https://community.cisco.com/t5/network-access-control/ise-2-4-authentication-identity-groups-unavailable/m-p/3931556#M456805 <P>It was pointed out that our default policy set was not configured for best practice.&nbsp; We had been pointing the default authentication to our RSA service.&nbsp; In an attempt to change the default to deny access, I had to come up with a limiting method to prevent unnecessary/unacceptable request from being passed to the RSA service.&nbsp; I thought I would use an AD group as a userid cache to qualify what userids would be sent onto the RSA service.&nbsp; In addition, I am focused in the device admin section and the authentication I am handling is a tacacs communication.&nbsp; As I dug into it I quickly discovered I could not manually define an AD group criteria nor could I use the previously created AD identity groups that I use in the authorization policy sets.&nbsp; In fact, no identity groups are available when clicking on that icon in the authentication set.&nbsp; My sad work around is this:&nbsp; because we have standardized user account name, I took the tacacs username and qualified based on matching beginning characters of the usernames... While this works, that set is far greater than the userids I want to forward to our RSA service.&nbsp; Is this limitation engineered by design?&nbsp; Am I looking at Authentication in the wrong way?&nbsp;</P> Fri, 27 Sep 2019 15:42:13 GMT ssschunk1 2019-09-27T15:42:13Z https://community.cisco.com/t5/network-access-control/ise-2-4-authentication-identity-groups-unavailable/m-p/3931556#M456805 <P>It was pointed out that our default policy set was not configured for best practice.&nbsp; We had been pointing the default authentication to our RSA service.&nbsp; In an attempt to change the default to deny access, I had to come up with a limiting method to prevent unnecessary/unacceptable request from being passed to the RSA service.&nbsp; I thought I would use an AD group as a userid cache to qualify what userids would be sent onto the RSA service.&nbsp; In addition, I am focused in the device admin section and the authentication I am handling is a tacacs communication.&nbsp; As I dug into it I quickly discovered I could not manually define an AD group criteria nor could I use the previously created AD identity groups that I use in the authorization policy sets.&nbsp; In fact, no identity groups are available when clicking on that icon in the authentication set.&nbsp; My sad work around is this:&nbsp; because we have standardized user account name, I took the tacacs username and qualified based on matching beginning characters of the usernames... While this works, that set is far greater than the userids I want to forward to our RSA service.&nbsp; Is this limitation engineered by design?&nbsp; Am I looking at Authentication in the wrong way?&nbsp;</P> Fri, 27 Sep 2019 15:42:13 GMT https://community.cisco.com/t5/network-access-control/ise-2-4-authentication-identity-groups-unavailable/m-p/3931556#M456805 ssschunk1 2019-09-27T15:42:13Z https://community.cisco.com/t5/network-access-control/ise-2-4-authentication-identity-groups-unavailable/m-p/3931618#M456806 <P>It sounds like you might be missing a step, but my bad if I misunderstood the issue. In order to have AD groups available for use within ISE policy sets, or admin access areas, you need to "add" them to ISE. <BR />1. navigate to&nbsp;https://&lt;ISE_IP&gt;/admin/#administration/administration_identitymanagement/administration_identitymanagement_external<BR />2. Click on your AD connector<BR />3. In the middle of the page you will have a "groups" tab, click it.<BR />4. Search and add AD groups you would like to leverage within ISE.&nbsp;</P> <P>&nbsp;</P> <P>At this point you will have them available when you are creating radius/tacacs rules.&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ad.png" style="width: 701px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/45761iB5CBA2770C4E1506/image-dimensions/701x309?v=v2" width="701" height="309" role="button" title="ad.png" alt="ad.png" /></span></P> Fri, 27 Sep 2019 17:12:43 GMT https://community.cisco.com/t5/network-access-control/ise-2-4-authentication-identity-groups-unavailable/m-p/3931618#M456806 Damien Miller 2019-09-27T17:12:43Z https://community.cisco.com/t5/network-access-control/ise-2-4-authentication-identity-groups-unavailable/m-p/3932136#M456808 <P>You are correct on this. This is by the current design of ISE that ID groups available during authorization only but not during authentication.</P> Sun, 29 Sep 2019 16:52:24 GMT https://community.cisco.com/t5/network-access-control/ise-2-4-authentication-identity-groups-unavailable/m-p/3932136#M456808 hslai 2019-09-29T16:52:24Z https://community.cisco.com/t5/network-access-control/ise-2-4-authentication-identity-groups-unavailable/m-p/3933902#M456810 Thanks. Not really the answer I wanted and it really limits my authentication options. Any insight on this becoming a future feature add? Wed, 02 Oct 2019 15:41:51 GMT https://community.cisco.com/t5/network-access-control/ise-2-4-authentication-identity-groups-unavailable/m-p/3933902#M456810 ssschunk1 2019-10-02T15:41:51Z