https://community.cisco.com/t5/network-access-control/ise-easy-connect-with-trusted-domains/m-p/3865122#M472615 <P>Dear&nbsp;<SPAN>&nbsp;</SPAN><SPAN class="UserName lia-user-name lia-user-rank-Cisco-Employee lia-component-message-view-widget-author-username"><SPAN class="">Yalbikaw</SPAN></SPAN></P><P><SPAN class="UserName lia-user-name lia-user-rank-Cisco-Employee lia-component-message-view-widget-author-username"><SPAN class="">Thank you for your answer. It was very useful!&nbsp;</SPAN></SPAN></P> Thu, 30 May 2019 12:20:21 GMT netcrackercorp 2019-05-30T12:20:21Z https://community.cisco.com/t5/network-access-control/ise-easy-connect-with-trusted-domains/m-p/3863710#M472605 <P>Hi all,</P><P>We are going to implement Easy Connect with Trusted Domains.&nbsp;</P><P>We have groups from domain A and users from domain B.&nbsp;</P><P>TEST USER tool shows that ISE goes to joint point which is domain A but cannot find an user, then it goes to domain B and pull information regarding user from there. Unfortunately there are no required groups in domain B.&nbsp;</P><P>Is it normal behavior for ISE? Is it possible for ISE to understand that a group and user belong to different domains?&nbsp;</P> Tue, 28 May 2019 13:04:44 GMT https://community.cisco.com/t5/network-access-control/ise-easy-connect-with-trusted-domains/m-p/3863710#M472605 netcrackercorp 2019-05-28T13:04:44Z https://community.cisco.com/t5/network-access-control/ise-easy-connect-with-trusted-domains/m-p/3864121#M472609 I have asked the expert to take a look<BR /> Tue, 28 May 2019 21:49:20 GMT https://community.cisco.com/t5/network-access-control/ise-easy-connect-with-trusted-domains/m-p/3864121#M472609 Jason Kunst 2019-05-28T21:49:20Z https://community.cisco.com/t5/network-access-control/ise-easy-connect-with-trusted-domains/m-p/3864129#M472611 <P>this situation is complex.</P> <P>&nbsp;</P> <P>because you are retrieving a domain local group for users in outside of this domain</P> <P>&nbsp;</P> <P>please check this document i believe it matches your scenario&nbsp;</P> <P>&nbsp;</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/ise_active_directory_integration/b_ISE_AD_integration_2x.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/ise_active_directory_integration/b_ISE_AD_integration_2x.html</A></P> <P>&nbsp;</P> <H2 class="topictitle2">Authorization Against an Active Directory Instance</H2> <DIV> <P>&nbsp;</P> <DIV class="section"><A name="reference_77DFFA97638E4A6782C4BE7559463D95__section_46A12EA4E0F648B6BFD1A00FA4253B34" target="_blank"></A> <P>The following sections explain the mechanism that Cisco ISE uses to authorize a user or a machine against Active Directory.</P> </DIV> </DIV> <DIV class="nested2" lang="en_US"><A name="ID496" target="_blank"></A> <H3 class="topictitle3">Active Directory Attribute and Group Retrieval for Use in Authorization Policies</H3> <DIV> <P><A name="ID496__ID497" target="_blank"></A>Cisco ISE retrieves user or machine attributes and groups from Active Directory for use in authorization policy rules. These attributes can be used in Cisco ISE policies and determine the authorization level for a user or machine. Cisco ISE retrieves user and machine Active Directory attributes after successful authentication and can also retrieve attributes for an authorization that is independent of authentication.</P> <P><A name="ID496__ID498" target="_blank"></A> Cisco ISE may use groups in external identity stores to assign permissions to users or computers; for example, to map users to sponsor groups. You should note the following restrictions on group memberships in Active Directory:</P> <UL> <LI><A name="ID496__li_42DBC7FEB74F467B86AA794D5CFD4771" target="_blank"></A> <P>Policy rule conditions may reference any of the following: a user’s or computer’s primary group, the groups of which a user or computer is a direct member, or indirect (nested) groups.</P> </LI> <LI><A name="ID496__li_03DA80423BE34F07A3320603AF0F449B" target="_blank"></A> <P><FONT color="#FF0000"><U><EM><STRONG>Domain local groups outside a user’s or computer’s account domain are not supported.</STRONG></EM></U></FONT></P> </LI> </UL> <P>&nbsp;</P> <P><FONT color="#000000">from screenshots i can see they are domain local, if they were global things would have been different.</FONT></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> </DIV> </DIV> <P>&nbsp;</P> Tue, 28 May 2019 22:05:56 GMT https://community.cisco.com/t5/network-access-control/ise-easy-connect-with-trusted-domains/m-p/3864129#M472611 yalbikaw 2019-05-28T22:05:56Z https://community.cisco.com/t5/network-access-control/ise-easy-connect-with-trusted-domains/m-p/3865122#M472615 <P>Dear&nbsp;<SPAN>&nbsp;</SPAN><SPAN class="UserName lia-user-name lia-user-rank-Cisco-Employee lia-component-message-view-widget-author-username"><SPAN class="">Yalbikaw</SPAN></SPAN></P><P><SPAN class="UserName lia-user-name lia-user-rank-Cisco-Employee lia-component-message-view-widget-author-username"><SPAN class="">Thank you for your answer. It was very useful!&nbsp;</SPAN></SPAN></P> Thu, 30 May 2019 12:20:21 GMT https://community.cisco.com/t5/network-access-control/ise-easy-connect-with-trusted-domains/m-p/3865122#M472615 netcrackercorp 2019-05-30T12:20:21Z https://community.cisco.com/t5/network-access-control/ise-easy-connect-with-trusted-domains/m-p/3869651#M472617 <P>happy to hear that <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>&nbsp;</P> Fri, 07 Jun 2019 17:52:52 GMT https://community.cisco.com/t5/network-access-control/ise-easy-connect-with-trusted-domains/m-p/3869651#M472617 yalbikaw 2019-06-07T17:52:52Z