Query specific AD group using certificate common name

Antonio Macia
Level 3

Hello,

How can I check if a username retrieved from the certificate common name belongs to a specific AD group? In the policy set I can match against the general AD as an external group object (have a look at the attached screenshot), so ISE performs a lookup among all AD groups, but is it possible to reference the exact AD group?

I need to create different authorization rules for my 802.1x wireless clients based on the AD group they belong to.

Regards.

Accepted Solution

Greg Gibbs
Cisco Employee

The CAP that Hsing mentions is how you identify what attribute in the certificate is used for identity (i.e. Common Name, etc). If you want to check that credential against your AD as part of the Authentication stage, you would also need to select your AD in the Identity Store dropdown box.

You can provide differentiated access for different AD user groups in the Authorisation Policy using the <AD>:ExternalGroups EQUALS <group> attribute.

[Attached screenshot: Screen Shot 2018-04-06 at 9.11.34 am.png]

-Regards

Greg


3 Replies

hslai
Cisco Employee

If your ISE is 2.x and a fresh install, then there should be a Preloaded_Certificate_Profile with Use Identity From set to Subject - Common Name. If this is not there, you may create one with similar settings.

Then, select it for authentication, and the AD group/attribute lookups in authorization will use the common name field as the username.

[Attached screenshot: Screen Shot 2018-04-05 at 7.21.40 AM.png]

BTW... I do not think your existing condition would work well, as the AD external groups in ISE 1.3+ are represented as SIDs.
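The two replies above describe a flow that is easy to get wrong in practice: the certificate authentication profile takes the identity from the Subject Common Name, that identity is resolved against AD, and the authorization rule then compares the user's group membership against a group that ISE has stored as a SID, not as a display name. The following is an added example, not code from the original thread or from Cisco ISE, that models that flow end to end in plain Python. Everything in it is constructed: the domain SID, RIDs, group DNs and user names are made up, the "directory" is an in-memory dictionary standing in for an LDAP search result (AD returns objectSid as raw bytes, which is why a decoder is needed), and the rule table is a hypothetical stand-in for ISE's `<AD>:ExternalGroups EQUALS <group>` conditions.

```python
"""Model of CN-based identity plus AD group authorization (added example,
not ISE code). All directory data here is constructed for illustration."""
import struct


def decode_sid(raw):
    """Convert a binary objectSid, as AD returns it over LDAP, into the
    familiar "S-1-5-21-..." string form. Layout: revision (1 byte),
    sub-authority count (1 byte), 48-bit big-endian identifier authority,
    then little-endian 32-bit sub-authorities."""
    revision, sub_count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % sub_count, raw, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def encode_sid(sid):
    """Inverse of decode_sid; used only to build the constructed sample below."""
    parts = sid.split("-")
    if parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


# Constructed, fictitious domain SID (not a real domain).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

# Constructed directory snapshot shaped like LDAP results: groups carry a
# binary objectSid, users carry memberOf DNs.
GROUPS = {
    "CN=Wireless-Staff,OU=Groups,DC=example,DC=com":
        {"name": "Wireless-Staff", "objectSid": encode_sid(DOMAIN_SID + "-1105")},
    "CN=Wireless-Contractors,OU=Groups,DC=example,DC=com":
        {"name": "Wireless-Contractors", "objectSid": encode_sid(DOMAIN_SID + "-1106")},
}
USERS = {
    "jdoe": {"memberOf": ["CN=Wireless-Staff,OU=Groups,DC=example,DC=com"]},
    "contractor1": {"memberOf": ["CN=Wireless-Contractors,OU=Groups,DC=example,DC=com"]},
}

# Hypothetical rule table standing in for ISE authorization rules of the form
# "<AD>:ExternalGroups EQUALS <group>". Note the value is the group's SID.
AUTHZ_RULES = [
    ("Staff-WiFi", "ExternalGroups", DOMAIN_SID + "-1105", "PermitAccess-Staff"),
    ("Contractor-WiFi", "ExternalGroups", DOMAIN_SID + "-1106", "PermitAccess-Guest-VLAN"),
]
DEFAULT_RESULT = "DenyAccess"


def identity_from_subject(subject):
    """Take the CN from a certificate subject string, as a CAP set to
    'Use Identity From: Subject - Common Name' does. Simplified splitting;
    escaped commas inside RDN values are not handled here."""
    for rdn in subject.split(","):
        key, _, value = rdn.strip().partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    return None


def user_group_sids(username):
    """Resolve the user's groups to their SID strings (what ISE compares on)."""
    user = USERS.get(username)
    if user is None:
        return set()
    return {decode_sid(GROUPS[dn]["objectSid"])
            for dn in user["memberOf"] if dn in GROUPS}


def authorize(subject):
    """Authentication: CN must exist in the identity store.
    Authorization: first rule whose ExternalGroups SID the user holds wins."""
    cn = identity_from_subject(subject)
    if cn is None or cn not in USERS:
        return DEFAULT_RESULT
    sids = user_group_sids(cn)
    for _name, attribute, value, result in AUTHZ_RULES:
        if attribute == "ExternalGroups" and value in sids:
            return result
    return DEFAULT_RESULT


if __name__ == "__main__":
    for subj in ("CN=jdoe,OU=Users,DC=example,DC=com",
                 "CN=contractor1,OU=Users,DC=example,DC=com",
                 "CN=nobody,OU=Users,DC=example,DC=com"):
        print(subj, "->", authorize(subj))
    # A condition written against the display name never matches, because
    # the resolved membership is a set of SIDs.
    print("name match:", "Wireless-Staff" in user_group_sids("jdoe"))
```

The last line of the demo is the point hslai makes: a condition that compares the group's display name against the resolved membership never matches, because the membership ISE evaluates is the set of group SIDs. Selecting the group from the AD external groups list in the condition editor stores the SID for you; the `decode_sid` helper shows what that stored value corresponds to in the raw objectSid attribute.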


Thanks Gregory and hslai.

I was creating the AuthZ conditions from the Policy Set menu instead of from the Library Conditions and couldn't find the group selection.