https://community.cisco.com/t5/network-security/cisco-ise-ldap/m-p/2267596#M920710 <HTML><HEAD></HEAD><BODY><P>The same effect. The ISE said "Authentication failed : 15039 Rejected per authorization profile".</P><P>I tried 3 groups without success.</P></BODY></HTML> Wed, 26 Jun 2013 08:38:50 GMT Marco Serato 2013-06-26T08:38:50Z https://community.cisco.com/t5/network-security/cisco-ise-ldap/m-p/2267592#M920706 <P>Hello</P><P></P><P>I´ve got a problem with the authorization to use a condition with an External Group from the LDAP.</P><P>I bind the LDAP-Server to the ISE and can select all groups that I need for my authorization condition.</P><P></P><P>Now I want to create an authorization profile with the use of the group “Admins”.</P><P>My policy looks like:</P><P></P><P><STRONG>LDAP: ExternalGroups EQUALS CN=Admins,DC=mydomain,DC=com</STRONG></P><P></P><P>The live monitor said every time reject by authorization profile. If I use NOT EQUALS, then the computer get access to the network. It is very confused, because the computer is a member of the group “Admins”.</P><P></P><P>Can anybody help?</P><P></P><P>Many thanks.</P> Fri, 21 Feb 2020 12:54:33 GMT https://community.cisco.com/t5/network-security/cisco-ise-ldap/m-p/2267592#M920706 Marco Serato 2020-02-21T12:54:33Z https://community.cisco.com/t5/network-security/cisco-ise-ldap/m-p/2267593#M920707 <HTML><HEAD></HEAD><BODY><P>I've seen issues while selecting LDAP as an external db with condition/attribute as ExternalGroups. Could you please go to live authentication , clcik on the magnifying glass and paste the details of failed attempt. I would like to know if this group is coming up in the memberOf attributes for the user. </P><P></P><P></P><P>Jatin Katyal <BR />- Do rate helpful posts -</P></BODY></HTML> Tue, 18 Jun 2013 08:42:28 GMT https://community.cisco.com/t5/network-security/cisco-ise-ldap/m-p/2267593#M920707 Jatin Katyal 2013-06-18T08:42:28Z https://community.cisco.com/t5/network-security/cisco-ise-ldap/m-p/2267594#M920708 <HTML><HEAD></HEAD><BODY><P>The appendix is an excerpt. I used the group "domain computers" for test. But I can´t see the group in the attributtes.</P><P>I hope it is helpful.</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>In the appendix are some missing. Here are the Other Attributes:</P><P></P><P>MTU=1500,CPMSessionID=AC1C01C7000000040022D940,EndPointMACAddress=93-9A-88-AD-18-EE,Device Type=Device Type#All Device Types,Location=Location#All Locations,Device IP Address=192.168.178.254,Called-Station-ID=02:81:D0:11:EC:31</P></BODY></HTML> Wed, 19 Jun 2013 07:54:11 GMT https://community.cisco.com/t5/network-security/cisco-ise-ldap/m-p/2267594#M920708 Marco Serato 2013-06-19T07:54:11Z https://community.cisco.com/t5/network-security/cisco-ise-ldap/m-p/2267595#M920709 <HTML><HEAD></HEAD><BODY><P>Since it's not coming in authentication request there is no way the condition will get matched. Please don't use domain computers group for user authentication. Could you please assign user a different group like domain admins and test again.</P><P></P><P></P><P>Jatin Katyal <BR /> - Do rate helpful posts -</P></BODY></HTML> Thu, 20 Jun 2013 12:08:27 GMT https://community.cisco.com/t5/network-security/cisco-ise-ldap/m-p/2267595#M920709 Jatin Katyal 2013-06-20T12:08:27Z https://community.cisco.com/t5/network-security/cisco-ise-ldap/m-p/2267596#M920710 <HTML><HEAD></HEAD><BODY><P>The same effect. The ISE said "Authentication failed : 15039 Rejected per authorization profile".</P><P>I tried 3 groups without success.</P></BODY></HTML> Wed, 26 Jun 2013 08:38:50 GMT https://community.cisco.com/t5/network-security/cisco-ise-ldap/m-p/2267596#M920710 Marco Serato 2013-06-26T08:38:50Z https://community.cisco.com/t5/network-security/cisco-ise-ldap/m-p/2267597#M920711 <HTML><HEAD></HEAD><BODY><P>post screenshot of your authorization rules.</P></BODY></HTML> Mon, 01 Jul 2013 16:35:46 GMT https://community.cisco.com/t5/network-security/cisco-ise-ldap/m-p/2267597#M920711 edondurguti 2013-07-01T16:35:46Z https://community.cisco.com/t5/network-security/cisco-ise-ldap/m-p/2267598#M920712 <HTML><HEAD></HEAD><BODY><P>Here the screenshot</P><P><BR /><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/9/7/2/144279-Authorization%20Policy.jpg" class="jive-image" /></P></BODY></HTML> Wed, 03 Jul 2013 07:29:16 GMT https://community.cisco.com/t5/network-security/cisco-ise-ldap/m-p/2267598#M920712 Marco Serato 2013-07-03T07:29:16Z https://community.cisco.com/t5/network-security/cisco-ise-ldap/m-p/2267599#M920713 <HTML><HEAD></HEAD><BODY><P>Has anybody an idea? The problem still exists. </P><P>I have bind the LDAP add groups from directory once again. But the same effect. </P><P>If I use </P><P></P><P><STRONG>LDAP:ExternalGroups Equals CN=domain computers,OU=computer, DC=mydomain,DC=com</STRONG></P><P></P><P>Mycomputer get no network access. Without this condition I get full access. I despair of this problem.</P></BODY></HTML> Wed, 28 Aug 2013 14:32:44 GMT https://community.cisco.com/t5/network-security/cisco-ise-ldap/m-p/2267599#M920713 Marco Serato 2013-08-28T14:32:44Z