Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
336
Views
0
Helpful
3
Replies

Policy Set wrapper Creation with user AD group name

Go to solution
Jay Tiwari
Cisco Employee
Cisco Employee

‎04-10-2019 10:42 PM

Hi Team,

One of my customers wants to create Policy Set with condition of user AD group (at cover of policy set), however, i don't see option to select the AD group name.

 

Is there any idea if we will support in upcoming releases.

 

Thanks,

Jay

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Arne Bier
VIP
VIP

‎04-10-2019 10:55 PM

While I understand the requirement, I doubt ISE would do this, since it is non sensical because authentication has not yet taken place. In the Policy Set Conditions were are checking the radius attributes for hints about the type of authentication (e.g. Service-Type, etc) and who is making the request (e.g. NDG which is basically checking the source IP of the request ). Even if ISE had the ability to check AD Group, you would first need to have passed authentication in order to care about the users AD attributes and groups. It would be very CPU intensive to perform this check for every radius request prior to the authentication stage. 

AD Group checks are generally done during Authorization because it makes sense to do it here. Why does this not meet the customer’s needs?

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Arne Bier
VIP
VIP

‎04-10-2019 10:55 PM

While I understand the requirement, I doubt ISE would do this, since it is non sensical because authentication has not yet taken place. In the Policy Set Conditions were are checking the radius attributes for hints about the type of authentication (e.g. Service-Type, etc) and who is making the request (e.g. NDG which is basically checking the source IP of the request ). Even if ISE had the ability to check AD Group, you would first need to have passed authentication in order to care about the users AD attributes and groups. It would be very CPU intensive to perform this check for every radius request prior to the authentication stage. 

AD Group checks are generally done during Authorization because it makes sense to do it here. Why does this not meet the customer’s needs?

0 Helpful

Go to solution
Mohammed al Baqari
Level 11
Level 11

‎04-10-2019 11:53 PM

Hi,

I don't see how this will work. Technically you can read AD group before
authenticating the user successfully to get its attribute
0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to Mohammed al Baqari

‎04-11-2019 03:22 AM

I don’t get your response. Authentication simply checks if the credentials are valid and then continues onto authorization
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents