topic Re: Impact of Moving AD Group on ISE in Network Access Control

Impact of Moving AD Group on ISE

mumbles202 — Tue, 11 Oct 2022 16:17:27 GMT

Currently I'm using ISE in front of most network devices and referencing an AD group for admins. That group membership isn't changing, but I do need to move it to another OU within Active Directory. What changes do I need to make in ISE, if any, since the path to the group will be changing?

Re: Impact of Moving AD Group on ISE

balaji.bandi — Tue, 11 Oct 2022 16:30:46 GMT

First i would add other OU to ISE and test it, before removing old one.

Re: Impact of Moving AD Group on ISE

mumbles202 — Tue, 11 Oct 2022 17:06:28 GMT

Can I add a 2nd group with the same name? Path is currently:

mydomain.local/DomainGroup/Groups/NetAdmins

And would be moving to the following path:

mydomain.local/IT/SecurityGroups/NetAdmins

Re: Impact of Moving AD Group on ISE

balaji.bandi — Wed, 12 Oct 2022 11:26:53 GMT

You can add another one to same rule, if the user belong to mydomain.local/DomainGroup/Groups/NetAdmins or mydomain.local/IT/SecurityGroups/NetAdmins

Add one test user in the new mydomain.local/IT/SecurityGroups/NetAdmins and test it.

Re: Impact of Moving AD Group on ISE

Aref Alsouqi — Wed, 12 Oct 2022 11:35:36 GMT

If you are using the AD groups on the policy rules then you wouldn't need to do anything on ISE as the AD group path wouldn't change if you change the OU. However, if you are using the OUs, or, if you want to start using the OUs then you need to set up your policies to look at the OUs. Take a look please at this post of mine that shows all the required steps:

https://bluenetsec.com/how-to-use-active-directory-ous-in-cisco-ise-authorization-rules/

Re: Impact of Moving AD Group on ISE

mumbles202 — Wed, 12 Oct 2022 14:24:45 GMT

Thanks for the reply. I'm currently doing authorization based on AD group membership, not the OU an account resides in.

If I go into ISE and the following path:

Administration --> External Identity Sources --> Active Directory --> Groups (after selecting my domain)

I see the groups I'm referring to listed, along w/ the path to the group. If I go to:

Work Centers --> Policy Elements

and then select the element I'm using it shows the following:

mydomain:ExternalGroups
Equals --> current path to group in AD.

I tested moving the group in AD last night to the new OU and confirmed I was still able to login to devices, but the path never go updated. Does ISE just go based on the SID of the group once the group is added to ISE? I was able to click "Add" under groups and locate the new path, but as the SID is the same as the old it wouldn't allow me to save it. And when I manually edited the currently defined group with the new path it failed to save as the group is in use in a policy.

It seems to work fine, just wanted it to be consistent in case someone else has to look at it in the future.

Re: Impact of Moving AD Group on ISE

Aref Alsouqi — Wed, 12 Oct 2022 17:22:29 GMT

You can select the groups, remove them, and then re-add them.

Re: Impact of Moving AD Group on ISE

mumbles202 — Wed, 12 Oct 2022 17:31:22 GMT

Thanks. I just have to go back in and update my element then to reflect the new group (same name, new path)? Will any rules error out as the element will be invalid while I'm making the changes?

Re: Impact of Moving AD Group on ISE

Aref Alsouqi — Thu, 13 Oct 2022 11:14:22 GMT

If the AD groups paths change, then yes you would need to go the policy sets and updating the rules.