
ISE Easy Connect with trusted Domains

netcrackercorp
Level 1

Hi all,

We are going to implement Easy Connect with trusted domains.

We have groups from domain A and users from domain B.

The TEST USER tool shows that ISE goes to the join point, which is domain A, but cannot find the user; it then goes to domain B and pulls the user's information from there. Unfortunately, the required groups are not present in domain B.

Is this normal behavior for ISE? Is it possible for ISE to understand that a group and a user belong to different domains?

Accepted Solution

yalbikaw
Cisco Employee

This situation is complex, because you are retrieving a domain local group for users outside of this domain.

Please check this document; I believe it matches your scenario:


https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/ise_active_directory_integration/b_ISE_AD_integration_2x.html


Authorization Against an Active Directory Instance

The following sections explain the mechanism that Cisco ISE uses to authorize a user or a machine against Active Directory.

Active Directory Attribute and Group Retrieval for Use in Authorization Policies

Cisco ISE retrieves user or machine attributes and groups from Active Directory for use in authorization policy rules. These attributes can be used in Cisco ISE policies and determine the authorization level for a user or machine. Cisco ISE retrieves user and machine Active Directory attributes after successful authentication and can also retrieve attributes for an authorization that is independent of authentication.

Cisco ISE may use groups in external identity stores to assign permissions to users or computers; for example, to map users to sponsor groups. You should note the following restrictions on group memberships in Active Directory:

  • Policy rule conditions may reference any of the following: a user’s or computer’s primary group, the groups of which a user or computer is a direct member, or indirect (nested) groups.

  • Domain local groups outside a user’s or computer’s account domain are not supported.


From the screenshots I can see they are domain local; if they were global, things would have been different.

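To make the restriction quoted in the accepted answer concrete, here is an added example (it is not from the original thread and not Cisco code) that checks, from each group's groupType flags and distinguishedName, whether the group can be referenced in an ISE authorization policy for a given account. It assumes you have already pulled distinguishedName and groupType for the candidate groups over LDAP; the domain names, group names and the user DN below are constructed sample data. Only the documented rule is applied: a domain local group is flagged when its domain differs from the account domain, and every other group (global, universal, or domain local in the account's own domain) is treated as usable.

```python
"""Audit AD groups for the ISE restriction on domain local groups.

Added example, not part of the original post or of Cisco's documentation.
Rule applied (from the ISE AD integration guide quoted above): domain local
groups outside a user's or computer's account domain are not supported.
The domain of an object is taken from the DC= components of its DN; the
group scope is decoded from the AD groupType attribute bit flags.
"""
import re

# groupType bit flags (ADS_GROUP_TYPE_* values from the AD schema).
GROUP_TYPE_GLOBAL = 0x00000002
GROUP_TYPE_DOMAIN_LOCAL = 0x00000004
GROUP_TYPE_UNIVERSAL = 0x00000008
GROUP_TYPE_SECURITY_ENABLED = 0x80000000

# Split a DN on commas that are not escaped with a backslash (RFC 4514).
_DN_SPLIT = re.compile(r"(?<!\\),")


def group_scope(group_type):
    """Decode the scope from groupType.

    LDAP returns groupType as a signed 32-bit integer, so security groups
    come back negative (e.g. -2147483644 for a domain local security group);
    masking to 32 bits recovers the flag bits.
    """
    flags = int(group_type) & 0xFFFFFFFF
    if flags & GROUP_TYPE_DOMAIN_LOCAL:
        return "DomainLocal"
    if flags & GROUP_TYPE_GLOBAL:
        return "Global"
    if flags & GROUP_TYPE_UNIVERSAL:
        return "Universal"
    raise ValueError("unknown groupType 0x%08x" % flags)


def domain_of(dn):
    """Return the DNS domain name encoded in the DC= components of a DN."""
    parts = [p.strip() for p in _DN_SPLIT.split(dn)]
    dc = [p[3:] for p in parts if p.upper().startswith("DC=")]
    if not dc:
        raise ValueError("no DC components in DN %r" % dn)
    return ".".join(dc).lower()


def usable_in_ise(user_dn, group_dn, group_type):
    """Return (usable, reason) for one group against one account."""
    scope = group_scope(group_type)
    user_domain = domain_of(user_dn)
    group_domain = domain_of(group_dn)
    if scope == "DomainLocal" and user_domain != group_domain:
        return False, ("domain local group in %s cannot be used for an "
                       "account in %s" % (group_domain, user_domain))
    return True, "%s group in %s, account in %s" % (scope, group_domain, user_domain)


def audit(user_dn, groups):
    """Evaluate a list of (group_dn, group_type) pairs for one account."""
    results = []
    for group_dn, group_type in groups:
        usable, reason = usable_in_ise(user_dn, group_dn, group_type)
        results.append({"group": group_dn, "scope": group_scope(group_type),
                        "usable": usable, "reason": reason})
    return results


# Constructed sample data: user account in domain B, groups mostly in domain A.
SAMPLE_USER_DN = "CN=jdoe,OU=Users,DC=b,DC=example,DC=com"
SAMPLE_GROUPS = [
    ("CN=VPN-Admins,OU=Groups,DC=a,DC=example,DC=com", -2147483644),   # domain local, A
    ("CN=VPN-Users,OU=Groups,DC=a,DC=example,DC=com", -2147483646),    # global, A
    ("CN=All-Staff,OU=Groups,DC=a,DC=example,DC=com", -2147483640),    # universal, A
    ("CN=Local-Printers,OU=Groups,DC=b,DC=example,DC=com", -2147483644),  # domain local, B
]

if __name__ == "__main__":
    for r in audit(SAMPLE_USER_DN, SAMPLE_GROUPS):
        print("%-5s %-12s %s" % ("OK" if r["usable"] else "FAIL", r["scope"], r["reason"]))
```

In the sample, only the domain local group in domain A is flagged: that is the group type the poster's screenshots showed, and converting such groups to global (or universal) scope, or creating the group in the account domain, is what the answer's last sentence points at.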

4 Replies

Jason Kunst
Cisco Employee

I have asked the expert to take a look.


Dear Yalbikaw,

Thank you for your answer. It was very useful! 

Happy to hear that :)
