https://community.cisco.com/t5/network-access-control/multiple-quot-memberof-quot/m-p/2122050#M156518 <P>Good afternoon,</P><P></P><P>How would ISE deal with an user that has multiple entries for "memberOf"for group assignment?&nbsp; Would ISE use the 1st MemberOf value it encounter to assign a group?</P><P></P><P>Thanks.</P><P></P><P>Cath.</P> Mon, 11 Mar 2019 02:54:02 GMT cpaquet 2019-03-11T02:54:02Z https://community.cisco.com/t5/network-access-control/multiple-quot-memberof-quot/m-p/2122050#M156518 <P>Good afternoon,</P><P></P><P>How would ISE deal with an user that has multiple entries for "memberOf"for group assignment?&nbsp; Would ISE use the 1st MemberOf value it encounter to assign a group?</P><P></P><P>Thanks.</P><P></P><P>Cath.</P> Mon, 11 Mar 2019 02:54:02 GMT https://community.cisco.com/t5/network-access-control/multiple-quot-memberof-quot/m-p/2122050#M156518 cpaquet 2019-03-11T02:54:02Z https://community.cisco.com/t5/network-access-control/multiple-quot-memberof-quot/m-p/2122051#M156553 <HTML><HEAD></HEAD><BODY><P>Hello Cath-</P><P></P><P>ISE will "read" the groups in the order that you have configured them in your authorization rules. So I would recommend that you place the more specific groups towards the bottom and the most common groups towards the bottom. For example:</P><P></P><P>IF member of <STRONG>executives </STRONG>then authorization profile <STRONG>executives_users</STRONG></P><P></P><P>IF member of <STRONG>domain users </STRONG>then authorization profile <STRONG>regular_users</STRONG></P><P></P><P><EM>Thank you for rating!</EM></P></BODY></HTML> Tue, 18 Dec 2012 04:08:20 GMT https://community.cisco.com/t5/network-access-control/multiple-quot-memberof-quot/m-p/2122051#M156553 nspasov 2012-12-18T04:08:20Z https://community.cisco.com/t5/network-access-control/multiple-quot-memberof-quot/m-p/2122052#M156580 <HTML><HEAD></HEAD><BODY><P>Thanks Neno.</P><P></P><P>Could you please clarify your suggestion "...I would recommend that you place the more specific groups towards the bottom and the most common groups towards the bottom".&nbsp;&nbsp; </P><P></P><P>You mean placing the specific at the top and the generic at the bottom, right?</P><P></P><P>Thank you.</P><P></P><P>Cath.</P></BODY></HTML> Tue, 18 Dec 2012 12:02:34 GMT https://community.cisco.com/t5/network-access-control/multiple-quot-memberof-quot/m-p/2122052#M156580 cpaquet 2012-12-18T12:02:34Z https://community.cisco.com/t5/network-access-control/multiple-quot-memberof-quot/m-p/2122053#M156603 <HTML><HEAD></HEAD><BODY><P>Yes, that was a typo on my end <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN> You want generic towards the bottom and specific towards the top. Think of it that way: Everyone is part of "domain users" so everyone would match that rule but not everyone would be a member of the "executives" so you would want the executives group to be above the domain users</P></BODY></HTML> Wed, 19 Dec 2012 00:48:28 GMT https://community.cisco.com/t5/network-access-control/multiple-quot-memberof-quot/m-p/2122053#M156603 nspasov 2012-12-19T00:48:28Z https://community.cisco.com/t5/network-access-control/multiple-quot-memberof-quot/m-p/2122054#M156647 <HTML><HEAD></HEAD><BODY><P>Thank you Neno for all your help.</P><P>Regards,</P><P>cath.</P></BODY></HTML> Wed, 19 Dec 2012 12:38:30 GMT https://community.cisco.com/t5/network-access-control/multiple-quot-memberof-quot/m-p/2122054#M156647 cpaquet 2012-12-19T12:38:30Z