https://community.cisco.com/t5/network-access-control/ise-admin-access-extra-condition-with-external-username-quot/m-p/3564742#M517625 <HTML><HEAD></HEAD><BODY><P>Sorry Michael, I misinterpreted your question! I think the only way to accomplish what you want to do with ISE is to have those users with the “A” accounts be a member of a user group in the directory….so they could be a member of the “A” group to gain access to ISE administration. I was reading your request as device administration for some reason.</P><P></P><P>George</P></BODY></HTML> Mon, 26 Feb 2018 19:45:11 GMT gbekmezi-DD 2018-02-26T19:45:11Z https://community.cisco.com/t5/network-access-control/ise-admin-access-extra-condition-with-external-username-quot/m-p/3564739#M517622 <HTML><HEAD></HEAD><BODY><P>Dear experts, </P><P></P><P>while migrating some ACS solution,&nbsp; our partner is challenged with an option, that exists in ACS 5.x, but seems to be hard to build in ISE.</P><P>The goal is to trigger and authorize with an&nbsp; "external AD membership", which is fine, but then also "Require the Username" to fulfill an extra condition = (example)&nbsp; "Begins with A".</P><P>So any ISE-Admin, who could authenticate and achieve a "Super-Power-Role", not only is member of a specific AD-Group, but also has been assigned a "Username = Starts with A". Only if both match, he would achieve the "Super-Power-Role".</P><P>Reason beeing, that structured User-Naming was enforced with this condition, whereas membership for other users in the same AD group could not be prevented.</P><P></P><P>We had a look at various UI elements, but did not achieve to find a way to squeeze this "Condition check" into the Authorization rules. </P><P>All we are offered is "External Group, whereas ACS has this setting as shown below.</P><P></P><P><IMG alt="2018-02-26_ACS-Settings.png" class="image-1 jive-image" src="https://community.cisco.com/legacyfs/online/fusion/115505_2018-02-26_ACS-Settings.png" style="height: auto;" /></P><P></P><P>Kind regards</P><P>/michael</P></BODY></HTML> Mon, 26 Feb 2018 17:18:29 GMT https://community.cisco.com/t5/network-access-control/ise-admin-access-extra-condition-with-external-username-quot/m-p/3564739#M517622 mvassigh 2018-02-26T17:18:29Z https://community.cisco.com/t5/network-access-control/ise-admin-access-extra-condition-with-external-username-quot/m-p/3564740#M517623 <HTML><HEAD></HEAD><BODY><P>Would this work for you?</P><P></P><P></P><P></P><P>I just tested with Network Access:UserName STARTS_WITH as well as TACACS:User STARTS_WITH and they both work.</P><P></P><P></P><P>George</P></BODY></HTML> Mon, 26 Feb 2018 18:15:11 GMT https://community.cisco.com/t5/network-access-control/ise-admin-access-extra-condition-with-external-username-quot/m-p/3564740#M517623 gbekmezi-DD 2018-02-26T18:15:11Z https://community.cisco.com/t5/network-access-control/ise-admin-access-extra-condition-with-external-username-quot/m-p/3564741#M517624 <HTML><HEAD></HEAD><BODY><P>Dear George, </P><P></P><P>thanks for highlighting the option, but would this apply for ISE-UI login process as well ?</P><P>I thought Network-Access is for "Pass-Through" not "Pass-To" Authentications, meaning that "some device" is asking for Authentication-Services, versus ISE-UI itself is asking for that.</P><P></P><P>Does that make sense ?</P><P>regards</P><P>/michael</P></BODY></HTML> Mon, 26 Feb 2018 19:21:25 GMT https://community.cisco.com/t5/network-access-control/ise-admin-access-extra-condition-with-external-username-quot/m-p/3564741#M517624 mvassigh 2018-02-26T19:21:25Z https://community.cisco.com/t5/network-access-control/ise-admin-access-extra-condition-with-external-username-quot/m-p/3564742#M517625 <HTML><HEAD></HEAD><BODY><P>Sorry Michael, I misinterpreted your question! I think the only way to accomplish what you want to do with ISE is to have those users with the “A” accounts be a member of a user group in the directory….so they could be a member of the “A” group to gain access to ISE administration. I was reading your request as device administration for some reason.</P><P></P><P>George</P></BODY></HTML> Mon, 26 Feb 2018 19:45:11 GMT https://community.cisco.com/t5/network-access-control/ise-admin-access-extra-condition-with-external-username-quot/m-p/3564742#M517625 gbekmezi-DD 2018-02-26T19:45:11Z