topic Re: ISE deployment - AD Group in Network Access Control

ISE deployment - AD Group

cnezakaren — Thu, 06 Feb 2020 07:14:48 GMT

Hi,

I am deploying ISE right now, I have just joined AD.

My purpose was to add my AD user as superadmin so I can log into ISE with full access without using default or internal account.

To do that, I had to add a group from Directory... but the group includes more users and I don't want all them to have the full access to ISE.

How can i get around that issue ? For information, my team doesn't manage AD, AD is monitored by another team..

Thank you for your help.

Re: ISE deployment - AD Group

Arne Bier — Thu, 06 Feb 2020 10:29:16 GMT

When using an external User Group for ISE Admin login, you can only apply a "group" concept to the login authentication. It's purely membership based. Unlike the nice tools we have for RADIUS/TACACS+, we cannot perform any regular expressions or pattern matching to the Admin username entry.

Your bets bet would be to create a separate AD Group and move your power users there. Or not use AD at all, and then create local ISE Admin users.