https://community.cisco.com/t5/network-access-control/ise-aaa-radius-authentication-for-nad-access/m-p/2003379#M255396 <HTML><HEAD></HEAD><BODY><P>Thank you for the quick replys , and now&nbsp; ok , I've configured the following authorization policy :</P><P>Rule Name : Nad Auth</P><P>Conditions</P><P>if: Any</P><P>AND : AD1:ExternalGroups EQUALS IT_Departments</P><P>Permissions , then PermitAccess</P><P></P><P>What I don't understand is that it needs to match an "identity group" which can be either "Endpoint Identity group" or "Users Identity group" , I am limited with the if statement and cannot chose the same <SPAN style="text-decoration: underline;">device group</SPAN> a choose before .</P><P>How can i do that , i am thinking ahead an asking myself if in other cases a user might match this policy rule and can interfer ?</P></BODY></HTML> Fri, 13 Jul 2012 14:03:05 GMT vvvnnnzzz 2012-07-13T14:03:05Z https://community.cisco.com/t5/network-access-control/ise-aaa-radius-authentication-for-nad-access/m-p/2003375#M255330 <P>Hi ,</P><P>I have configured the switches to use the ISE as the Radius server to authenticate with , on the ISE i've configured an authentication policy</P><P>for the "NADs" using the "Wired Devices" group which points to the AD indentity source to authenticate against .</P><P>While testing the login access to the switches we've come up with 2 results :</P><P>1.A domain user can indeed login to the switch as intended.</P><P>2.Every domain user which exists in the AD indentity source can login , this is an undesired result .</P><P></P><P>So I am trying to search for a way to restrict access to the NADs to only a particular group belonging to the AD , for example the group/ou</P><P>of the IT_department only .</P><P>I haven't been successfull , would appreciate any ideas on how to accomplish this .</P><P></P><P></P><P>Switch configurations :</P><P>=================</P><P>aaa new-model</P><P>!</P><P>aaa authentication login default group radius local</P><P>!</P><P> ISE Authentication policy</P><P>==================</P><P>!</P><P>Policy Name : NADs Authentication</P><P>Condition:&nbsp; "DEVICE:Device Type Equals :All Device Types#Wired"</P><P>Allowed Protocol : Default Network Access</P><P>use identity source : AD1</P><P>!</P> Mon, 11 Mar 2019 02:17:57 GMT https://community.cisco.com/t5/network-access-control/ise-aaa-radius-authentication-for-nad-access/m-p/2003375#M255330 vvvnnnzzz 2019-03-11T02:17:57Z https://community.cisco.com/t5/network-access-control/ise-aaa-radius-authentication-for-nad-access/m-p/2003376#M255340 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>You need to add another condition to you current authorization policy which looks for the AD:ExternalGroup and set that equal to your OU in AD. Click the plus button in the current policy to add another conidition to this policy.</P></BODY></HTML> Fri, 13 Jul 2012 13:39:51 GMT https://community.cisco.com/t5/network-access-control/ise-aaa-radius-authentication-for-nad-access/m-p/2003376#M255340 Tarik Admani 2012-07-13T13:39:51Z https://community.cisco.com/t5/network-access-control/ise-aaa-radius-authentication-for-nad-access/m-p/2003377#M255355 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>Your are refering to the authorization policy whereas I do not ( i am talking about the authentication ) , the moment i get the prompt of the switch for username+pass and i am using a correct domain user i will be granted access , the authorization policy doesnt come in effect here , am I wrong ?</P><P>At this specific case i am not trying to authorize the user to a specific network vlan or envirounment but to only control the users allowed to admin the switch .