topic Re: Policy Set wrapper Creation with user AD group name in Network Access Control

Policy Set wrapper Creation with user AD group name

Jay Tiwari — Thu, 11 Apr 2019 05:42:46 GMT

Hi Team,

One of my customers wants to create Policy Set with condition of user AD group (at cover of policy set), however, i don't see option to select the AD group name.

Is there any idea if we will support in upcoming releases.

Thanks,

Jay

Re: Policy Set wrapper Creation with user AD group name

Arne Bier — Thu, 11 Apr 2019 05:55:21 GMT

While I understand the requirement, I doubt ISE would do this, since it is non sensical because authentication has not yet taken place. In the Policy Set Conditions were are checking the radius attributes for hints about the type of authentication (e.g. Service-Type, etc) and who is making the request (e.g. NDG which is basically checking the source IP of the request ). Even if ISE had the ability to check AD Group, you would first need to have passed authentication in order to care about the users AD attributes and groups. It would be very CPU intensive to perform this check for every radius request prior to the authentication stage.

AD Group checks are generally done during Authorization because it makes sense to do it here. Why does this not meet the customer’s needs?

Re: Policy Set wrapper Creation with user AD group name

Mohammed al Baqari — Thu, 11 Apr 2019 06:53:33 GMT

Hi,

I don't see how this will work. Technically you can read AD group before
authenticating the user successfully to get its attribute

Re: Policy Set wrapper Creation with user AD group name

Jason Kunst — Thu, 11 Apr 2019 10:22:02 GMT

I don’t get your response. Authentication simply checks if the credentials are valid and then continues onto authorization