https://community.cisco.com/t5/network-access-control/cscvg04576-fix-release/m-p/3446775#M520570 <P><SPAN style="font-family: Calibri, sans-serif;"><SPAN style="font-size: 11pt;">I have a question from an </SPAN><SPAN style="font-size: 14.6667px;">organization</SPAN><SPAN style="font-size: 11pt;">, has around 400 branches, at the moment they used a policy to make sure that employees belonging to a certain branch are connected to it, the policy they used to match device location and AD attribute ( different per branch ) to make sure that users who connects are to correct branch ( AD attribute )&nbsp; and connected to switch allocated in this branch ( device location group), the policy was working fine until they upgraded from 1.2 to 2.2, they hit&nbsp; CSCvg04576 </SPAN></SPAN><SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif; background: white;"> (</SPAN><SPAN style="font-size: 11.0pt; font-family: 'Calibri',sans-serif;">AD:ExternalGroups NOT_CONTAINS DEVICE:Parameter doesn't work and always true), and as per TAC this bug will be on 1.3 onward,</SPAN> <SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif; background: white;">my question</SPAN></P> <P>&nbsp;</P> <P style="text-indent: -.25in;"><SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif;">1-&nbsp;&nbsp;&nbsp; 1- </SPAN><SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif; background: white;">Do have any fix release for&nbsp; CSCvg04576 </SPAN><SPAN style="font-size: 11.0pt; font-family: 'Calibri',sans-serif;">or it will be supported on upcoming ISE versions ?,</SPAN></P> <P><SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif;">2-&nbsp;&nbsp; </SPAN><SPAN style="font-family: Calibri, sans-serif; font-size: 11pt;">Any workaround would be appreciated,</SPAN></P> Sun, 18 Aug 2019 09:22:50 GMT Sherif El Shourafah 2019-08-18T09:22:50Z https://community.cisco.com/t5/network-access-control/cscvg04576-fix-release/m-p/3446775#M520570 <P><SPAN style="font-family: Calibri, sans-serif;"><SPAN style="font-size: 11pt;">I have a question from an </SPAN><SPAN style="font-size: 14.6667px;">organization</SPAN><SPAN style="font-size: 11pt;">, has around 400 branches, at the moment they used a policy to make sure that employees belonging to a certain branch are connected to it, the policy they used to match device location and AD attribute ( different per branch ) to make sure that users who connects are to correct branch ( AD attribute )&nbsp; and connected to switch allocated in this branch ( device location group), the policy was working fine until they upgraded from 1.2 to 2.2, they hit&nbsp; CSCvg04576 </SPAN></SPAN><SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif; background: white;"> (</SPAN><SPAN style="font-size: 11.0pt; font-family: 'Calibri',sans-serif;">AD:ExternalGroups NOT_CONTAINS DEVICE:Parameter doesn't work and always true), and as per TAC this bug will be on 1.3 onward,</SPAN> <SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif; background: white;">my question</SPAN></P> <P>&nbsp;</P> <P style="text-indent: -.25in;"><SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif;">1-&nbsp;&nbsp;&nbsp; 1- </SPAN><SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif; background: white;">Do have any fix release for&nbsp; CSCvg04576 </SPAN><SPAN style="font-size: 11.0pt; font-family: 'Calibri',sans-serif;">or it will be supported on upcoming ISE versions ?,</SPAN></P> <P><SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif;">2-&nbsp;&nbsp; </SPAN><SPAN style="font-family: Calibri, sans-serif; font-size: 11pt;">Any workaround would be appreciated,</SPAN></P> Sun, 18 Aug 2019 09:22:50 GMT https://community.cisco.com/t5/network-access-control/cscvg04576-fix-release/m-p/3446775#M520570 Sherif El Shourafah 2019-08-18T09:22:50Z https://community.cisco.com/t5/network-access-control/cscvg04576-fix-release/m-p/3446776#M520571 <HTML><HEAD></HEAD><BODY><P>First to add responses already provided by Hsing...</P><P></P><P><EM>"AFAIK this is by the current design. The only workaround is to use memberOf attribute but that works with direct members only and not primary groups and could incur performance impact.&nbsp; I would recommend to add and use a specific attribute for the customer use case, instead of trying to match group names.</EM></P><P></P><P><EM>The AD runtime in ISE 1.3 moved to a new implementation such that we are using SIDs for groups instead of the names to be more efficient. Thus, I consider this a bug to address by roadmap(s) and would need PM involvement."</EM></P><P></P><P>I recommend the use of a specific attribute that matches location as defined by ISE Network Device Groups.&nbsp; This way you could have a single policy rule that is similar to the following:</P><P>&nbsp;&nbsp;&nbsp;&nbsp; IF Device:Location EQUALS AD1:Location"</P><P></P><P>This would allow you to control network access based on the NAD location of user (matched to their location defined in AD/LDAP).&nbsp; You could also try using AD LDAP which I think is the same suggestion by Hsing to use memberOf.&nbsp; A cleaner method would be to use attribute like AD Location which is an Indexed attribute in AD.</P><P></P><P>Craig</P></BODY></HTML> Mon, 23 Oct 2017 19:03:45 GMT https://community.cisco.com/t5/network-access-control/cscvg04576-fix-release/m-p/3446776#M520571 Craig Hyps 2017-10-23T19:03:45Z