topic Did you select the group in in Network Access Control

only specific groups should get authenticated on ISE instead of entire AD

tabish bhat — Mon, 11 Mar 2019 06:43:27 GMT

Hello friends,

I integrated ISE to AD, but all users in AD are getting authenticated against my network devices and get landed in exec mode, though these users do not have privileges to do the configuration, only network admins are able to do so becoz i have defined admin groups names in authorization policy, now what i want to define only specific groups names in authentication policy instead of AD name, , is there any way to do so ?

Many thanks in advance.

Regards/Tash

You should just use more

jan.nielsen — Sat, 30 Apr 2016 20:17:30 GMT

You should just use more specific authorization rules for admins and then deny all others access, theres no need to create specific authentication rules.

Create a condition in the

Joseph Johnson — Sat, 30 Apr 2016 22:06:18 GMT

Create a condition in the authorization rule that requires the External Groups for the AD to contain the Network Admins domain group (whatever it is called). If you have multiple groups, use the OR operator to have multiple external groups defined.

Hi Joseph,

tabish bhat — Sun, 01 May 2016 05:01:30 GMT

Hi Joseph,

Thanks for your reply

I created below rules in authorization policy,

Rule-name -any- AD-External groups equals to (Network admin groups)

deny-rule if no-match denyall. but users are still get authenticated for level 0

Please let me know if i am doing it correctly.

Thanks & Regards

Tash

Hello Jan,

tabish bhat — Sun, 01 May 2016 05:02:36 GMT

Hello Jan,

Thanks for the reply,

But that is what i did,

I created below rules in authorization policy,

Rule-name -any- AD-External groups equals to (Network admin groups)

deny-rule if no-match denyall. but users are still get authenticated for level 0

Please let me know if i am doing it correctly

Regards

Tash

Did you select the group in

jan.nielsen — Sun, 01 May 2016 11:37:05 GMT

Did you select the group in the first column right after the word "if" ? or have you put it in the conditions column after the word "and" ? It needs to be selected in the first one. Using conditions to match AD groups does not work.

It would help if you uploaded a screenshot of the rules.

That should work. You may

Joseph Johnson — Sun, 01 May 2016 13:24:21 GMT

That should work. It depends on any rules you have before that one that could hit first. Check your authentication logs after someone attempts to log in to make sure it is working.

You may have to change the Equals to Contains. I've had issues with nested groups and the equals not hitting.

Hi Jan,

tabish bhat — Sun, 01 May 2016 16:49:22 GMT

Hi Jan,

I have chosen "any" right after "if" becoz i could not find groups that i have retrieved from AD

After "any " "and "I have selected AD-External groups equals to admingroup.

Please find the screenshot.

Thanks

Tash

That won't work, did you add

jan.nielsen — Sun, 01 May 2016 18:29:51 GMT

That won't work, did you add the groups you wan't to check for membership of in the menu External Identity Sources/Active Directory/AD-name/Groups? The ones you add there, should show up when you press the + next to "if" and select the name you gave your external ad definition.

Hi Jan,

tabish bhat — Mon, 02 May 2016 09:22:10 GMT

Hi Jan,

I need to check that becoz next to if i can see only AD- External groups and on the last tab i could find AD groups.

Thanks

Tash

Actually, i was wrong the

jan.nielsen — Mon, 02 May 2016 13:20:41 GMT

Actually, i was wrong the identity groups you select in the column after the "if" is only internal ise identity groups, it should be chosen in the regular conditions as AD:Externalgroups="the group you added to your AD settings", that group should be listed.

Hi jan

tabish bhat — Mon, 02 May 2016 13:41:10 GMT

Hi jan

Yes..that is how i created these conditions..

Admin if any AD-External-group equals networkadmingroup.

Regards

Tabish