Beginner

ISE Easy Connect with trusted Domains

Hi all,

We are going to implement Easy Connect with trusted domains.

We have groups from domain A and users from domain B.

The Test User tool shows that ISE goes to the join point, which is domain A, but cannot find the user; it then goes to domain B and pulls the user's information from there. Unfortunately, the required groups do not exist in domain B.

Is this normal behavior for ISE? Is it possible for ISE to understand that the group and the user belong to different domains?

1 ACCEPTED SOLUTION

Cisco Employee

Re: ISE Easy Connect with trusted Domains

This situation is complex, because you are retrieving a domain local group for users outside of this domain.

Please check this document; I believe it matches your scenario:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/ise_active_directory_integration/b_ISE_AD_integration_2x.html

Authorization Against an Active Directory Instance

The following sections explain the mechanism that Cisco ISE uses to authorize a user or a machine against Active Directory.

Active Directory Attribute and Group Retrieval for Use in Authorization Policies

Cisco ISE retrieves user or machine attributes and groups from Active Directory for use in authorization policy rules. These attributes can be used in Cisco ISE policies and determine the authorization level for a user or machine. Cisco ISE retrieves user and machine Active Directory attributes after successful authentication and can also retrieve attributes for an authorization that is independent of authentication.

Cisco ISE may use groups in external identity stores to assign permissions to users or computers; for example, to map users to sponsor groups. You should note the following restrictions on group memberships in Active Directory:

  • Policy rule conditions may reference any of the following: a user’s or computer’s primary group, the groups of which a user or computer is a direct member, or indirect (nested) groups.

  • Domain local groups outside a user’s or computer’s account domain are not supported.

From the screenshots I can see they are domain local; if they were global, things would have been different.
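The restriction quoted above (a domain local group outside the user's account domain is not usable in ISE policy, while a global group would be) can be checked before a deployment. The script below is an added example, not code from the post or from Cisco: it decodes the Active Directory groupType bits (Microsoft-documented) and compares each group's domain with the user's account domain. The user and group records are constructed to mirror the question (user in domain B, groups in domain A, the join point); in practice you would feed it distinguishedName/groupType/sAMAccountName values from ldapsearch or Get-ADGroup, and the user's distinguishedName from Get-ADUser.

```python
"""Check which AD groups ISE can resolve for a user across a trust.

Added example (not from the post or from Cisco): applies the rule quoted
from the ISE AD integration guide, that domain local groups outside the
user's account domain are not supported, to LDAP-style records.
"""

# Bits of the Active Directory groupType attribute (Microsoft-documented).
GROUP_TYPE_GLOBAL = 0x00000002
GROUP_TYPE_DOMAIN_LOCAL = 0x00000004
GROUP_TYPE_UNIVERSAL = 0x00000008
GROUP_TYPE_SECURITY = 0x80000000


def group_scope(group_type):
    """Map an AD groupType value to 'DomainLocal', 'Global' or 'Universal'.

    AD stores groupType as a signed 32-bit integer, so security groups come
    back negative (e.g. -2147483644); mask to 32 bits before testing bits.
    """
    bits = group_type & 0xFFFFFFFF
    if bits & GROUP_TYPE_DOMAIN_LOCAL:
        return "DomainLocal"
    if bits & GROUP_TYPE_GLOBAL:
        return "Global"
    if bits & GROUP_TYPE_UNIVERSAL:
        return "Universal"
    raise ValueError("unrecognised groupType 0x%08x" % bits)


def domain_of(dn):
    """Return the DNS domain a distinguishedName belongs to, from its DC= parts.

    A plain split on ',' is enough for the constructed DNs used here, which
    contain no escaped commas.
    """
    dcs = [p.strip()[3:] for p in dn.split(",")
           if p.strip().upper().startswith("DC=")]
    return ".".join(dcs).lower()


def unusable_groups(user, groups):
    """Return [(group name, reason)] for groups ISE cannot use for this user.

    Only the restriction quoted from the guide is checked: a domain local
    group that lives outside the user's account domain. Global and universal
    groups, and domain local groups in the user's own domain, pass.
    """
    user_domain = domain_of(user["distinguishedName"])
    problems = []
    for g in groups:
        scope = group_scope(g["groupType"])
        group_domain = domain_of(g["distinguishedName"])
        if scope == "DomainLocal" and group_domain != user_domain:
            problems.append((
                g["sAMAccountName"],
                "domain local group in %s, but the account is in %s"
                % (group_domain, user_domain),
            ))
    return problems


# Constructed records: the user lives in domain B, the groups in domain A
# (the join point), mirroring the scenario in the question.
USER = {
    "sAMAccountName": "jdoe",
    "distinguishedName": "CN=J Doe,OU=Users,DC=b,DC=example,DC=com",
}
GROUPS = [
    {   # security group, domain local, in domain A: ISE cannot use it for jdoe
        "sAMAccountName": "VPN-Users-DL",
        "groupType": -2147483644,
        "distinguishedName": "CN=VPN-Users-DL,OU=Groups,DC=a,DC=example,DC=com",
    },
    {   # security group, global: usable across the trust
        "sAMAccountName": "VPN-Users-G",
        "groupType": -2147483646,
        "distinguishedName": "CN=VPN-Users-G,OU=Groups,DC=a,DC=example,DC=com",
    },
    {   # security group, universal: not covered by the restriction
        "sAMAccountName": "VPN-Users-U",
        "groupType": -2147483640,
        "distinguishedName": "CN=VPN-Users-U,OU=Groups,DC=a,DC=example,DC=com",
    },
    {   # domain local, but in the user's own domain: allowed
        "sAMAccountName": "Local-Printers",
        "groupType": -2147483644,
        "distinguishedName": "CN=Local-Printers,OU=Groups,DC=b,DC=example,DC=com",
    },
]

if __name__ == "__main__":
    for name, reason in unusable_groups(USER, GROUPS):
        print("%s: %s" % (name, reason))
```

Running it reports only VPN-Users-DL; converting that group to global scope (or nesting the domain B users through a global group) is the change the accepted answer points at.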

4 REPLIES
Cisco Employee

Re: ISE Easy Connect with trusted Domains

I have asked the expert to take a look

Beginner

Re: ISE Easy Connect with trusted Domains

Dear Yalbikaw,

Thank you for your answer. It was very useful! 

Cisco Employee

Re: ISE Easy Connect with trusted Domains

Happy to hear that :)