2370 Views, 0 Helpful, 6 Replies

Authorization rule to match both AD OU and Group

Madura Malwatte (Level 4)

We have an AD domain added to ISE with two sub-organizations, say orgA and orgB; these are the two OUs. We want to use ISE to match computer objects from only a single OU (orgB). So, for example, we have the Domain Computers AD group, but the objects in this group are either in orgA or orgB, and we only want to match the ones from orgB. Would my authorization policy condition be something like this:

if:
  AD1:DistinguishedName MATCHES .*(ou=orgB).* AND
  AD1:ExternalGroups EQUALS AD1/Users/Domain Computers
then: PermitAccess

Basically, orgA objects should not be authorized by ISE, only orgB. There was another discussion here saying "not recommended to use OU, which is not indexed, so would result in poorer performance". Is there an alternative way to make this work without a performance hit? How bad would the poorer performance be?

Accepted Solution

Francesco Molino (VIP Alumni)
Hi

Using non-indexed attributes can have really bad performance, but it depends on your AD.
Take a look at the following Cisco Live presentation: https://www.ciscolive.com/c/dam/r/ciscolive/apjc/docs/2019/pdf/BRKSEC-3432.pdf
Look at page 176; you have links explaining which attributes are indexed and how to index them.

Also, you have 2 domains, but do you want to always use only 1 domain and not the other? If so, the domain whitelist can help without using specific attributes.

The other thing is that you can have multiple domains and add groups based on domains. Groups will have the domain name as a prefix, and you will be able to select the correct one in your rules (ISE uses the SID and not the name itself).

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

6 Replies


Hi Francesco, thanks for the reply. Just to clarify, it's actually just one domain, and the different orgs sit under their own OU. So whitelisting a domain won't help.

If I understand correctly, we can use the OU distinguished name attribute IF this attribute has been indexed on the AD side? Once indexed, it won't cause any performance issue on ISE, correct?

I never had to deal with your same requirements, but I have used some specific indexed attributes and didn't experience any performance issue.

In this area the AD architecture is important anyway, like which domain server to authenticate against on a multi-site architecture, and this is managed on your AD. I believe this is well explained in the Cisco Live PDF.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Using "Domain Computers" isn't something I'd do if you're using simple OUs to separate resources on the domain. You should probably be using specific AD security groups for each sub-org. That will make policy configuration simple.

Okay, but if I had to do it this way, is the matching statement for the distinguished name that I have here correct?

AD1:DistinguishedName MATCHES .*(ou=orgB).*

I've not tested it, but yes, it looks like the Regex would work with a minor tweak. You'll need to be case-sensitive with the expression, so:

.*(OU=orgB).*

You might want to tighten up the Regex, though, to ensure it matches the exact OU and that it can't be abused via other OUs being created in AD. If you look at what a current user/computer's DN looks like via ISE's AD Attributes page, you can pull the rest of the string to put in the Regex. In my lab it's:

CN=labuser,OU=Lab,DC=lab,DC=local

So my Regex would be:

(CN=).*(OU=Lab,DC=lab,DC=local)$
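The following is an added example, not code from the thread or from Cisco, that runs the DN patterns discussed above against a handful of constructed computer DNs so the difference between the loose and the anchored form is visible. The domain corp.example, the computer names and the sub-OU layout are invented; Python's re module stands in for ISE's regex engine, and the example assumes, as the replies do, that MATCHES is case-sensitive and that it is a search rather than an implicitly anchored match, which is why the trailing $ in the tightened pattern matters.

```python
import re

# Constructed computer DNs (not taken from the original thread). They cover the
# cases the thread worries about: the wanted OU, the sibling OU, a look-alike OU
# name, an OU called "orgB" that someone created under orgA, and a sub-OU of orgB.
SAMPLE_DNS = [
    "CN=PC01,OU=orgB,DC=corp,DC=example",             # wanted: directly in orgB
    "CN=PC02,OU=orgA,DC=corp,DC=example",             # other org
    "CN=PC03,OU=orgBeta,DC=corp,DC=example",          # look-alike OU name
    "CN=PC04,OU=orgB,OU=orgA,DC=corp,DC=example",     # an "orgB" OU created under orgA
    "CN=PC05,OU=Laptops,OU=orgB,DC=corp,DC=example",  # sub-OU inside orgB
]

PATTERNS = {
    # The rule as first proposed in the thread. AD returns the RDN type as "OU=",
    # so a case-sensitive "ou=" never matches anything.
    "lowercase_loose": r".*(ou=orgB).*",
    # The case fix from the thread, still unanchored: any DN containing the
    # substring "OU=orgB" gets through, wherever it sits.
    "uppercase_loose": r".*(OU=orgB).*",
    # The tightened form from the thread, with the orgB suffix substituted for
    # the lab one. Sub-OUs of orgB still match; an orgB created elsewhere does not.
    "suffix_anchored": r"(CN=).*(OU=orgB,DC=corp,DC=example)$",
    # Stricter still: the computer must sit directly in orgB, no sub-OUs.
    "direct_child_only": r"^CN=[^,]+,OU=orgB,DC=corp,DC=example$",
}


def dn_matches(pattern, dn):
    """Case-sensitive, unanchored search; assumed here to mirror ISE's MATCHES."""
    return re.search(pattern, dn) is not None


def matched_computers(pattern, dns=SAMPLE_DNS):
    """Return the CN of every DN the pattern would let through, in input order."""
    return [dn.split(",")[0][3:] for dn in dns if dn_matches(pattern, dn)]


if __name__ == "__main__":
    for name, pattern in PATTERNS.items():
        print(f"{name:18} {pattern:45} -> {matched_computers(pattern)}")
```

The loose pattern admits PC03 (orgBeta) and PC04 (an orgB nested under orgA), which is the abuse the last reply warns about; the anchored pattern admits only objects whose DN ends in the real orgB container. Whether sub-OUs of orgB (PC05) should be allowed is a design decision, so both anchored variants are shown.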
