https://community.cisco.com/t5/network-access-control/query-specific-ad-group-using-certificate-common-name/m-p/3554001#M511018 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>How can I check if an username retrieved from the certificate common name belongs to a specific AD group? In the policy set I can match against the general AD as an external group object <SPAN style="font-size: 13.3333px;">(have a look at the attached screenshot) </SPAN>so ISE performs a lookup among all AD groups&nbsp; but, is it possible to reference the exact AD group?</P><P>I need to create different <SPAN style="font-size: 13.3333px;">authorization rules for </SPAN>my 802.1x wireless clients based on the AD group they belong to.</P><P></P><P>Regards.</P></BODY></HTML> Thu, 05 Apr 2018 13:54:59 GMT Antonio Macia 2018-04-05T13:54:59Z https://community.cisco.com/t5/network-access-control/query-specific-ad-group-using-certificate-common-name/m-p/3554001#M511018 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>How can I check if an username retrieved from the certificate common name belongs to a specific AD group? In the policy set I can match against the general AD as an external group object <SPAN style="font-size: 13.3333px;">(have a look at the attached screenshot) </SPAN>so ISE performs a lookup among all AD groups&nbsp; but, is it possible to reference the exact AD group?</P><P>I need to create different <SPAN style="font-size: 13.3333px;">authorization rules for </SPAN>my 802.1x wireless clients based on the AD group they belong to.</P><P></P><P>Regards.</P></BODY></HTML> Thu, 05 Apr 2018 13:54:59 GMT https://community.cisco.com/t5/network-access-control/query-specific-ad-group-using-certificate-common-name/m-p/3554001#M511018 Antonio Macia 2018-04-05T13:54:59Z https://community.cisco.com/t5/network-access-control/query-specific-ad-group-using-certificate-common-name/m-p/3554002#M511019 <HTML><HEAD></HEAD><BODY><P>If your ISE is of 2.x and fresh install, then there should be a Preloaded_Certificate_Profile with Use Identity From set to Subject - Common Name. If this is not there, you may create one with similar settings.</P><P></P><P>Then, select it for authentication and the AD group/attribute lookups in authorization will be using the common name field as the username.</P><P><IMG __jive_id="116341" alt="Screen Shot 2018-04-05 at 7.21.40 AM.png" class="image-1 jive-image" src="/legacyfs/online/fusion/116341_Screen Shot 2018-04-05 at 7.21.40 AM.png" style="height: 258px; width: 620px;" /></P><P></P><P>BTW... I do not think your existing condition would work well as the AD external groups in ISE 1.3+ are represented in SIDs.</P></BODY></HTML> Thu, 05 Apr 2018 14:27:58 GMT https://community.cisco.com/t5/network-access-control/query-specific-ad-group-using-certificate-common-name/m-p/3554002#M511019 hslai 2018-04-05T14:27:58Z https://community.cisco.com/t5/network-access-control/query-specific-ad-group-using-certificate-common-name/m-p/3554003#M511020 <HTML><HEAD></HEAD><BODY><P>The CAP that Hsing mentions is how you identify what attribute in the certificate is used for identity (i.e. Common Name, etc). If you want to check that credential against your AD as part of the Authentication stage, you would also need to select your AD in the Identity Store dropdown box.</P><P></P><P>You can provide differentiated access for different AD user groups in the Authorisation Policy using the &lt;AD&gt;:ExternalGroups EQUALS &lt;group&gt; attribute.</P><P><IMG alt="Screen Shot 2018-04-06 at 9.11.34 am.png" class="image-1 jive-image" src="/legacyfs/online/fusion/116381_Screen Shot 2018-04-06 at 9.11.34 am.png" style="height: 152px; width: 620px;" /></P><P></P><P>-Regards</P><P>Greg</P></BODY></HTML> Fri, 06 Apr 2018 00:10:43 GMT https://community.cisco.com/t5/network-access-control/query-specific-ad-group-using-certificate-common-name/m-p/3554003#M511020 Greg Gibbs 2018-04-06T00:10:43Z https://community.cisco.com/t5/network-access-control/query-specific-ad-group-using-certificate-common-name/m-p/3554004#M511021 <HTML><HEAD></HEAD><BODY><P>Thanks Gregory and hslai. </P><P>I was creating the AuthZ conditions from the Policy Set menu instead from the Library Conditions and couldn't find the group selection. </P></BODY></HTML> Mon, 16 Apr 2018 15:57:19 GMT https://community.cisco.com/t5/network-access-control/query-specific-ad-group-using-certificate-common-name/m-p/3554004#M511021 Antonio Macia 2018-04-16T15:57:19Z