https://community.cisco.com/t5/network-access-control/ldap-query/m-p/3451426#M522778 <HTML><HEAD></HEAD><BODY><P>I have a customer having some issues with creating authorization policies based on LDAP attributes. See below:</P><P></P><P style="font-size: 11pt; font-family: Calibri, sans-serif;">They want to control MAB workstations network placement based on gidNumbers.</P><P></P><P style="font-size: 11pt; font-family: Calibri, sans-serif;">Two authorization policies defined with ISE for MAB:</P><P></P><P style="font-size: 11pt; font-family: Calibri, sans-serif;">rule 1 - Wired_MAB and ldap:ExternalGroups EQUALS 1000 then dacl_test</P><P></P><P style="font-size: 11pt; font-family: Calibri, sans-serif;">rule 2 - Wired_MAB then dacl_no_gid</P><P></P><P style="font-size: 11pt; font-family: Calibri, sans-serif;">Following device authentication via the LDAP and during the authorization phase devices matching rule #1 are skipping rule 1 and matching the simpler rule 2.&nbsp; We want to control workstation placement based on gidNumber or some other ldap group membership or ldap attribute.&nbsp; In this way, we can script ldapmodify to move workstations through various phases of our build and analysis both before and after users have done their work.</P><P style="font-size: 11pt; font-family: Calibri, sans-serif;"></P><P style="font-size: 11pt; font-family: Calibri, sans-serif;">Is there something missing in the policy? Is there a better way to accomplish matching on the gidNumber?</P><P style="font-size: 11pt; font-family: Calibri, sans-serif;"></P><P style="font-size: 11pt; font-family: Calibri, sans-serif;">Thanks</P><P style="font-size: 11pt; font-family: Calibri, sans-serif;"></P><P style="font-size: 11pt; font-family: Calibri, sans-serif;">- Paul</P></BODY></HTML> Wed, 16 Aug 2017 18:37:18 GMT pschnake 2017-08-16T18:37:18Z https://community.cisco.com/t5/network-access-control/ldap-query/m-p/3451426#M522778 <HTML><HEAD></HEAD><BODY><P>I have a customer having some issues with creating authorization policies based on LDAP attributes. See below:</P><P></P><P style="font-size: 11pt; font-family: Calibri, sans-serif;">They want to control MAB workstations network placement based on gidNumbers.</P><P></P><P style="font-size: 11pt; font-family: Calibri, sans-serif;">Two authorization policies defined with ISE for MAB:</P><P></P><P style="font-size: 11pt; font-family: Calibri, sans-serif;">rule 1 - Wired_MAB and ldap:ExternalGroups EQUALS 1000 then dacl_test</P><P></P><P style="font-size: 11pt; font-family: Calibri, sans-serif;">rule 2 - Wired_MAB then dacl_no_gid</P><P></P><P style="font-size: 11pt; font-family: Calibri, sans-serif;">Following device authentication via the LDAP and during the authorization phase devices matching rule #1 are skipping rule 1 and matching the simpler rule 2.&nbsp; We want to control workstation placement based on gidNumber or some other ldap group membership or ldap attribute.&nbsp; In this way, we can script ldapmodify to move workstations through various phases of our build and analysis both before and after users have done their work.</P><P style="font-size: 11pt; font-family: Calibri, sans-serif;"></P><P style="font-size: 11pt; font-family: Calibri, sans-serif;">Is there something missing in the policy? Is there a better way to accomplish matching on the gidNumber?</P><P style="font-size: 11pt; font-family: Calibri, sans-serif;"></P><P style="font-size: 11pt; font-family: Calibri, sans-serif;">Thanks</P><P style="font-size: 11pt; font-family: Calibri, sans-serif;"></P><P style="font-size: 11pt; font-family: Calibri, sans-serif;">- Paul</P></BODY></HTML> Wed, 16 Aug 2017 18:37:18 GMT https://community.cisco.com/t5/network-access-control/ldap-query/m-p/3451426#M522778 pschnake 2017-08-16T18:37:18Z https://community.cisco.com/t5/network-access-control/ldap-query/m-p/3451427#M522779 <HTML><HEAD></HEAD><BODY><P>What version/Patch Level are you running on ISE?</P><P></P><P>You might try to write</P><P></P><P><SPAN style="color: #3d3d3d; font-family: Calibri, sans-serif; font-size: 14.6667px;">rule 1 - ldap:ExternalGroups EQUALS 1000 and <SPAN style="color: #3d3d3d; font-family: Calibri, sans-serif; font-size: 14.6667px;">Wired_MAB </SPAN>then dacl_test</SPAN></P></BODY></HTML> Thu, 17 Aug 2017 12:41:53 GMT https://community.cisco.com/t5/network-access-control/ldap-query/m-p/3451427#M522779 Charlie Moreton 2017-08-17T12:41:53Z https://community.cisco.com/t5/network-access-control/ldap-query/m-p/3451428#M522780 <HTML><HEAD></HEAD><BODY><P>Thanks. They are running 2.2 but not sure of the patch level. And, the customer figured it out. He was able to fix the ldap gid issue by using the gid as an attribute rather than trying to match the gid from the group.</P></BODY></HTML> Thu, 17 Aug 2017 14:31:43 GMT https://community.cisco.com/t5/network-access-control/ldap-query/m-p/3451428#M522780 pschnake 2017-08-17T14:31:43Z