</P></BODY></HTML> Fri, 13 Jul 2012 13:48:43 GMT https://community.cisco.com/t5/network-access-control/ise-aaa-radius-authentication-for-nad-access/m-p/2003377#M255355 vvvnnnzzz 2012-07-13T13:48:43Z https://community.cisco.com/t5/network-access-control/ise-aaa-radius-authentication-for-nad-access/m-p/2003378#M255373 <HTML><HEAD></HEAD><BODY><P>That is correct, you can not limit authentication to a specific group of users, only the database they reside in. It is up to the authorization policy then to find what group they are a member of and then give the configured access.</P><P></P><P>Thanks,</P><P>Tarik admani</P></BODY></HTML> Fri, 13 Jul 2012 13:52:35 GMT https://community.cisco.com/t5/network-access-control/ise-aaa-radius-authentication-for-nad-access/m-p/2003378#M255373 Tarik Admani 2012-07-13T13:52:35Z https://community.cisco.com/t5/network-access-control/ise-aaa-radius-authentication-for-nad-access/m-p/2003379#M255396 <HTML><HEAD></HEAD><BODY><P>Thank you for the quick replys , and now&nbsp; ok , I've configured the following authorization policy :</P><P>Rule Name : Nad Auth</P><P>Conditions</P><P>if: Any</P><P>AND : AD1:ExternalGroups EQUALS IT_Departments</P><P>Permissions , then PermitAccess</P><P></P><P>What I don't understand is that it needs to match an "identity group" which can be either "Endpoint Identity group" or "Users Identity group" , I am limited with the if statement and cannot chose the same <SPAN style="text-decoration: underline;">device group</SPAN> a choose before .</P><P>How can i do that , i am thinking ahead an asking myself if in other cases a user might match this policy rule and can interfer ?</P></BODY></HTML> Fri, 13 Jul 2012 14:03:05 GMT https://community.cisco.com/t5/network-access-control/ise-aaa-radius-authentication-for-nad-access/m-p/2003379#M255396 vvvnnnzzz 2012-07-13T14:03:05Z https://community.cisco.com/t5/network-access-control/ise-aaa-radius-authentication-for-nad-access/m-p/2003380#M255432 <HTML><HEAD></HEAD><BODY><P>Do not worry about the condition on the left since those are for the internal endpoint and user database. you will use the original policy you pasted but click the <SPAN __jive_emoticon_name="plus" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/plus.gif"></SPAN> and combine it with the AD external group so that when both conditions succeed you will then get the result you referenced in the policy.</P><P></P><P>Thanks,</P><P>Tarik Admani</P></BODY></HTML> Fri, 13 Jul 2012 14:09:56 GMT https://community.cisco.com/t5/network-access-control/ise-aaa-radius-authentication-for-nad-access/m-p/2003380#M255432 Tarik Admani 2012-07-13T14:09:56Z https://community.cisco.com/t5/network-access-control/ise-aaa-radius-authentication-for-nad-access/m-p/2003381#M255460 <HTML><HEAD></HEAD><BODY><P>I think i understood your idea , I've added the same group as a condition and combined with the AD:external groups</P><P>and that should do the work .</P><P>I've attached a screenshot to display the conditions I've set </P><P></P><P><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/7/5/7/95757-ise_auth_nad.jpg" class="jive-image" /></P><P>now all that remains is to test it on site <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN> , since this is a limited lab envirounment .</P><P>thanks,</P></BODY></HTML> Fri, 13 Jul 2012 14:17:44 GMT https://community.cisco.com/t5/network-access-control/ise-aaa-radius-authentication-for-nad-access/m-p/2003381#M255460 vvvnnnzzz 2012-07-13T14:17:44Z https://community.cisco.com/t5/network-access-control/ise-aaa-radius-authentication-for-nad-access/m-p/2003382#M255499 <HTML><HEAD></HEAD><BODY><P>No problem that is how I configure the policies, please remember to rate any helpful feedback after you are finished with your testing.</P><P></P><P>Thanks,</P><P>Tarik admani</P></BODY></HTML> Fri, 13 Jul 2012 14:22:16 GMT https://community.cisco.com/t5/network-access-control/ise-aaa-radius-authentication-for-nad-access/m-p/2003382#M255499 Tarik Admani 2012-07-13T14:22:16Z