607 Views · 5 Helpful · 2 Replies

What to do if user matches multiple external groups in authorization policy

SeanGray13740 (Level 1)

I'm in the process of setting up Active Directory access to Cisco Prime through ISE. I have an AD group that I'm using to allow access to Prime through one rule, and we also have a group used to allow network device access with another rule. Because of the way the authorization policy seems to work, as soon as it runs into one of these rules, it exits the authorization, which seems to mean that I can only have one or the other.

By this I mean that my user account is a member of both the Prime access group and the Network Device access group, but because the Network Device rule is first in the list, I can't access Prime with my AD account. Conversely, if I move the Prime rule above the Network Device rule, then I can access Prime with my AD account, but that breaks my login to Network Devices.

Is there a way to use both of these authorization policy rules at once? It seems kind of odd that we could only use one or the other.

As a troubleshooting step, I combined the access of the TACACS profiles together into one to see if I could fix it that way, but it seems to break access to Network Devices still because of the custom rules used in the Prime TACACS profile.

Any help on this issue would be greatly appreciated.

Accepted Solution

jj27 (Spotlight)

Add a condition to your Prime authorization policy so that the Network Access:Device IP Address or Network Device:NetworkDeviceName attribute matches how you have it defined as a NAD in ISE.

Your rule would be: IF AD Group = Prime Access AND Network Access:Attribute equals <value>


2 Replies


This seems to have done the trick, thank you for the help! I added an AND to the rule with device type equals: all device types. After adding this line, I seem to be able to log into both Prime and any of my network devices as well.

I am a bit confused about how exactly this worked, however. Would you be able to explain a bit more? It was my understanding that once ISE matches a rule, it stops the authorization process. Is that an incorrect assumption?
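The mechanism behind both the accepted answer and the follow-up question above, as an added illustration that is not ISE code and not part of the thread: a toy first-match evaluator for a TACACS+ authorization policy. ISE does stop at the first rule whose conditions all hold, but a rule whose conditions fail is simply skipped, so adding a NAD condition to the Prime rule makes it fail for switch logins and lets evaluation fall through to the Network Device rule. The rule names, profile names, group names and NAD names (`prime-infra-01`, `dist-sw-01`, `NetDev-Admins`, `Prime-Shell`, and so on) are constructed placeholders, not values from the thread.

```python
# Added illustration of ISE-style first-match authorization evaluation.
# This is a constructed model, not ISE code; every name below is a placeholder.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    """What the policy sees for one TACACS+ authorization: the user's resolved
    external (AD) groups and the identity of the NAD that sent the request."""
    username: str
    ad_groups: frozenset          # external groups the user belongs to
    device_name: str              # Network Device:NetworkDeviceName of the NAD


@dataclass(frozen=True)
class Rule:
    """One authorization rule; every condition must hold for the rule to match."""
    name: str
    profile: str                          # shell profile returned on match
    ad_group: str                         # required external group
    device_name: Optional[str] = None     # None: no NAD condition (any device)

    def matches(self, req: Request) -> bool:
        if self.ad_group not in req.ad_groups:
            return False
        if self.device_name is not None and req.device_name != self.device_name:
            return False
        return True


DEFAULT = ("Default", "DenyAllShellProfile")


def authorize(policy: List[Rule], req: Request) -> Tuple[str, str]:
    """First-match evaluation: rules are tried top to bottom and the first one
    whose conditions all hold decides the result; later rules are never looked
    at for this request.  A rule whose conditions do NOT hold is skipped, which
    is what lets two rules for the same user coexist."""
    for rule in policy:
        if rule.matches(req):
            return rule.name, rule.profile
    return DEFAULT


# Constructed placeholders for the NADs as they would be defined in ISE.
PRIME_NAD = "prime-infra-01"      # the Prime server
SWITCH_NAD = "dist-sw-01"         # an ordinary network device

# One admin who is a member of both AD groups, logging in to each target.
GROUPS = frozenset({"Prime-Access", "NetDev-Admins"})
prime_login = Request("admin1", GROUPS, PRIME_NAD)
switch_login = Request("admin1", GROUPS, SWITCH_NAD)

# Original policy: both rules keyed on AD group only, Network Device rule first.
POLICY_BEFORE = [
    Rule("NetworkDevices", "NetDev-Shell", "NetDev-Admins"),
    Rule("Prime", "Prime-Shell", "Prime-Access"),
]

# Fix from the accepted answer: the Prime rule additionally requires the NAD
# to be the Prime server, and the more specific rule sits above the general one.
POLICY_AFTER = [
    Rule("Prime", "Prime-Shell", "Prime-Access", device_name=PRIME_NAD),
    Rule("NetworkDevices", "NetDev-Shell", "NetDev-Admins"),
]

# Caveat: the same conditions with the specific rule BELOW the general one.
# The general rule still matches the Prime login first, so the fix is undone.
POLICY_MISORDERED = [
    Rule("NetworkDevices", "NetDev-Shell", "NetDev-Admins"),
    Rule("Prime", "Prime-Shell", "Prime-Access", device_name=PRIME_NAD),
]


def outcomes(policy: List[Rule]) -> dict:
    """Name of the rule that wins for a Prime login and for a switch login."""
    return {
        "prime": authorize(policy, prime_login)[0],
        "switch": authorize(policy, switch_login)[0],
    }


if __name__ == "__main__":
    for label, pol in (("before", POLICY_BEFORE),
                       ("after", POLICY_AFTER),
                       ("misordered", POLICY_MISORDERED)):
        print(label, outcomes(pol))
```

Running it shows the three situations from the thread: with the original policy both logins hit the Network Device rule (so Prime gets the wrong profile); with the NAD condition added and the Prime rule placed first, the Prime login gets the Prime profile while the switch login falls through to the Network Device rule; and with the specific rule placed below the general one, the Network Device rule captures both logins again. When auditing a real policy set, the check to make is the same one the model makes explicit: for every pair of rules a single user can satisfy, the rule that is higher in the list must carry a condition that excludes the other rule's intended requests.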