

Re: ISE - External Identity Source (AD Groups)

Let me throw another question at ya ..

I have a device that was wrongly profiled. It was a MacBook profiled as an iDevice. On the endpoint I can set a static policy assignment or Identity Group Assignment.

What is the difference? I'm thinking if I want this to ALWAYS be a MacBook I should static it to Identity Group
