topic Re: AD Nested Groups Configuration in Network Access Control

AD Nested Groups Configuration for CPP policy

Srinivasan Nagarajan — Fri, 12 Mar 2021 19:02:36 GMT

Hi Experts,

We've ISE 2.6 patch 8 and started upgrading the CM from 3.6 to 4.3 on a phased approach by adding a specific CPP policy at the top with the AD groups as other condition. If user is part of the AD group, they'll be provisioned with 4.3, all other users will continue via 3.6 access (fallback).

Now, we're planning to add the groups into the AD group which is used in the CPP configuration to accomplish the phased approach. Now, my query is on the Nested groups. Please assist.

Main Group: CM4.3_VPN_group
Nested group: Sales, Finance, IT, HR, Marketing

1.If ISE can query the nested AD groups?
2.And if yes, what’s the maximum hierarchy level that it can look into?
3. Should the Nested groups (Sales, Finance, IT, HR, Marketing) be added into the External Identity Sources -> AD Group Name -> Groups

Note: Currently, only the main group is added under the External Identity Sources

Re: AD Nested Groups Configuration

Mike.Cifelli — Fri, 12 Mar 2021 16:38:34 GMT

1.If ISE can query the nested AD groups?

-Yes. They will need to be added in ISE if you wish to target those groups as a condition in policies.
2.And if yes, what’s the maximum hierarchy level that it can look into?

-Good question. Honestly not sure if there is one.
3. Should the Nested groups (Sales, Finance, IT, HR, Marketing) be added into the External Identity Sources -> AD Group Name -> Groups

-Depends if you wish to target the exact group. Otherwise all ISE needs is the top level group to reference.

HTH!

Re: AD Nested Groups Configuration

Srinivasan Nagarajan — Fri, 12 Mar 2021 17:01:42 GMT

@Mike.Cifelli

Thanks for the reply. From the above reply, I assume (nested groups not required to be added under External Identity Sources -> AD Group Name -> Groups) and adding only the Main Group would suffice the CPP/Authorization policy to achieve the phased approach to work.

Please confirm?

Re: AD Nested Groups Configuration

Mike.Cifelli — Fri, 12 Mar 2021 17:38:54 GMT

From the above reply, I assume (nested groups not required to be added under External Identity Sources -> AD Group Name -> Groups) and adding only the Main Group would suffice the CPP/Authorization policy to achieve the phased approach to work.

-Yes. That is correct.

Re: AD Nested Groups Configuration

Srinivasan Nagarajan — Fri, 12 Mar 2021 19:00:51 GMT

Thanks @Mike.Cifelli You've been so helpful.

Final one, I've google it but not getting much info. Any idea on how to push the Compliance Module via SCCM..?

Re: AD Nested Groups Configuration for CPP policy

Mike.Cifelli — Fri, 12 Mar 2021 19:54:53 GMT

No problem happy to help. Not really an SCCM guy so not much help there. However, you do have the ability to rely on ISE CPP to upgrade the compliance module. I assume you already are aware of that. Good luck!

Re: AD Nested Groups Configuration for CPP policy

Srinivasan Nagarajan — Mon, 15 Mar 2021 15:40:26 GMT

Hi again @Mike.Cifelli

Can you please confirm if it’s resource intensive on ISE if we push the compliance module for all users in a single shot via CPP?